Germany: Data retention to be abolished (opens in new tab)

Do you have a paid account or a free account? If I store my documents on a free account for a one time send to the university application and then I forget about it, then Dropbox should purge it after a time to protect my data, as I don't have any "contract" with them like a subscription or something. The same for G2A, I have bought from them some game keys at a cheap price sometime ago and then I totally forgot that I have one, I couldn't even find the activation mail in my inbox, lol. One day in the summer I woke up with a mail that I have to pay an inactivity fee even if I'm just a row in their database and I have no contractual obligation with them.

fiddlerwoaroof4y ago

I had a family member go through a major life event that left his OneDrive account unused for about a year. When we needed to access tax documents on it, Microsoft had deleted it. I’m strongly against non-user initiated account deletion.

3 more replies

ivan_gammel4y ago

In fact you have the contract with the services where you sign up. Even if you did not read T&Cs, you have accepted them and only then your relationship with the service started on their terms. You are not just a row in the database, you are a customer getting service in exchange for something. You have at least opted in to their data retention policy, and you have to opt out explicitly. If services will be required to purge the customer data after period of inactivity by default, chances are high that free accounts will simply cease to exist. In any case, quite significant share of customers would prefer to opt out from purge and they will be important enough from commercial perspective to make this opt out default in T&Cs acceptance process.

lexandstuff4y ago

So you'd like Dropbox to "protect your data" by deleting it?

I'd rather see my family photos leaked to hackers than see them purged from existence forever because I forgot to log in enough.

nickff4y ago

>"If I store my documents on a free account for a one time send to the university application and then I forget about it, then Dropbox should purge it after a time to protect my data, as I don't have any "contract" with them like a subscription or something."

I found this sentence interesting, as it contained positive and normative statements that I disagree with, with a non-sequitor between them. You say that you have no contract with them, even though you agreed to some sort of 'user agreement'. Then you say that you forgot about it, and that makes your faulty memory their problem. They have to make sure your data is secure for you because you... just don't bother to pay any attention to where you're leaving it? Should they also be responsible for checking your password against known breaches, to make sure it's not compromised? Where does this end?

kevinventullo4y ago

Strongly disagree, for Steam in particular. I played a lot of computer games in high school and early college, then stopped for about 7 years. When I finally bought a new computer, I somehow remembered my old Steam password and was thrilled to find that all the old games were still on my account, ready to download. In comparison, I had long lost any physical copies of games I had purchased as a youth.

As a bonus, I get the “bragging rights” of having nearly the oldest possible steam account (it can now vote).

rntksi4y ago

What do you mean by "it can now vote" ? (honest curiousity)

bagels4y ago

They mean it is older than 18 years. It can't vote.

https://steamcommunity.com/id/ruakai/recommended/582660/

tluyben24y ago

I have accounts over 20 years old I use every few years. I would not be very amused if your suggestion takes off.

I can see simple things happening though that work towards this; for my pet project I just coded a feature that hashes email addresses of inactive (3 months without any interaction) and using another differently salted hash of their email address (which we then no longer have after this) to encrypt their data. They can still login, which restores their account and data without them noticing, but they will never receive email and possible breaches hurt less.

robbedpeter4y ago

Nobody is suggesting you can't consent to long term storage, we're advocating for a sane, privacy respecting default.

ThrustVectoring4y ago

This is the sort of experience that you want. In case you don't want to click through, this is someone with over 1700 hours in an MMO who lost all their progress and items because they took a break and missed the GDPR-related opt-in to get their account transferred.

wowokay4y ago

I don't want to lose all my steam games just because I am inactive for a time. That us a terrible idea, I purchased those digital goods, that's like saying crypto markets should dump data from time to time.

Schroedingersat4y ago

Then fight for digital purchases to be actual purchases, not renting until you lose that account.

renewiltord4y ago

What, why would I do that? I don't want to fight for something I already have. I'd rather fight against people who would take it from me.

ajmurmann4y ago

So what would your ideal scenario look like? I buy the game download it, backup on S3, pay for that and then lost access when I don't access it in a few months?

I'm super happy I don't have to worry about storage for my large Steam collection.

luckylion4y ago

If so, please make it opt-in. Let users set the auto-delete date themselves, because I don't want to have to make sure that I log in every other week to keep my account alive.

b1124y ago

This could work, along with a default setting, and if the config was easy to find.

Or not purposefully obscured.

pjc504y ago

This would be a disaster for a lot of people.

3234y ago

> In my country (Romania), even barber shops that store user accounts for longer periods than necessary are fined

Those most be some fancy barber shops that you need online accounts for.

