Log-free email provider Posteo: 'You must log user IP addresses', court rules

German Constitutional Court says email service needs to store its users' IP details for law enforcement.
Written by David Meyer, Contributor

Posteo is a German email provider that offers encrypted communications and, crucially, does not log the IP addresses of its users. 

So it's no surprise that the company is angry about a decision from the German Constitutional Court, which says it has to log IP addresses so that it can provide them to investigators, when asked.

The ruling was published Tuesday, in a case involving the attempted surveillance by Stuttgart authorities of someone suspected of breaking narcotics and weapons laws.

In 2016, a local court came to Posteo with a warrant, demanding all existing and future data relating to the suspect's email account. Posteo implemented surveillance of the account but told the cops that, as it doesn't log traffic data, there was nothing on that front to share.

Prosecutors complained that Posteo had the IP addresses and was discarding them, but the provider retorted that it never had them, because it uses a Network Address Translation (NAT) technique that leaves them at the network's border. 

The local court told Posteo to collect all future IP addresses. Posteo refused on the basis that a system conversion would be disproportionately costly. But the regional court disagreed and hit Posteo with a small fine, and the case ended up at the Constitutional Court.

In its ruling, the Constitutional Court acknowledged that fining Posteo for not collecting IP addresses "interferes with the complainant's right to freely practice one's occupation or profession", but said it was constitutionally acceptable because Germany's Telecommunications Act (TKG) does permit the surveillance of IP addresses.


Meanwhile, it added, Germany's Telecommunications Surveillance Ordinance (TKÜV) obliges providers to "provide the technical infrastructure necessary for carrying out telecommunications surveillance and to take the organizational measures necessary in this regard to ensure that surveillance can be implemented without undue delay".

Posteo's lack of users' IP addresses is not the result of "a lack of available data", the court ruled, but rather because of its "decision to hide this data from its internal system and to refrain from recording it due to data-protection concerns".

"Thus, the situation at hand was created solely by the business and system model that was deliberately chosen by the complainant," the court said. 

It added that the 2017 update to the TKÜV, which expressly mentions the need for service providers to collect IP-address information, does not create a new requirement but clarifies the existing law.

In a Tuesday blog post, Posteo said it was still in the process of figuring out whether it had any legal options left. If not, it would "adapt our system architecture, but choose a solution that will not compromise the security and rights of our customers".

"To put it bluntly, we will not start logging the IP addresses of our respectable customers," the post read. It went on to say that "a conservative system conversion is not an option for us", and Posteo would only gather IP addresses in relation to a mailbox that is subject to a surveillance warrant.
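The architecture Posteo sketches above, a system that retains no client IP addresses by default and records them only for a mailbox named in a surveillance order and only for events inside the order's validity period, can be made concrete in code. The following is an added illustration written for this page, not Posteo's software or any description of its internals: the order format, the mailbox names, the IP addresses and the order reference are all constructed placeholders.

```python
"""Warrant-scoped IP retention (added example; not Posteo's code).

Design being illustrated:
  * by default the client IP seen on a login is dropped before anything is
    persisted, so there is nothing to hand over for mailboxes not under order;
  * an IP is retained only when an active surveillance order names the mailbox
    and the event falls inside the order's validity window;
  * every retained IP carries the reference of the order that justified it.
All sample values below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def ts(iso_z: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MM:SSZ' string as a UTC datetime."""
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class SurveillanceOrder:
    mailbox: str
    valid_from: datetime
    valid_until: datetime   # inclusive end of the period named in the order
    reference: str          # case reference; placeholder text in the samples

    def covers(self, mailbox: str, at: datetime) -> bool:
        """True only for the named mailbox and only inside the order's window."""
        return mailbox == self.mailbox and self.valid_from <= at <= self.valid_until


@dataclass
class OrderRegistry:
    orders: List[SurveillanceOrder] = field(default_factory=list)

    def active_order(self, mailbox: str, at: datetime) -> Optional[SurveillanceOrder]:
        for order in self.orders:
            if order.covers(mailbox, at):
                return order
        return None


@dataclass(frozen=True)
class LoginEvent:
    """What the front end sees transiently while it handles a connection."""
    mailbox: str
    timestamp: datetime
    client_ip: str


@dataclass(frozen=True)
class RetainedRecord:
    """What is allowed to reach persistent storage."""
    mailbox: str
    timestamp: datetime
    client_ip: Optional[str]        # None on the default, minimised path
    order_reference: Optional[str]  # which order justified keeping the IP


def minimise(event: LoginEvent, registry: OrderRegistry) -> RetainedRecord:
    """Strip the IP unless an active order for this mailbox covers the event."""
    order = registry.active_order(event.mailbox, event.timestamp)
    if order is None:
        return RetainedRecord(event.mailbox, event.timestamp, None, None)
    return RetainedRecord(event.mailbox, event.timestamp, event.client_ip, order.reference)


# Constructed sample data: one order, three logins (one for an unrelated
# mailbox, one inside the order window, one after the order has expired).
SAMPLE_ORDERS = [
    SurveillanceOrder("target@example.invalid", ts("2019-01-10T00:00:00Z"),
                      ts("2019-02-10T23:59:59Z"), "ORDER-REFERENCE-PLACEHOLDER"),
]
SAMPLE_EVENTS = [
    LoginEvent("alice@example.invalid", ts("2019-01-15T09:00:00Z"), "203.0.113.7"),
    LoginEvent("target@example.invalid", ts("2019-01-15T09:05:00Z"), "198.51.100.23"),
    LoginEvent("target@example.invalid", ts("2019-03-01T12:00:00Z"), "198.51.100.23"),
]


def sample_run() -> List[RetainedRecord]:
    """Apply the minimisation step to the constructed sample events."""
    registry = OrderRegistry(SAMPLE_ORDERS)
    return [minimise(event, registry) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for record in sample_run():
        print(record.mailbox, record.timestamp.isoformat(),
              record.client_ip or "<not retained>", record.order_reference or "-")
```

The point of the `minimise` step sitting between the connection handler and storage is that the default path never writes the address at all, which matches the court's own characterisation that such data is absent by design rather than unavailable; the window check on the order is what keeps the scope to "data that is generated during the period specified in the surveillance decision", as the lawyer quoted later in the article puts it.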

So would what Posteo is proposing satisfy the courts? According to Carlo Piltz, an information privacy lawyer with Reusch Law in Berlin, it probably would.

"The ruling by the Constitutional Court does not create or speak in favor of an obligation for unlimited data retention," said Piltz. 

"The court restricts the obligation only to data that is generated during the period specified in the surveillance decision from the authority and it concerns Posteo's very specific system infrastructure."  

This position does not result in a general obligation for companies to store IP addresses, Piltz said.

"Of course, it seems a bit strange that a service that is particularly concerned about data protection and privacy should now be obliged to store data for the sole purpose of criminal prosecution," he added. 

"But in the end, in the opinion of the Constitutional Court, this obligation is prescribed by law and also binding for Posteo."

In its Tuesday statement, Posteo accused the Constitutional Court of hardly acknowledging an opinion by Germany's federal data protection commissioner, which had warned of creating obligations not actually set out in the TKG. The law says providers may only collect traffic data that they need for operational purposes.

"We have come to the conclusion that highly complex, secure system architectures and their benefits are scarcely comprehensible to public authorities," Posteo complained, pointing to Germany's recent massive data leak as an example of why it was best not to store data unnecessarily.
