
German govt proposes law to force WhatsApp Gmail etc to hand over user passwords - chupa-chups
https://www.heise.de/newsticker/meldung/Justizministerium-WhatsApp-Gmail-Co-sollen-Passwoerter-herausgeben-muessen-4615602.html
======
dang
I changed the URL from
[https://translate.google.de/translate?sl=de&tl=en&u=https%3A...](https://translate.google.de/translate?sl=de&tl=en&u=https%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FJustizministerium-WhatsApp-Gmail-Co-sollen-Passwoerter-herausgeben-muessen-4615602.html)
to the original source, as the site guidelines request.

I know this is a tradeoff that leaves something on the table, but HN is an
English-language site, so articles here need to be in English. We don't allow
machine translations as a workaround. I could imagine exceptions for topics of
particular intellectual curiosity—something that is so obscure that it only
exists in one form and hasn't been translated. But articles on current affairs
are the opposite—in those domains, if a story is important enough to be
covered here, it will certainly appear in the English-language media.

Put conversely: in popular domains like current affairs, if there's no
English-language article worth submitting on a topic, most likely that's
because the topic isn't significant enough yet. When it comes to politicians
proposing bills, that's certainly the case. Most bills go nowhere
([https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=by%3Adang%20bills&sort=byDate&type=comment)),
and if anything comes of this one, it will surely receive much closer
attention.

~~~
chupa-chups
You're right.

~~~
dang
> _Yeah. You're totally right, anything outside of US doesn't matter :)_

I was just in the process of replying to your comment and question when you
replaced it with that snarky one-liner.

HN is a highly international community. Plenty of international stories appear
here. Nor does HN being an English-language site imply any disrespect for
other languages, including the wonderful German language. Quite the contrary.

In this case the language issue is secondary anyhow, since "politician is
working on drafting a bill" is an even less substantive story than "politician
introduces bill", which is one of the classics of off-topicness for HN
([https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=by%3Adang%20bills&sort=byDate&type=comment)).
We would have demoted the story regardless of the language it was written in.

In cases like this, we've learned that there's no harm in waiting for a story
to actually become real before having a thread about it.
[https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=by%3Adang%20%22harm%20in%20waiting%22&sort=byDate&type=comment)

~~~
LargoLasskhyfv
In spite of the draft status this already makes some waves in the German
mainstream press, not only some computer magazine.

[1] [https://www.faz.net/aktuell/wirtschaft/digitec/hassrede-bund...](https://www.faz.net/aktuell/wirtschaft/digitec/hassrede-bundesregierung-will-an-e-mail-passwoerter-16535665.html)

Though the last paragraph cites a politician saying something along the lines
of this can't stand as it is and needs further discussion and changes,
otherwise it would be contested in Germany's highest court and canceled there.

edit: 2nd link [2] [https://www.stern.de/politik/deutschland/hetze-und-drohungen...](https://www.stern.de/politik/deutschland/hetze-und-drohungen-haertere-strafen--gesetzentwurf-gegen-hass-im-netz-9047530.html)

edit: 3rd link [3] [https://www.spiegel.de/netzwelt/web/facebook-twitter-co-mill...](https://www.spiegel.de/netzwelt/web/facebook-twitter-co-millionen-bussgeld-wenn-drohungen-ignoriert-werden-a-1301168.html)

------
ajb
One problem with this kind of debate today is that fewer lawmakers than in the
past have direct knowledge of communication systems and how to keep them
secure.

For example, in the 80's there was concern about 'bugging' in the UK. But at
the time, there was actually informed debate in parliament about the technical
details. This could happen because since there was so much labour involved in
maintaining the old systems, large numbers of people actually knew how they
worked. There were MPs who had formerly been telecom linemen, and followed the
trade -> union official -> Labour party -> MP route into parliament.

Nowadays I can't think of an MP who would actually have the background to know
that this is a bad idea, themselves.

