According to the privacy notices on many websites, IP addresses are stored in server log files at their full length, often allegedly for security reasons, but without any specific occasion. Whether this occasionless logging is permissible depends on whether it is technically necessary or whether milder means exist.
Introduction
Scope: This contribution only considers publicly accessible servers of ordinary operators, thus NOT those of ISPs, law enforcement agencies etc. In particular, it is not about cases covered by § 172 TKG. A legal basis according to Art. 6 GDPR (DSGVO), such as consent, is assumed not to exist (otherwise the question would quickly be answered).
To avoid misunderstandings once more: understanding the term "occasion" is fundamental! It is explained in this contribution. Data retention is called that because it takes place without occasion, i.e., always!
IP addresses are network addresses. They are part of the metadata that is transmitted every time a website is called up. This metadata is occasionally also referred to as traffic data or connection data. The meaning of these two terms seems to differ between the technical and the legal context. Therefore, I use the term metadata.
IP addresses are, according to the highest court rulings by the ECJ and the BGH (German Federal Court of Justice), personal data. This also applies to dynamic IP addresses, and has done so since 2016 (ECJ) and 2017 (BGH). The GDPR has been in effect since the end of May 2018.
IP addresses may possibly allow attacks to be identified and thus offer the possibility of increasing the security of servers. Furthermore, knowledge of an IP address might lead to law enforcement taking place. All this seems plausible to me, although not for every possible attack scenario. My conversation partners, numerous experts in IT security and law, confirm this.
IP addresses are therefore useful for increasing the security of a server and for identifying perpetrators. Usefulness alone, however, is no decisive justification.
So, what is the question to be answered?
Must full IP addresses be logged by server operators without cause, or are there milder means?
This is the question of this contribution.
This contribution is therefore focused on server operators. Internet service providers (ISPs) such as Deutsche Telekom or Vodafone are not considered here for reasons of complexity.
Update: The ECJ has even declared unjustified mass data storage for use in clarifying serious crimes to be unlawful. See the ECJ ruling of 05.04.2022 (Case C-140/20).
Even regulations that provide for a general and indiscriminate storage of traffic and location data as preventive measures against serious crime and severe threats to public safety are unlawful.
My paraphrase of the ECJ judgment of April 5, 2022, para. 101.
The ECJ further finds that it is only permitted to "store IP addresses, assigned to a connection source, for a time period limited to what is absolutely necessary" in order to prevent threats to public safety and combat serious crime (para. 101 of the judgment). The ECJ thus confirms what I had already stated earlier, because private operators of (web) servers have little or nothing to do with public safety and certainly nothing to do with combating serious crime.
The text continues below without direct reference to the aforementioned ECJ ruling, which was only issued after my text was written.
This contribution is about three conditions that all hold at once:
- NO OCCASION-RELATED INFORMATION
- PERMANENT STORAGE (e.g. in files)
- FULL IP ADDRESSES
The purpose is the prevention of dangers. Law enforcement has nothing to do with you and me, nor with your server, unless you are the police, a prosecutor etc.
Please internalize these conditions before continuing to read and before thinking you can answer the question in this post!
It's not about:
- Incident-related documentation and/or
- Transient data held in main memory and/or
- Use of other data than full IP addresses and/or
- Law enforcement by authorities, police, prosecution office.
Have you taken this on board? Then please continue reading and let me know if you are the first one who can name a concrete example of occasionless logging of IP addresses for which a legal basis is recognized.
Occasionless means that IP addresses are always logged. Occasion-related would mean that logging of IP addresses only starts when an event occurs, such as a suspected hacker attack, troubleshooting of network problems, or an attempt to log in with a password. The occasion is considered given only from the point in time at which it was determined or assumed. A retrospective assumption of an occasion is not permissible, because then everything would always have to be logged in order to later discard 99% of the data (which would then have been logged occasionlessly and thus, as claimed, illegally), just to use 1% of the data for the occasion that was only determined later. An occasion can also be considered given when an automatic mechanism considers an occasion to be present with a sufficiently high probability. Such a high probability certainly cannot exist for every arbitrary (thus occasionless) access (unless every access to a server comes from a hacker). This contribution is not about discussing probability values. Permanent logging of all events is based on a probability of, at the very least, zero percent that an occasion exists, and is therefore not permissible, I claim.
An occasion is a presumed event. A recording that takes place constantly is obviously without occasion.
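To make the difference between occasionless and occasion-related logging concrete, here is an added example that is not part of the original post. It assumes a web server whose request records pass through a small filter: by default the IP address is truncated before it is written to the persistent log (IPv4 to the /24 network, IPv6 to the /48 prefix, both assumed choices), failed-login counters are kept only transiently in memory, and the full address is written only from the moment an occasion is determined (here, an assumed threshold of 5 failed logins within 5 minutes) until the occasion expires after an assumed hour. Earlier records are not rewritten, matching the rule that an occasion may not be assumed retrospectively. All sample addresses are from the documentation ranges and are constructed.

```python
"""Occasion-related request logging (added illustration, not the post's code).

Assumptions (not from the post): a failed-login threshold of 5 within a
300-second window establishes an occasion, the occasion lasts 3600 seconds,
and occasionless records keep only the IPv4 /24 or IPv6 /48 prefix.
"""
import ipaddress
import time
from collections import deque

FAILED_LOGIN_THRESHOLD = 5      # assumed: failures that establish an occasion
WINDOW_SECONDS = 300            # assumed: sliding window for counting failures
OCCASION_TTL_SECONDS = 3600     # assumed: how long full logging stays active


def truncate_ip(ip_str: str) -> str:
    """Reduce an address to its network prefix so that the stored value no
    longer identifies a single connection source (the 'milder means')."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


class OccasionLogger:
    """Writes one line per request; the address form depends on whether an
    occasion is active for that address at the time of the request."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._failures: dict[str, deque] = {}   # transient, in memory only
        self._occasions: dict[str, float] = {}  # ip -> expiry timestamp
        self.persistent_log: list[str] = []     # stands in for the log file

    def _update_occasion(self, ip: str, now: float, failed_login: bool) -> bool:
        if failed_login:
            q = self._failures.setdefault(ip, deque())
            q.append(now)
            while q and q[0] < now - WINDOW_SECONDS:   # drop stale failures
                q.popleft()
            if len(q) >= FAILED_LOGIN_THRESHOLD:
                self._occasions[ip] = now + OCCASION_TTL_SECONDS
        expiry = self._occasions.get(ip)
        if expiry is not None and expiry <= now:       # occasion has ended
            del self._occasions[ip]
            self._failures.pop(ip, None)
            return False
        return expiry is not None

    def record(self, ip: str, path: str, status: int, failed_login: bool = False) -> str:
        now = self.clock()
        occasion_active = self._update_occasion(ip, now, failed_login)
        logged_ip = ip if occasion_active else truncate_ip(ip)
        line = f"{logged_ip} {path} {status}"
        self.persistent_log.append(line)
        return line


if __name__ == "__main__":
    log = OccasionLogger()
    for _ in range(6):   # constructed: repeated failed logins from one address
        print(log.record("203.0.113.7", "/login", 401, failed_login=True))
    print(log.record("2001:db8:1234:5678::1", "/", 200))
```

The first four failed logins are stored with the truncated address and stay that way; only from the fifth attempt on does the full address reach the log, and once the occasion expires the filter falls back to truncation for the same address.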
Finding.
An occasion is also referred to elsewhere as an event. See the IT-Grundschutz-Kompendium of the BSI (German Federal Office for Information Security).
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert witness in IT and data protection. I achieve my results by looking at both technology and law, which seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
