"A lot of cases that could be solved with data retention"

When it comes to fighting crimes in the digital sphere, there is no more powerful unit in Germany than the Central Office for Combating Internet Crime (ZIT) at the Frankfurt Public Prosecutor's Office. Benjamin Krause is deputy head of the central office.

WORLD: Mr. Krause, according to the judgment of the European Court of Justice (ECJ), German data retention is illegal in its current form, but could be designed to conform with European law with some restrictions. What does the decision mean for your work?

Benjamin Krause: We expected the verdict because it corresponds to the previous line of the ECJ. For our work as a central office for cybercrime, only the storage of IP addresses is actually relevant, and the ECJ gives the member states a lot of leeway (IP addresses are regularly changing combinations of numbers that are automatically assigned to users by their Internet providers for identification in the network , ed.). I fear, however, that a lengthy political debate will ensue as to the extent to which this scope should be used.

In the end, in the worst case, there is some kind of compromise solution that ends up before the courts again. This legal situation, which has been unclear for years, is particularly frustrating for us; sometimes I think it might be better if the ECJ had simply banned any form of data retention - then at least we would know where we are.

WORLD: In fact, data retention in Germany only existed from 2008 to 2010. In 2015 it was re-enacted in a revised form, but due to legal concerns it was never applied. Were you able to record a higher clear-up rate in the two years with data retention?

Krause: I can't answer that for the ZIT because our office was only founded in 2010. If you look at the police crime statistics, the clear-up rate for crimes on the Internet was 83 percent in 2007 and fell to 72.3 percent in 2010 after the introduction of data retention. In the years that followed, however, it fell even further and was only 58 percent in 2021; at the same time, the number of offenses has roughly doubled.

Empiricism has its pitfalls, and there are many other influencing factors such as the staffing of the public prosecutor's office. In our day-to-day practice, I would describe the lack of data retention as a double-edged sword. On the one hand, the loss of that ability has forced us to approach investigations in a much more innovative, inventive, and technically complex manner than we might otherwise have done. On the other hand, there are without a doubt a lot of cases where we still fail and which could easily be solved with data retention.

"It is an essential instrument for being able to get the most serious crimes under control," says senior public prosecutor Ralph Knispel on the ECJ's ruling. Without data retention, fighting crime is made considerably more difficult. The hope for a new instrument from the traffic light is not there.

Source: WORLD

WORLD: What are these cases?

Krause: Let's take child pornography, for example. The Federal Criminal Police Office receives most of the information on this from the National Center for Missing and Exploited Children in the USA. Reports are forwarded from there when Google, Facebook, Snapchat or one of the other large Internet companies has discovered child pornography material on its platform. The message typically includes the account name and the IP address used, as well as some registration data such as the e-mail address. We can then ask the social network or mail provider which person this account is registered to.

The problem, however, is that none of these services perform identity checks. Since they are free of charge, no payment data is stored that would allow assignment to an account. Sometimes the accounts are still registered to the real data of the perpetrators, then we're lucky. Often, however, obvious fantasy names such as Donald Duck are entered, sometimes also data that look real but are fictitious.

The IP address would actually be the much more valid determination approach here, because the Internet provider knows its customers. But due to a lack of data retention, the assignment of the IP address to the respective customer is usually not saved.

WORLD: But sometimes?

Krause: Some Internet providers save the IPs voluntarily for about a week, others don't save them at all, and still others save them in some cases and in others not for business reasons that are unclear to us. So we always make a request if the suspicious access via the IP was only a few days ago. This means a lot of work, which often leads to nothing.

WORLD: Even if there were data retention: IPs can be easily disguised - for example, by the perpetrator using a public WLAN.

Krause: That is correct; data retention is certainly not a panacea. In our experience, however, such tricks are mainly used for cybercrime in the narrower sense, i.e. ransomware (malicious software that encrypts the data on the infected computer and only releases it again after paying a kind of ransom, ed.) or computer fraud. When it comes to child pornography or hate comments on the Internet, the perpetrators are rarely technically adept, but are instead controlled by their anger or their instincts. Incidentally, child pornography is not primarily shared via the dark web, but also extensively via social networks, messengers or e-mail.

WORLD: Federal Minister of Justice Marco Buschmann (FDP) still wants to abolish data retention and instead introduce a so-called quick freeze procedure, with which Internet providers can be obliged to freeze the traffic data currently recorded by them and, if necessary, to publish it later. Do you think this is a sensible alternative?

Krause: That may make sense in the telephony area, for example in cell detection, but I'm not an expert there. In any case, the proposal would not be effective in the case of Internet crime, because you can only freeze what you have initially collected and stored, and, as mentioned, many Internet providers do not save the assignment of the IP address to a customer ID at all.

For this reason, a discussion draft by the Federal Ministry of Justice from 2011 on Quick Freeze provided for the additional obligation that IP addresses must always be stored by the provider for seven days so that the mechanism does not come to nothing.

I experienced the problem described in impressive form in 2016 during preliminary proceedings against an accused who offered his child for live abuse on the Internet. We got him to download some harmless pictures from a server we control and that's how we got his IP. I then sent a live request to his internet provider while one of our investigators was chatting with the suspect, and even in this situation they were unable to match it to a customer account.

What does the ban on the previous German rules on data retention mean for the fight against organized crime, child pornography and terrorism? Joachim Herrmann, CSU interior minister of Bavaria and chairman of the conference of interior ministers, talks about this at WELT.

Source: WELT/Katja Losch

WORLD: Which regulation would you like instead?

Krause: It is ultimately a societal decision as to how much freedom and how much security we want online. The federal government is planning an overall monitoring bill that should include all forms of state data collection. At the same time, perhaps she could draw up an overall investigation bill that just as meticulously examines what options the law enforcement authorities have in the digital age and what causes investigations to regularly fail; then at least there would be a basis for discussion.

"Kick-off Politics" is WELT's daily news podcast. The most important topic analyzed by WELT editors and the dates of the day. Subscribe to the podcast on Spotify, Apple Podcasts, Amazon Music or directly via RSS feed.