Registration of a Tor node at the German Bundesnetzagentur
Hi, this is a question more specific for the German jurisdiction. At the 29C3 in Hamburg I attended a interesting talk about open WIFI (http://is.gd/9G8AVA unfortunately in German) who was given by Reto Mantz (http://www.offenenetze.de/). He gave the advice to register open WIFIs which are operated by non-profits at the German Bundesnetzagentur, because this is required under German law for companies (http://is.gd/vcz2pZ). I am wondering if there are Tor nodes operated by Germans who have been registered at the Bundesnetzagentur. >From my layman’s understanding of the law this should at least be required for nodes operated by German non-profits like CCC and Torservers. I am specially interested in the case of a node which runs in a data center outside of Germany but is operated by a German non-profit. As I operate my nodes privately I am unsure if registration of my tor nodes is required. I will check with my lawyer if a registration should be done and could help to run the nodes more securely concerning law enforcement. Having information from others would help to clarify this. Thanks & regards, torland
tor-admin <tor-admin@torland.me> wrote:
this is a question more specific for the German jurisdiction. At the 29C3 in Hamburg I attended a interesting talk about open WIFI (http://is.gd/9G8AVA unfortunately in German) who was given by Reto Mantz (http://www.offenenetze.de/).
He gave the advice to register open WIFIs which are operated by non-profits at the German Bundesnetzagentur, because this is required under German law for companies (http://is.gd/vcz2pZ). I am wondering if there are Tor nodes operated by Germans who have been registered at the Bundesnetzagentur. From my layman’s understanding of the law this should at least be required for nodes operated by German non-profits like CCC and Torservers. I am specially interested in the case of a node which runs in a data center outside of Germany but is operated by a German non-profit.
A couple of years ago I was contacted by the Bundesnetzagentur which somehow noticed that I was running Tor relays (in Germany) and pretended that I was legally required to formally register them. They didn't bother backing this claim up, of course. IIRC the form they send me was six pages long and looked like it was intended for commercial ISPs. After I ignored their request for a while they threatened a fine of a few thousand Euros which in a later letter was even increased a bit which seemed somewhat silly to me as the fine was intended for the exact same thing (not registering). I finally told them that I didn't recognise them as authority for my Tor relays and that I had no intent to register anything. As I haven't heart back from them I assume the case got closed after they talked to their lawyers. All in all (I also occasionally had to indirectly deal with them at a previous job) my impression is that the Bundesnetzagentur are a bunch of incompetent clowns with too much time on their hands and no proper oversight.
As I operate my nodes privately I am unsure if registration of my tor nodes is required. I will check with my lawyer if a registration should be done and could help to run the nodes more securely concerning law enforcement. Having information from others would help to clarify this.
I doubt that registering with the Bundesnetzagentur would significantly affect the risk of problems with law enforcement agencies. I you run exit relays I think it makes sense to voluntary inform the local police about them to decrease the risks of raids, but even that doesn't always work reliably. While I was living in Overath I "registered" my relays with the Police in Rösrath (who always acted very professionally and respectful). Several years later "Internet crime experts" coming from the police in Bergisch Gladbach (pretty close to Rösrath) made first contact by executing a Durchsuchungsbeschluss (search warrant) that didn't mention Tor in any way ... Fabian
On Wednesday 02 January 2013 13:34:27 Fabian Keil wrote:
While I was living in Overath I "registered" my relays with the Police in Rösrath (who always acted very professionally and respectful). Good point. I never thought about pro actively informing the local police about my nodes. Will check this with my lawyer.
Several years later "Internet crime experts" coming from the police in Bergisch Gladbach (pretty close to Rösrath) made first contact by executing a Durchsuchungsbeschluss (search warrant) that didn't mention Tor in any way ...
Fabian
I hope these days German police is better educated about Tor exit nodes. Thanks Torland
the guys from opentracker told us at 24c3 that they have made good experiences with informing their upstream provider about their activities. that way their provider forwarded all abuse-mails directly to them. events.ccc.de/congress/2007/Fahrplan/events/2355.en.html this might help with tor-nodes, too. Markus
On Sunday 06 January 2013 20:35:25 Markus Drenger wrote:
the guys from opentracker told us at 24c3 that they have made good experiences with informing their upstream provider about their activities. that way their provider forwarded all abuse-mails directly to them.
events.ccc.de/congress/2007/Fahrplan/events/2355.en.html
this might help with tor-nodes, too.
I informed my hosting provider about the Tor exit nodes. With each incoming abuse message they forward to me, I inform the employee that handles the message again about the purpose of the server. So for them it should be clear what and why this is happening. Regards, Torland
On 06.01.2013 20:29, tor-admin wrote:
On Wednesday 02 January 2013 13:34:27 Fabian Keil wrote:
While I was living in Overath I "registered" my relays with the Police in Rösrath (who always acted very professionally and respectful). Good point. I never thought about pro actively informing the local police about my nodes. Will check this with my lawyer.