Tijdreiziger4y ago

Not Romanian, but you usually need to make an appointment at a barber (especially now that they can't/don't want to have too many people in their shop at once, due to COVID regulations). If you make the appointment online, then you can usually create an account to view/rebook/cancel it later, if necessary.

valdiorn4y ago

I book my hair appointment online. they ask for name, email and mobile phone number. They need the name to know who to expect for the appointment. They ask for email and/or phone to send you a reminder (which is nice, IMO).

Very reasonable and totally with the GDPR rules as well, as long as they purge the data after a certain time.

samus4y ago

Email and phone number should be optional though. People can set up reminders on their phones by themselves.

peakaboo4y ago

Why does it amaze you that companies want to keep user data when we know it's extreamly valuable?

nine_k4y ago

What is extremely valuable about data on an account which is dormant for years?

robbedpeter4y ago

How do you think profiling is done?

If a data aggregator can create a timeline of an individuals life, watching personality traits, social graphs, income, travel, routine, biometrics and health, stress and recreation, political affiliation, brand and taste preferences, savings, debt, credit, and social media influence traces, local, regional, and national cultural influences, and so on... that email archive is gold.

You can then create predictive models that let you target products, politics, music, media, and so on. It's not about spying on individuals, it's about manipulating populations. It's about rent extraction and wealth consolidation using tools of influence that negate consent. It augments abuses by law enforcement, corrupting the principles by which democratic governments are supposed to operate by hiding tyranny behind EULAs and TOS and private sector proxies.

Imagine a gpt-3 type model, except that instead of predicting text, it's designed to predict behaviors and psychological effects. That gives you a tool that's got a Darren Brown level of manipulation potential that you can scale. It's never going to be 100% accurate at the individual level, but you can target huge collections of individuals to modulate their lives through advertising and media sequencing.

notimetorelax4y ago

We’ll this is not what the OP is proposing. Data removal after 3 months or a year seems too fast. I game on steam once every two years - do I have to buy all my games each time?

usrusr4y ago

You can fake relevance if you want to sell the company without actually lying. Coincidentally there's a certain class of company that is in a permanent state of being sold and whose communication is under particular scrutiny wrt truthfulness. Seen from any other angle I fully agree, random user data value tends to be greatly overestimated.

lgrapenthin4y ago· 15 in thread

Since June, the German government allows even police to secretly spy on Germans "preventively", i. e. without suspicion or proof of crime or future crime and without decision by court of law, by installing trojans on their phones and PCs, i. e. through the app store. "Your right to privacy is being respected in Germany!" - This is not true.

eastendguy4y ago

NOT true. The regulations that you have in mind never made it into law.

Source: https://www.spiegel.de/netzwelt/netzpolitik/bundesrat-stoppt...

ashtonkem4y ago

The German government is pretty good at putting on a face of respectability and proper process, while also doing bad things. I'm reminded of the fact that the state began a criminal investigation of FT after they reported on Wirecard's fraud on the insistence of Wirecard itself.

y4mi4y ago

Germany has a massive corruption problem on the higher levels.

It's not as visible for outsiders, because nations with corruption issues usually also have police and office workers essentially doing shakedowns to do their jobs, and that's not really a thing in Germany.

What is quiet widespread is politicians and office worker enriching themselves either directly from budgets theyre responsible for or by doing things for corporations which pay them handsomely.

nivenkos4y ago

The mask scandal brought it to light.

drited4y ago

Yep all while people working for the financial regulator Bafin traded Wirecard stock in their personal accounts.

3np4y ago

Not that I doubt you, but do you have a source?

St_Alfonzo4y ago

Maybe I mixed up something and this is the wrong law: The "Gesetz zur Modernisierung der Rechtsgrundlagen der Bundespolizei" was accepted by the Bundestag, but finally the Bundesrat did not agree. https://dip.bundestag.de/vorgang/gesetz-zur-modernisierung-d...

ben_w4y ago

While I am very much opposed to being spied on without a warrant[0], the case where only government bodies can do this is better than the case where anyone can do it.

Of course, the existence of a mechanism to enable this is itself a thing which can be exploited by the exact same criminals I’m most concerned about with data retained by private businesses, so it’s not much of an improvement even though the attack surface is probably smaller.

[0] and indeed this is why I was already looking to leave the UK even before Brexit; the Investigatory Powers Act gives the Welsh Ambulance Service access to anyone’s “internet connection records” without a warrant.

SllX4y ago

I prefer the case where no one does it.

