German court bans retention of logged IP addresses

A German court has ruled that a government web site may not retain IP addresses and other personally identifiable information (PII) in their logs for any longer than the user is actually using the site.

The judges pointed out that in many cases it was simple to map an IP address to an identity with the help of 3rd parties, and declared that logging IP addresses was a "violation of the right to informational self-determination."

OK whatever.

Germany does not seem to be of one mind regarding logging.  On the one hand their draconian privacy laws (how's that for an oxymoron?) are pretty much in opposition to any meaningful user activity logging.  On the other hand, their law enforcement folks at least seem to know the value of logs, even if they are a little draconian in the other direction.  Finally the article above notes that even the Bundestag, the lower house of the German Parliament, doesn't comply with with the privacy laws that body created- the web site logs and retains PII.

Attention Germany: the privacy horse has left the barn.  Technology has far outpaced the capability of an individual to control where his or her information flows.  Expecting to both receive service from an online provider, and to remain "private" (whatever that means) from the provider, is unreasonable- and in fact denying the provider the right to log prevents the provider from systematically improving service to you.  Logging is a best practice for administrative activity, including maintenance-related activities, marketing & service planning, and security-related activities such as forensics.  Everything generates logs nowadays.  It would probably be better to write laws restricting what can be done with logs rather than to outlaw logging.  In this manner you could mitigate abuses such as those by the ambulance chasers but still provide organizations of all sorts, including the government itself, the information they need to do their jobs.

Comments