When I started torservers.net, I also discussed this with our lawyer, and also proposed 'registering with' the LKA, federal state police. He doubted they have any system to put that down into. I have since talked to a cybercrime investigator of one of the LKAs, and he agreed and called that idea 'useless'. -- Moritz Bartl https://www.torservers.net/
Moritz Bartl <moritz@torservers.net> wrote:
On 06.01.2013 20:29, tor-admin wrote:
On Wednesday 02 January 2013 13:34:27 Fabian Keil wrote:
While I was living in Overath I "registered" my relays with the Police in Rösrath (who always acted very professionally and respectful). Good point. I never thought about pro actively informing the local police about my nodes. Will check this with my lawyer.
When I started torservers.net, I also discussed this with our lawyer, and also proposed 'registering with' the LKA, federal state police. He doubted they have any system to put that down into. I have since talked to a cybercrime investigator of one of the LKAs, and he agreed and called that idea 'useless'.
I agree that there seems to be no real registry in place and that "registering" with the BKA and the various LKÄ is probably useless. My main motivation for "registering" with the local police was that they seemed to get a lot of abuse cases forwarded from other police "districts". I also assumed that any Tor-related search warrants in my area would likely be executed by them and that they wouldn't knowingly execute search warrants that are legally questionable. They had also mentioned that having a list of the IP addresses I use together with an universal description of what a Tor relay does and why I can't provide "Klarpersonalien" for Tor users would allow them to deal with abuse cases more quickly as they wouldn't have to contact me each time (always getting pretty much the same answer anyway). Fabian
On 01.01.2013 22:30, tor-admin wrote:
He gave the advice to register open WIFIs which are operated by non-profits at the German Bundesnetzagentur, because this is required under German law for companies (http://is.gd/vcz2pZ). I am wondering if there are Tor nodes operated by Germans who have been registered at the Bundesnetzagentur.
Disclaimer: I am not a lawyer, and this is not legal advice. This is a personal opinion. I have talked to a number of lawyers, and formed my opinion based on their statements. I doubt that I need this sort of disclaimer, but some people say I do. There is a fundamental legal difference between operating Internet Access Providers and Internet Service Providers. As a Tor exit, you should and want to be judged as a service provider. The key difference is that Access Providers give you Internet access, whereas Service Providers (Telemediendienste, "tele media services") give you services which require (existing) network access. Access Providers are bound to the Telekommunikationsgesetz: http://www.gesetze-im-internet.de/tkg_2004/ Whereas service providers are bound to the Telemediengesetz: http://www.gesetze-im-internet.de/tmg/ Most interesting for exit operators within German borders are: §8 - no liability for forwarded content (compare §512a DMCA USA) §15 - you are not allowed to collect or store user identifying data unless required for billing purposes -- Moritz Bartl https://www.torservers.net/
On Wednesday 02 January 2013 14:56:59 Moritz Bartl wrote:
There is a fundamental legal difference between operating Internet Access Providers and Internet Service Providers. As a Tor exit, you should and want to be judged as a service provider. The key difference is that Access Providers give you Internet access, whereas Service Providers (Telemediendienste, "tele media services") give you services which require (existing) network access.
Access Providers are bound to the Telekommunikationsgesetz: http://www.gesetze-im-internet.de/tkg_2004/ Reading the law it is still unclear to me if a Tor node operator is a "Diensteanbieter" (service provider) as defined by the Telekommunikationsgesetz. If yes the law is pretty clear in § 6 that such a service has to be registered at the Bundesnetzagentur if it is done commercially.
Whereas service providers are bound to the Telemediengesetz: http://www.gesetze-im-internet.de/tmg/
Most interesting for exit operators within German borders are: §8 - no liability for forwarded content (compare §512a DMCA USA) §15 - you are not allowed to collect or store user identifying data unless required for billing purposes
These paragraphs surely help Tor operators. Thanks for your comments. Torland
On Sun, Jan 06, 2013 at 08:20:44PM +0100, tor-admin wrote:
Whereas service providers are bound to the Telemediengesetz: http://www.gesetze-im-internet.de/tmg/
Most interesting for exit operators within German borders are: §8 - no liability for forwarded content (compare §512a DMCA USA)
Don't forget http://de.wikipedia.org/wiki/St%C3%B6rerhaftung The Freifunk guys are also affected, and fighting it http://freifunkstattangst.de/ http://www.taz.de/!95330/ etc.
§15 - you are not allowed to collect or store user identifying data unless required for billing purposes
These paragraphs surely help Tor operators.