Private corporations at least do it for money. Governments do it for power. I think it’s a hard case to make that that’s a better reason than to do it for money.

ben_w4y ago

Likewise I would prefer nobody does it, but that isn’t feasible given how easy it is to do it.

But… money is one kind of power, so I don’t think it’s “better”.

Given what happened in living memory to a previous government in (East) Germany that abused surveillance power, I both accept the concern, and yet also don’t expect it to actually apply here, at least not until about 2040 when the last people who remember experiencing the receiving end of it retire.

Jensson4y ago

In smaller democracies the government tend to serve the people. In that case the purpose of the spying is to serve the people and not a government power grab, that is how democracies are intended to work.

Also large enough corporations tend to do things for power reasons rather than money, as once you are a billionaire your money is mostly just a means to exert power so trading money for power is what you do. And at that size they start to intermingle with governments, making the acts of the company hard to separate from acts of the government.

4 more replies

yawaworht19784y ago

Without warrant or accountability?

How would they go on about infecting a PC?

Crazy that the app stores play along.

usrusr4y ago

Do warrants really make that much of a difference? I don't really see anything that could be considered incentive or control for keeping that mechanism from slowly (or not slowly at all) degenerating into a rubberstamping process.

I could easily imagine a system that leaves case by case decisions completely to law enforcement practitioners, but constrains them with paper trail requirements (accountability, I do agree with that part) and, most importantly but unfortunately kind of irreconcilable with the legal mindset, an artificial quota that forces them to actually think about the case. I believe that a system like that might in the end lead to less frivolous eavesdropping than one where everything is fair game as soon as they get someone authorized to sign off a form. "I got it signed off" goes a long way when it comes to questions of moral licencing: suddenly it becomes someone else's job to feel bad about it if maybe someone should.

largbae4y ago

Would the warrant describe what is being searched for and why? If so could that be used to challenge unrelated "evidence" to the approved purpose?

AceyMan4y ago

at least in the States one effective counterforce to this concern is that judges are very adamant about the separation of policy making (legislation) and the courts (judiciary). Most judges are conservative (read 'purist') about the doctrine of the separation of the branches of government and don't take well to pressures from the other two. The upshot is that warrant issuance is seen as a vital part of their domain and they don't sell it away.

adolph4y ago· 7 in thread

It is unclear to me if this means that ISPs cannot retain data, or a revocation of the law requiring ISPs to retain data.

pmontra4y ago

From what I read it seems that they have to stop logging. They can start logging only after they got a request from whoever is allowed to issue such requests in Germany.

onli4y ago

That should be pretty much the same thing. The moment the illegal data retention law gets disabled the ISPs have no right to collect and retain that data anymore.

adolph4y ago

Is there some other law requiring no data retention? It doesn’t logically follow that the revocation of a data retention law means that an ISP can’t still retain data.

onli4y ago

Yes, this all follows from the DSGVO/GDPR and - depending where you are - their local implementations. When data means personal data, which includes IPs and certainly things like websites one visits, connection metadata an ISP would collect.

realityking4y ago

That’s not true. It’s perfectly reasonable to keep some operational logs for debugging purposes for a few hours or even days.

onli4y ago

It's illegal to keep personal data of users without either legitimate interest or a direct agreement, that's completely clear under the DSGVO. If the operational logs are needed to fulfill the contract with the user then sure, the provider can keep them (for as short as possible), otherwise not. Days? I highly doubt it.

The Vorratsdatenspeicherung counteracted that principle, if it falls away storing this data gets really complicated.

realityking4y ago

The latter. An ISP - within the guard rails set by GDPR and other privacy laws - can store customer data for their own purposes. But the government won’t require them to do so.

usrbinbash4y ago· 6 in thread

And what can we learn from this story?

Middle-Left coalitions are actually a pretty good idea.

iqanq4y ago

As if data retention was the only thing the government had to decide on...

To be fair, data retention is a hot topic right now in Europe, the pandemic and the increased screen time that resulted from it, the amount of accounts we had to create left and right require new regulations.

iqanq4y ago

I live in Europe and the only hot topic I can think of, apart from the virus, is energy prices. The same energy prices the center-left wants to increase via CO2 taxes.

More like that people do not read articles. They're discussing mandatory vaccinations, they are talking about banning Telegram, with Buschmann saying he's not pro ban but wants to censor Telegram content like they already censor other social media. It's a huge thorn in their claws that they don't control this platform because they're based outside the West. The new chancellor is corrupt and helped cover up the embazzling of over 60 billion euros in the largest tax fraud in German history (CumEx). Forgive me for being skeptical. This is likely smoke and mirrors, just like their announcement to legalize cannabis to distract young voters from all the scandals and authoritarian policies.

usrbinbash4y ago

Mandatory vaccinations helped to eradicate smallpox.

