German court overturns anti-terrorism data retention law

Today the Federal Constitutional Court of Germany struck down a law requiring telecommunications companies to retain individual user data on phone and Internet usage in case it is needed by law enforcement authorities in criminal investigations. The law was created in response to a European Union data retention directive (2006/24/EC), which obligated member states to store telecommunications data on citizens for at least six months, and to make the retained data available to law enforcement or other authorized officials. In its ruling, the German court decided that the interest in combating terrorism and protecting national security was outweighed by personal privacy and data protection rights, and concluded that the law is unconstitutional. The court’s ruling was lauded not just by privacy advocates and the thousands of German citizens who had appealed to have the law overturned, but also by some German government officials, despite the fact that the ruling is a rebuke to a high-profile initiative implemented by the current administration. Peter Schaar, Germany’s Commissioner for Freedom of Information and a member of the European Commission’s Data Protection working party, noted that despite the intention of the Data Protection Directive, as implemented the German law resulted in keeping “massive amounts of data about German citizens who pose no threat and are not suspects.”

This ruling provides a stark contrast to the efforts by lawmakers and senior justice officials in the previous and current administrations to enact laws that would require Internet service providers and other telecommunications companies to retain customer data. Both the House and Senate have drafted versions of the so-called Internet SAFETY Act, which is focused on curbing child exploitation but which requires, among other provisions, that electronic communication service providers retain user information for at least two years, with the aim of facilitating criminal investigations by law enforcement. When first introduced, the SAFETY Act raised an outcry among both privacy advocates and computer users because of a possible interpretation of the law’s definition of “electronic communication service provider” under which any home user whose network configuration allowed more than one computer to connect to the Internet might be subject to the data retention requirement. That debate notwithstanding, customer data retention is now an issue on which companies like Google, Yahoo!, and Microsoft — all of whom vigorously defend their practices of retaining Internet search data, IP addresses, and other user information — are pulled in two directions: the FTC and other regulators urge them to store less personal information about users and for less time, while Congress and the Justice Department would seem to prefer that they collect and hold even more data for longer periods of time, just in case it could help in a future investigation. Addressing the RSA conference this week, FBI Director Robert Mueller echoed the theme of private sector organizations doing more to cooperate with the government.

On a somewhat less publicized front, major service providers in the U.S. already have processes and procedures in place designed to assist law enforcement investigations. In the wake of the disclosure of the Google attacks in China in January, security guru Bruce Schneier suggested that the attacks were facilitated by backdoor access to Google’s systems that is in place to allow eavesdropping by government officials. Less than two weeks ago, a minor stir erupted when an allegedly leaked “Global Criminal Compliance Handbook” was published online, detailing procedures by which law enforcement could obtain access to data Microsoft retains on the users of its online services, such as Hotmail, MSN, and Windows Live. The document also includes information about the specific data elements that are stored and the retention period for those data. The document was posted online, then withdrawn, ostensibly at Microsoft’s insistence, then surfaced again, and is now readily accessible to Internet searchers seeking it. Microsoft has noted in its public comments following the disclosure of the document that it has the same obligation as all service providers to support authorized requests for information from law enforcement and to facilitate criminal investigations, so while Microsoft’s guidelines may be garnering the most attention at the moment, it seems likely that comparable policies and procedures are in place at most if not all online service providers.