On 06.01.2013 21:01, Eugen Leitl wrote:
Whereas service providers are bound to the Telemediengesetz: http://www.gesetze-im-internet.de/tmg/ Most interesting for exit operators within German borders are: §8 - no liability for forwarded content (compare §512a DMCA USA) Don't forget http://de.wikipedia.org/wiki/St%C3%B6rerhaftung The Freifunk guys are also affected, and fighting it http://freifunkstattangst.de/ http://www.taz.de/!95330/ etc.
Again: We are talking about two completely different worlds here. One is providing telecommunications services, the other is providing telemedia services. "Störerhaftung", something I find hard to translate but I am sure exists in English-speaking countries also, is "just" the general legal concept of "you can be made liable if assisting in crimes". Freifunk is in so far "affected" *not* because any law or judge says so, but because in Germany, lawyers can write Abmahnungen, scary letters coming with a proposed fee to pay for the "crime commited". Most people think anything coming from a lawyer must be "proper", and usually pay the fee instead of arguing against it. In the case of Freifunk, providing open wireless access, it is a complex situation. Freifunk is a lot of single individuals trying to build open wireless networks in their own cities. It's completely decentralized, up to the (stupid) point of having different firmwares for routers in every city. People become active in Freifunk often for very short time spans, and "old wisdom" is not conserved. I can not know if the situation has changed since everything is so decentralized, but at least until some time ago most of the Freifunk firmwares suggested to share your own Internet access with other Freifunk users (and users of your open AP). For one, most access providers don't allow you to share your network in the first place, so that is a TOS violation. Second, and now we're "near Tor waters again", the process of finding the "culprit" is to ask the upstream provider for customer data, and then send the bill to that customer. So far, there has not been a single LEGAL CASE made against Freifunk or anyone else deliberately operating an open wireless network. People are scared, and are UNSURE if "Störerhaftung" applies to them, that's why they want "laws changed". In my opinion, there is no need for any change in law at all. I have yet to watch the 29c3 talk about it [1], but from what I heard talking to some Freifunk people that lawyer was also mistaken on some things. [1] https://events.ccc.de/congress/2012/Fahrplan/events/5164.en.html , in German -- Moritz Bartl https://www.torservers.net/
On 06.01.2013 20:20, tor-admin wrote:
Access Providers are bound to the Telekommunikationsgesetz: http://www.gesetze-im-internet.de/tkg_2004/ Reading the law it is still unclear to me if a Tor node operator is a "Diensteanbieter" (service provider) as defined by the Telekommunikationsgesetz.
Law is always a bit "unclear" and every judge might see it differently. Still, most lawyers seem to it similar to what I read: TKG §3 provides with the definitions. (6) "service provider" (within the scope of the TKG) is someone who provides telecommunication services. (24) "telecommunication services" (within the scope of the TKG) is a service 'usually provided for a fee' (? IMHO useless part) that *in whole or predominantly* consists of forwarding signals over telecommunication networks. One could become philosophical here and say that that applies to any online service whatsoever, as in the end everything is just signal noise on telecommunication networks. The key interpretation is that a 'telecommunication service' is a service that directly CONSISTS OF forwarding signals over (owned, physical) networks. Otherwise, the whole division between TMG and TKG would not exist. If you look at the rest of the TKG, that becomes (in my opinion) very clear as those deal with frequencies, physical operations of networks, phone numbers etc. In that, it well applies to Freifunk, but does NOT apply to other services, including Tor. For all those, the German law has TMG (including the pesky "Impressumspflicht").
If yes the law is pretty clear in § 6 that such a service has to be registered at the Bundesnetzagentur if it is done commercially.
The second part of your sentence here is fundamentally wrong. In general, when German law uses the term "geschäftsmässig", most people wrongly think it translates into "commercially". It does not and instead as a rule of thumb translates to "anyone", even if you are not making a single cent out of what you provide. Applied to TKG, the above §3(24) speaks of services 'usually provided for a fee', but of course also applies to those few providing these kind of services for free. In my opinion, stating the obvious ("in capitalism, most stuff costs money") does not help much. -- Moritz Bartl https://www.torservers.net/
Moritz Bartl <moritz@torservers.net> wrote:
On 06.01.2013 20:20, tor-admin wrote:
If yes the law is pretty clear in § 6 that such a service has to be registered at the Bundesnetzagentur if it is done commercially.
The second part of your sentence here is fundamentally wrong.
In general, when German law uses the term "geschäftsmässig", most people wrongly think it translates into "commercially". It does not and instead as a rule of thumb translates to "anyone", even if you are not making a single cent out of what you provide.
I've been told a few years ago by a lawyer teaching "Internetrecht" that this rule of thumb isn't commonly used anymore and was questionable in the past anyway. Of course that's just an opinion, but it's also my impression that nowadays there's a lot less fear mongering about the "Impressumspflicht" for private websites which was "popular" around 2000 and was largely based on that interpretation. Fabian
participants (5)
-
Eugen Leitl -
Fabian Keil -
Markus Drenger -
Moritz Bartl -
tor-admin