And yes, social media providers have to get their act together if they want to do business in Europe.

Vaccination isn't going to eradicate SARS, you don't understand how coronaviruses work. If it were that easy we'd already have eradicated a whole bunch of viruses. Any year now the flu is going to be eradicated, just gotta vax more. /s

[1] https://www.whitecase.com/publications/alert/court-confirms-...

pmontra4y ago· 1 in thread

I'm glad about this decision. Anyway removing all personal data from logging will be a huge project in large organizations. I'm thinking about IP addresses [1] which are often used to aggregate requests, debug, etc. Wireshark could become a hot tool to handle.

I didn't spend much time to think about it so I might be totally wrong but anonymizing IP addresses is probably not easy unless we give up aggregation. I think that anything that uniquely maps IP addresses also becomes personal data, e.g. cookies.

notimetorelax4y ago

Wireshark is very much a hot tool to handle already. To be in compliance with GDPR all the traces have to be dropped within the data removal grace period.

mytailorisrich4y ago

Key seems to be "without any reason".

An example: here in the UK the limit on taking legal action on most civil issues is 6 years. This means it is perfectly reasonable to have a 6 year retention policy and indeed that's what most companies do.

nkmnz4y ago

This is about ISPs (no one else) that currently have to store a lot of data way longer than necessary to serve the customer or for technical reasons, so that law enforcement can „travel back in time“ once they have a judicial order. It‘s like putting a GPS into anyones pocket so that the government can always trace your whereabouts. In the future, storing that data will already require a judge to be involved, preventing mass surveillance (or at least, makes it a little bit harder for everyday law enforcement to access the surveillance data).

dmitriid4y ago

Also, quite relevant for data processing and consent: German DSK issues cookie guidance with strict requirements for cookie banners, consent and using US-based providers, https://twitter.com/OdiaKagan/status/1473725634102939650

Germans are quite pissed about their privacy, and for good reason. I also like that they are taking matters into their hands.

cblconfederate4y ago

except for tax reasons. then you have to keep track of every penny for a thousand years.

amelius4y ago

Are Messenger/WhatsApp messages also telecommunications data?

Goety4y ago

The new center of the world

j / k navigate · click thread line to collapse

117 comments

77 comments · 11 top-level

johnnycerberus4y ago· 37 in thread

slickdork4y ago

Mildly related: In America, e-mails stored on a server for over 180 days are considered 'abandoned' and can be viewed by law enforcement without warrants. [0]

[0] https://en.wikipedia.org/wiki/Electronic_Communications_Priv...

Matticus_Rex4y ago

goodpoint4y ago

How comes there are no ongoing protests? This is appalling.

largbae4y ago

I wonder the same thing. Civil Asset Forfeiture is at least as awful and should offend everyone regardless of their stance on current political hot topics. Yet it appears to go on unaddressed.

kelnos4y ago

CodeMage4y ago

People can't protest what they don't know about, and this kind of thing isn't talked about at all.

indrora4y ago

This explains the "179 day retention policy" that I've seen at several places.

akersten4y ago

> Everything that is linked to your email address should be purged after 3-12 months of inactivity, including

That is such a horrible idea, I go on vacations longer than that. My Dropbox should be deleted if I don't log in for 4 months?

Breza4y ago

"Sorry, you can't log into this NCAA bracket website because you haven't used it since last year."

"Why would I use it more than once a year?"

inetknght4y ago

> I go on vacations longer than that.

That's the bigger injustice, tbqh.

fiddlerwoaroof4y ago

3 more replies

ivan_gammel4y ago

lexandstuff4y ago

So you'd like Dropbox to "protect your data" by deleting it?

I'd rather see my family photos leaked to hackers than see them purged from existence forever because I forgot to log in enough.

nickff4y ago

kevinventullo4y ago

As a bonus, I get the “bragging rights” of having nearly the oldest possible steam account (it can now vote).

rntksi4y ago

What do you mean by "it can now vote" ? (honest curiousity)

bagels4y ago

They mean it is older than 18 years. It can't vote.

https://steamcommunity.com/id/ruakai/recommended/582660/

tluyben24y ago

I have accounts over 20 years old I use every few years. I would not be very amused if your suggestion takes off.

robbedpeter4y ago

Nobody is suggesting you can't consent to long term storage, we're advocating for a sane, privacy respecting default.