~~~
pjc50
I'd have thought that Germany would have enough representatives from the DDR
to know why this is a bad idea. Which is why they're usually one of the most
anti-surveillance countries in Europe and leaders of GDPR campaigning.

~~~
wongarsu
Even though we are fairly anti-surveillance as a whole, a lot of fairly
radical surveillance laws get proposed all the time. Most die early, some die
after push-back from the population, some get voted in and are thrown out by
the constitutional court, and a few survive. It's a never ending fight.

------
AnssiH
The current title ("Germany requests WhatsApp, Gmail etc. to hand over
passwords in plaintext to DOJ") makes it sound like this law already passed,
which is not the case according to the article.

~~~
chupa-chups
Yes, but

- the title length is limited

- from my PoV, this needs some attention

What would you propose as a title?

~~~
emerongi
"German ministry of justice proposes law to force WhatsApp, Gmail etc to hand
over sensitive user data"

~~~
chupa-chups
"22 too long"

I really tried to summarize with the available title length. And to be honest,
laws like this tend to be passed in Germany.

Sorry if you disagree. Please provide a better title. Honestly, I couldn't
come up with one.

~~~
markdown
German govt proposes law to force WhatsApp Gmail etc to hand over user
passwords

~~~
chupa-chups
Thanks. Changed it!

------
adammunich
Any sensible company would store passwords as hashes... I sure hope google
would.

~~~
Nextgrid
They can always alter the login code to secretly log the passwords in plain
text the next time the designated users log in.

~~~
haecceity
GDPR violation?

~~~
anticensor
No, required by another law.

------
ma2rten
The HN title is inaccurate. The article itself actually says:

 _The draft does not provide for an explicit obligation to provide identifiers
in plain text. When providing information, however, "all company-internal data
sources must be taken into account"._

------
Roritharr
This is not the combined force of the German Nation State, this is a part of a
proposal by our Federal Justice Minister, framed to counter "hatecrime".

Still far from Merkel calling Zuck and Sundar to hand over the passwords.

------
lima
This is the draft in question:
[https://drive.google.com/file/d/1gV4FIr6cNu2s1W37vd7NJZC4HNc...](https://drive.google.com/file/d/1gV4FIr6cNu2s1W37vd7NJZC4HNceruKL/view)

Translated to English: [https://www.scribd.com/document/439773952/BMJV-GE-Bekampfung...](https://www.scribd.com/document/439773952/BMJV-GE-Bekampfung-Rechtsextremismus-Hasskriminalitat-EN)

One of the notable proposed changes is that providers are required to notify
federal law enforcement about content that they removed from their platform
and which the provider determined to likely violate German laws, including the
content and the user's IP address and [source] port number. The intention is
to prosecute these cases. There is a provision that requires the user to be
notified about this, except if law enforcement specifically requests not to
notify the user.

The changes to §15a are very broad and allow a variety of government
institutions to request not just customer contract data ("Bestandsdaten",
which would be regulated by §14), but also "Nutzungsdaten", i.e. user IDs, IP
addresses, logs or similar usage data, even for misdemeanor-level offences.
It's a bit of a hyperbole, but to my understanding, this would, in theory,
include parking violations and littering, which feels wrong.

Requesting such data was, to my understanding, regulated only superficially by
the TMG in §15 (5) with unclear scope. Previous court cases established that
this would include IP address data (LG Frankfurt/Main, 2-03 O 174/18). The new
paragraph expands on this by explicitly allowing requests to be made using
just an IP address (rather than a user identifier), by clarifying the scope to
include all usage data, and requiring security measures to be taken to ensure
that the data is transmitted securely.

The draft document only mentions passwords in the comments (page 29),
not the actual proposed changes to the law, which only mentions "data which
can be used to access storage media on a device".

This is an oddly specific provision that likely targets full disk encryption
schemes that have a server-side key backup (i.e. Windows Bitlocker). This was
copy-pasted from the existing §113 TKG, which regulates ISPs, and calling
these "passwords" is a very unfortunate choice of words by the authors of this
draft document.

Disclaimer: Not a lawyer, but I dealt with law enforcement requests in Germany
in a past job.

------
ngcc_hk
Given the Hong Kong police state situation, once again who watches the watchman.

------
paulie_a
Hand it over. It's hashed anyways

