End of digital anonymity? Hubig ventures a risky push for IP storage
Between investigative pressure and fundamental rights: The draft on data retention relies on legal tricks and the "freezing" of sensitive location data.
(Image: asharkyu/Shutterstock.com)
Shortly before Christmas, the Federal Ministry of Justice and Consumer Protection (BMJV) published its long-awaited draft bill on the "Introduction of IP Address Storage" on Monday. It promises a modern toolbox for law enforcement without repeating past mistakes. However, a closer look reveals the paper to be a tightrope walk. The ministry is attempting to redefine a blanket storage obligation as a "not serious interference" with the ruling of the European Court of Justice (ECJ) through a legal reinterpretation. At the same time, planned new instruments such as the "preservation order" could enable comprehensive online surveillance through the back door.
The core of the new draft law, which has been contentious even before its publication, is the introduction of a three-month IP address storage obligation in the new Paragraph 176 of the Telecommunications Act (TKG). It speaks of a "precautionary securing" of internet identifiers. The BMJV justifies this step by stating that criminals online often leave only one trace: "the internet protocol address they used." To meet the strict requirements of the ECJ, which has repeatedly prohibited general and indiscriminate storage of traffic data, the ministry is relying on a daring differentiation.
The justification states that IP address logging constitutes an "interference with fundamental rights that is not to be classified as serious." The BMJV refers to the recent ECJ ruling in the "Hadopi" case, according to which the identification of an internet connection owner solely based on the IP address is permissible under certain conditions. Nevertheless, it remains highly doubtful whether storage that affects every citizen indiscriminately can withstand scrutiny by the Luxembourg judges. The Federal Constitutional Court has also consistently criticized the enormous "scatter effect" of such measures.
"Preservation Order" also for Messengers
No less explosive than the pure IP log megadata file is the planned instrument of the preservation order, known in expert circles as Quick Freeze and considered in a similar form by the traffic light coalition. According to the planned Paragraph 100g, Section 7 of the Code of Criminal Procedure (StPO), authorities such as the public prosecutor's office or the police can order providers to immediately secure all traffic data – including connection information and, in particular, location data. The expansion of surveillance becomes particularly clear here, as the preservation is by no means limited to IP addresses.
What is particularly problematic is that the hurdles for this "freezing" are set low. "Sufficient factual indications that a criminal offense has been committed" are sufficient, which is a significantly lower threshold than for the subsequent actual disclosure of the data. Messenger services such as WhatsApp, Signal, iMessage, Meta Messenger, or Threema, and email providers are also fully included, with the draft even allowing login data and associated locations to be secured. The data could be frozen for up to three months, with the option of a one-time extension by a court.
The ministry defends this approach by arguing that no permanently existing data pool is being created. Storage occurs on a case-by-case basis with specific suspicion. Opponents, however, see a dangerous gray area here: Since data is already available due to the new IP obligation or for operational purposes, the "freezing" becomes a powerful lever to gain access to movement profiles and communication partners even before a judge could fully assess proportionality.
Passwords and Mobile Phone Grid Searches
Another sensitive point is the outlined rules for the disclosure of passwords. The draft specifies that investigators may request information about such highly sensitive access information if it is necessary for the prosecution of particularly serious offenses such as murder or terrorism. However, this would lower a technical barrier: providers of digital services are to be generally obliged to disclose passwords as part of the existing data disclosure, which are used to protect access to end devices or storage facilities.
The planned legislative changes are also intended to clarify the conditions under which the police may conduct a cell tower dump. In this form of grid search, investigators analyze which mobile phones were logged in at a certain location at a specific time to convict perpetrators. While the Federal Court of Justice (BGH) ruled in 2024 that this should only be permitted for particularly serious crimes, the draft provides for a relaxation. According to this, the suspicion of a criminal offense of considerable importance should be sufficient to query the location data. The ministry is thus aligning itself with the legal opinion of some regional courts that consider a lower hurdle for investigative work to be appropriate than the BGH.
Ambitious Attempt on Clay Feet
"We need to fight crime on the internet more effectively," says Justice Minister Stefanie Hubig (SPD), advocating her approach, which can now be commented on by other ministries, the states, and associations before the parliamentary process begins. "Perpetrators get away far too often, especially in cases of child pornography, online fraud, and criminal hate speech online." The confidentiality of communication remains "strictly protected." Markus Beckedahl from the Center for Digital Rights and Democracy, on the other hand, laments a "general suspicion against the population." An IP address is "not a harmless thing." Such identifiers can be "very well condensed into personal references in practice through timestamps and additional data."
Videos by heise
The eco association of the internet industry already warned in October of a "step backward in digital policy" in view of a new "blanket data retention." Such a measure "endangers fundamental rights, creates economic burdens, and undermines trust in digital services." After almost two decades of legal disputes, the federal government should not again initiate a law "that is exposed to significant legal risks in court." The indiscriminate logging of user traces remains contrary to European law. What is needed are "targeted investigative instruments and better international cooperation" instead of mass surveillance.
The draft reads as an ambitious attempt to secure investigative capabilities online without failing again in Luxembourg or Karlsruhe. However, the argument that blanket IP storage is not a serious interference is legally on shaky ground. In combination with the far-reaching preservation order, a massive expansion of digital surveillance threatens. This would also further erode anonymity on the internet, as the Working Group on Data Retention has repeatedly emphasized for years.
(wpl)