ThrustVectoring4y ago

wowokay4y ago

Schroedingersat4y ago

Then fight for digital purchases to be actual purchases, not renting until you lose that account.

renewiltord4y ago

What, why would I do that? I don't want to fight for something I already have. I'd rather fight against people who would take it from me.

ajmurmann4y ago

So what would your ideal scenario look like? I buy the game download it, backup on S3, pay for that and then lost access when I don't access it in a few months?

I'm super happy I don't have to worry about storage for my large Steam collection.

luckylion4y ago

If so, please make it opt-in. Let users set the auto-delete date themselves, because I don't want to have to make sure that I log in every other week to keep my account alive.

b1124y ago

This could work, along with a default setting, and if the config was easy to find.

Or not purposefully obscured.

pjc504y ago

This would be a disaster for a lot of people.

3234y ago

> In my country (Romania), even barber shops that store user accounts for longer periods than necessary are fined

Those most be some fancy barber shops that you need online accounts for.

Tijdreiziger4y ago

valdiorn4y ago

Very reasonable and totally with the GDPR rules as well, as long as they purge the data after a certain time.

samus4y ago

Email and phone number should be optional though. People can set up reminders on their phones by themselves.

peakaboo4y ago

Why does it amaze you that companies want to keep user data when we know it's extreamly valuable?

nine_k4y ago

What is extremely valuable about data on an account which is dormant for years?

robbedpeter4y ago

How do you think profiling is done?

notimetorelax4y ago

We’ll this is not what the OP is proposing. Data removal after 3 months or a year seems too fast. I game on steam once every two years - do I have to buy all my games each time?

usrusr4y ago

lgrapenthin4y ago· 15 in thread

eastendguy4y ago

NOT true. The regulations that you have in mind never made it into law.

Source: https://www.spiegel.de/netzwelt/netzpolitik/bundesrat-stoppt...

ashtonkem4y ago

y4mi4y ago

Germany has a massive corruption problem on the higher levels.

What is quiet widespread is politicians and office worker enriching themselves either directly from budgets theyre responsible for or by doing things for corporations which pay them handsomely.

nivenkos4y ago

The mask scandal brought it to light.

drited4y ago

Yep all while people working for the financial regulator Bafin traded Wirecard stock in their personal accounts.

3np4y ago

Not that I doubt you, but do you have a source?

St_Alfonzo4y ago

ben_w4y ago

While I am very much opposed to being spied on without a warrant[0], the case where only government bodies can do this is better than the case where anyone can do it.

SllX4y ago

I prefer the case where no one does it.

Private corporations at least do it for money. Governments do it for power. I think it’s a hard case to make that that’s a better reason than to do it for money.

ben_w4y ago

Likewise I would prefer nobody does it, but that isn’t feasible given how easy it is to do it.

But… money is one kind of power, so I don’t think it’s “better”.

Jensson4y ago

4 more replies

yawaworht19784y ago

Without warrant or accountability?

How would they go on about infecting a PC?

Crazy that the app stores play along.

usrusr4y ago

largbae4y ago

Would the warrant describe what is being searched for and why? If so could that be used to challenge unrelated "evidence" to the approved purpose?

AceyMan4y ago

adolph4y ago· 7 in thread

It is unclear to me if this means that ISPs cannot retain data, or a revocation of the law requiring ISPs to retain data.

pmontra4y ago

From what I read it seems that they have to stop logging. They can start logging only after they got a request from whoever is allowed to issue such requests in Germany.

onli4y ago

That should be pretty much the same thing. The moment the illegal data retention law gets disabled the ISPs have no right to collect and retain that data anymore.

adolph4y ago

Is there some other law requiring no data retention? It doesn’t logically follow that the revocation of a data retention law means that an ISP can’t still retain data.

onli4y ago

realityking4y ago

That’s not true. It’s perfectly reasonable to keep some operational logs for debugging purposes for a few hours or even days.

onli4y ago

The Vorratsdatenspeicherung counteracted that principle, if it falls away storing this data gets really complicated.

realityking4y ago

The latter. An ISP - within the guard rails set by GDPR and other privacy laws - can store customer data for their own purposes. But the government won’t require them to do so.

usrbinbash4y ago· 6 in thread

And what can we learn from this story?

Middle-Left coalitions are actually a pretty good idea.

iqanq4y ago

As if data retention was the only thing the government had to decide on...

iqanq4y ago

I live in Europe and the only hot topic I can think of, apart from the virus, is energy prices. The same energy prices the center-left wants to increase via CO2 taxes.

usrbinbash4y ago

Mandatory vaccinations helped to eradicate smallpox.

And yes, social media providers have to get their act together if they want to do business in Europe.