
Germany’s Federal Network Agency wants to regulate XMPP clients - orless
https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=https%3A%2F%2Fwww.golem.de%2Fnews%2Fmeldepflicht-bundesnetzagentur-will-hundert-jabber-clients-regulieren-1703-126929.html&edit-text=
======
erlehmann_
For context, Bundesnetzagentur (literally “federal network agency”) is a
German agency that regulates five kinds of networks – electricity, gas,
telecommunications, post, railways. The telecommunications part of their work
is supervised by the Bundesministerium für Verkehr und digitale Infrastruktur
(literally “federal ministry for transport and digital infrastructure” i.e.
highways and data highways).

One of its tasks is to ensure non-discriminatory access to infrastructure
markets for all market participants: Former state monopolies have to share
their infrastructure at a reasonable price to competitors, for example.
Another task is consumer protection: In february 2017 they decided that an
internet-enabled child's doll containing a microphone accessible remotely
without any indication to the people using that doll should be “verboten”
since they classified it as a hidden wiretapping device.

The federal network agency claims that XMPP clients have to be registered
according to a German law that says that one has to be registered with (but
does not need permission from) the agency if providing public communication
services commercially.

[https://en.wikipedia.org/wiki/Federal_Network_Agency](https://en.wikipedia.org/wiki/Federal_Network_Agency)

Edit: As other hackernews have pointed out, only the telecommunications stuff
is supervised by the BMVI.

~~~
catdog
> It belongs to the Bundesministerium für Verkehr und digitale Infrastruktur
> (literally “federal ministry for transport and digital infrastructure” i.e.
> highways and data highways).

That's blatantly wrong. It's the Federal Ministry of Economics and Technology
(Bundesministerium für Wirtschaft und Energie). You even mentioned the
Wikipedia article which states it right.

~~~
germanier
The departments of the agency working on telecommunication law are exclusively
supervised by the Bundesministerium für Verkehr und digitale Infrastruktur.
Only the other areas plus all administrative supervision is done by the
Bundesministeriums für Wirtschaft und Energie.

("Belongs to" is probably too strong either way. They are not part of a
ministry.)

~~~
catdog
Ah you are right they introduced that change late 2013.

//edit: But how it is stated in the parent post is still wrong ;)

~~~
erlehmann_
I edited my post to clarify that.

------
orless
Original (in German): [https://www.golem.de/news/meldepflicht-
bundesnetzagentur-wil...](https://www.golem.de/news/meldepflicht-
bundesnetzagentur-will-hundert-jabber-clients-regulieren-1703-126929.html)

TL;DR German Federal Network Agency (BNetzA) contacted more than 100
developers of XMPP clients, in or outside Germany. BNetzA considers XMPP-
clients to be "telecommunication services" and requested developers to
register with German authorities, as required by the German "telecommunication
law".

Here's a relavant tweet by Xabber developer from Chelyabinsk, Russia:

[https://twitter.com/Xabber_XMPP/status/844865634672435200](https://twitter.com/Xabber_XMPP/status/844865634672435200)

Update: Corrected BND -> BNetzA, was a wrong translation.

~~~
eternalban
> BNetzA considers XMPP-clients to be "telecommunication services"

But that is exactly what network clients provide: telecommunication services.
IFF the relationship between the states and the governed was healthy you
wouldn't bat an eyelash at the suggestion.

Problem is elsewhere.

~~~
balfirevic
> IFF the relationship between the states and the governed was healthy you
> wouldn't bat an eyelash at the suggestion.

Please clarify what suggestion you mean: that XMPP clients are
telecommunication services or that their developers need to register?

~~~
eternalban
The client is a component of a communication service. Such components used to
be (mainly devices and) developed solely by corporations already integrated
into the 'system'.

You don't trust the system, and you have good reasons for that, and the
'system' doesn't trust actors it does not control.

It is that simple.

~~~
balfirevic
I just asked for a clarification of what suggestion you exactly meant in your
original comment and I still have no idea after this response.

------
photon-torpedo
The interesting bit is that they explicitly point out part 7 of the TKG
(telecommunications act) which details the telecommunication provider's duties
in assisting law enforcement agencies, such as providing interfaces for
targeted surveillance.

Relevant part of the law:

[https://translate.googleusercontent.com/translate_c?depth=1&...](https://translate.googleusercontent.com/translate_c?depth=1&hl=de&ie=UTF8&nv=1&prev=_t&rurl=translate.google.com&sl=de&sp=nmt4&tl=en&u=https://www.gesetze-
im-
internet.de/tkg_2004/BJNR119000004.html&usg=ALkJrhizUtlFGCANtatJPtuf8nRlx4hPlg#BJNR119000004BJNG001800000)

See especially paragraph 110 and following.

So I wonder if they want developers of XMPP software to implement surveillance
features?

------
morsch
Here's the page the Xabber guys were referred to:
[https://www.bundesnetzagentur.de/EN/Areas/Telecommunications...](https://www.bundesnetzagentur.de/EN/Areas/Telecommunications/Companies/Notification/NotificationRequirement-
node.html)

It's in English, but the registration form is in German:
[https://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Sac...](https://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Sachgebiete/Telekommunikation/Unternehmen_Institutionen/Anbieterpflichten/Meldepflicht/Meldeformular_pdf.pdf;jsessionid=F0427467E2779E03415AF0AB9CD01C6D?__blob=publicationFile&v=13)

Here's a cursory overview (IANAL!): They want the name of your company, and
for companies outside Germany, the name of a representative in Germany; and a
way to contact you. Page 2 concerns access providers, e.g. ISPs. Page 3
concerns service providers, with provisions for all manner of services from
VoIP, Email, messaging, VPNs and more general network solutions, and a field
for "other" ("include brochure where applicable"). They close with some
explanations, and a threat of fines up to 10000 EUR in case of non-
cooperation.

