Posteo is a German email provider that offers encrypted communications and, crucially, does not log the IP addresses of its users.

So it's no surprise that the company is angry about a decision from the German Constitutional Court, which says it has to log IP addresses so that it can provide them to investigators, when asked.

The ruling was published Tuesday, in a case involving the attempted surveillance by Stuttgart authorities of someone suspected of breaking narcotics and weapons laws.

In 2016, a local court came to Posteo with a warrant, demanding all existing and future data relating to the suspect's email account. Posteo implemented surveillance of the account but told the cops that, as it doesn't log traffic data, there was nothing on that front to share.

Prosecutors complained that Posteo had the IP addresses and was discarding them, but the provider retorted that it never had them, because it uses a Network Address Translation (NAT) technique that leaves them at the network's border.

The local court told Posteo to collect all future IP addresses. Posteo refused on the basis that a system conversion would be disproportionately costly. But the regional court disagreed and hit Posteo with a small fine, and the case ended up at the Constitutional Court.

In its ruling, the Constitutional Court acknowledged that fining Posteo for not collecting IP addresses "interferes with the complainant's right to freely practice one's occupation or profession", but said it was constitutionally acceptable because Germany's Telecommunications Act (TKG) does permit the surveillance of IP addresses.

Meanwhile, it added, Germany's Telecommunications Surveillance Ordinance (TKÜV) obliges providers to "provide the technical infrastructure necessary for carrying out telecommunications surveillance and to take the organizational measures necessary in this regard to ensure that surveillance can be implemented without undue delay".

Posteo's lack of users' IP addresses is not the result of "a lack of available data", the court ruled, but rather because of its "decision to hide this data from its internal system and to refrain from recording it due to data-protection concerns".

"Thus, the situation at hand was created solely by the business and system model that was deliberately chosen by the complainant," the court said.

It added that the 2017 update to the TKÜV, which expressly mentions the need for service providers to collect IP-address information, does not create a new requirement but clarifies the existing law.

In a Tuesday blog post, Posteo said it was still in the process of figuring out if it had any legal options left. But if not, it would "adapt our system architecture, but choose a solution that will not compromise the security and rights of our customers".

"To put it bluntly, we will not start logging the IP addresses of our respectable customers," the post read. It went on to say that "a conservative system conversion is not an option for us", and Posteo would only gather IP addresses in relation to a mailbox that is subject to a surveillance warrant.

So would what Posteo is proposing satisfy the courts? According to Carlo Piltz, an information privacy lawyer with Reusch Law in Berlin, it probably would.

"The ruling by the Constitutional Court does not create or speak in favor of an obligation for unlimited data retention," said Piltz.

"The court restricts the obligation only to data that is generated during the period specified in the surveillance decision from the authority and it concerns Posteo's very specific system infrastructure."

This position does not result in a general obligation for companies to store IP addresses, Piltz said.

"Of course, it seems a bit strange that a service that is particularly concerned about data protection and privacy should now be obliged to store data for the sole purpose of criminal prosecution," he added.

"But in the end, in the opinion of the Constitutional Court, this obligation is prescribed by law and also binding for Posteo."

In its Tuesday statement, Posteo accused the Constitutional Court of hardly acknowledging an opinion by Germany's federal data protection commissioner, which had warned of creating obligations not actually set out in the TKG. The law says providers may only collect traffic data that they need for operational purposes.

"We have come to the conclusion that highly complex, secure system architectures and their benefits are scarcely comprehensible to public authorities," Posteo complained, pointing to Germany's recent massive data leak as an example of why it was best not to store data unnecessarily.