Fun stuff.

The list of companies that have complied is public:
[https://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Sac...](https://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/Sachgebiete/Telekommunikation/Unternehmen_Institutionen/Anbieterpflichten/Meldepflicht/TKDiensteanbieterPDF.pdf;jsessionid=F0427467E2779E03415AF0AB9CD01C6D?__blob=publicationFile&v=62)

It's 149 pages at around 20 entries per page (there's also an Excel version
available). Facebook is not listed. Google is, hilariously with the note that
there is an ongoing legal dispute on whether they are required to register.

------
xg15
I find this bit of their reasoning particularly curious:

> _The authority argues that the software would also take over functions of a
> server in so-called Over The Top services (OTT services) and thus not to be
> assessed as pure software._

If I'm not misunderstanding that, the agency asserts that a software requires
regulation because it _opens a port for listening_.

On the risk of being alarmist, my suspicion for some time is that the next
step in centralising the internet will involve stronger legal hurdles for
usage of the internet that does not conform to the standard "dumb client+cloud
backend" pattern. I fear this is the beginning of exactly that.

------
tehabe
The translation is wrong, it is the Federal Network Agency. Comparable with
the FCC in the US but it also regulates other network based markets. But they
have nothing to do with the BND.

See [https://www.bundesnetzagentur.de/](https://www.bundesnetzagentur.de/)

~~~
orless
You're right, sorry, it's not BND, it's BNetzA. I'll correct the posts.

------
thriftwy
Isn't it a bit too late?

XMPP was big-ish ten years ago, maybe. Today even Google discontinues its
client.

~~~
FungalRaincloud
I don't think XMPP is going away any time soon, but it certainly is not the
most used thing out there.

However, I think that's part of why they've made this request. I think the
problem is that it is late enough in the lifecycle of XMPP that no one large
group (politically speaking - let's talk minimum of 100,000 people with
similar political interests) really cares about it. That makes this not at all
controversial, so it allows them to set a precedent.

I do not live in Germany, though, so I don't know if there's already
precedent, or if the German people really even care about this. Hell, I don't
even know if making XMPP service providers register is at all harmful or
restrictive. All I can comment on is how it looks to me, and it looks like a
power grab from over here.

~~~
orless
Registration per se is not harmful or restrictive - except that some
(figuratively speaking) poor developer in Russia now has to deal with a four-
page form in German which isn't even really suitable for software.

The problem is not the registration, the problem is that BNetzA considers
software to be "telecommunication services" and thus subject to regulation.
There are 152 paragraphs in the TKG ([https://www.gesetze-im-
internet.de/tkg_2004/index.html](https://www.gesetze-im-
internet.de/tkg_2004/index.html)), how much would it cost a software vendor to
comply with everything? Or how much would it cost even to find out what a
software vendor would have to comply with? There was a pretty good reason
Google went to court over the question whether GMail is a "telecommunication
service" or not ([https://www.noerr.com/de/newsroom/News/gmail-ist-ein-
telekom...](https://www.noerr.com/de/newsroom/News/gmail-ist-ein-
telekommunikationsdienst-im-sinne-des-tkg.aspx)). Google lost, by the way.

From the other hand, the list of "providers" includes a lot of organisations
like "Antennengemeinschaft Schreiersgrün e.V" \- roughly translated as
"Antenna community of the village Schreiersgrün (registered society)".

~~~
FungalRaincloud
It does seem pretty odd to consider software a telecommunication service, to
me, absolutely. All the software is doing is wrapping up a message for someone
else to send. It would sort of be like considering envelopes, paper and
writing (when taken together) to be a mail service.

Taken another way, if we think of XMPP as a telecommunication service, and
require providers to register, do we also consider HTTP to be a
telecommunication service, and also require registration of every public
access HTTP server? Both are protocols that, at their core, pass messages.
Who's going to ratify all of those forms? This feels like it would be
expensive to enforce, and if the law does not explicitly name XMPP (or
explicitly define the difference between a telecommunication service that it
covers and one that it does not in a way that excludes such widely used things
as HTTP), it should not be selectively applied to XMPP. It should either be
rewritten, or applied to technologies that existed or were expected when it
was drafted.

------
Sephr
Germany also wants you to pay for a broadcasting license (costs up to $10,000)
if you continuously livestream online, regardless of whether you are making
any money from livestreaming.

All of this reeks of ham-fisted overregulation.

~~~
schlenk
It is a kind of fallout from a long overdue reform of that law area. In theory
you even have to stop 'sending' your website between 6:00 and 22:00 if it
contains adult content, same law. The reform failed due to the totally insane
requirement of rating every single website for child protection. As it is a
law with state and federal parts, you have lots of duplications and weird
rules.

So the 'register all XMPP clients' is a side effect of german regulations that
still consider Internet to be mostly just a slight variant on Phone&TV&Radio.

In the past (1980s/1990s) you had (in theory) to register any BBS service as a
telecom provider, but they didn't even have a proper form to do the
registration.

------
ezoe
Regulating a specific application layer protocol is like regulating to speak
English in the phone call.

The result: We'll use yet another protocols and natural languages.

------
johnappleseed1
Lost in translation: Not the BND (German Federal Intelligence Service) wants
to regulate it, rather it is the Bundesnetzagentur (think FCC).

