According to this press release, the JAP anonymizing proxy (think of it as anonymizer.com plus Chaumian mixes) is anonymizing again: The District Court in Frankfurt/Main decided yesterday that the enforcement of the judicial instruction by the Lower District Court in Frankfurt to the partners of the AN.ON project ... is to be suspended.
To help with an ongoing investigation, allegedly involving child porn, Germany's federal police agency had asked the lower court in Frankfurt for an order that would lift the anonymity of those accessing a specific web site. The court ordered the anonymization service to comply with law enforcement's demands.
A mechanism for tracking accesses to certain target IP addresses was implemented; technically, the last mix in a chain would detect the "criminal" target, and would then collaborate with earlier mixes to lift anonymity for this specific access. (Details here.) This scheme was implemented in late June, and was not announced for legal reasons. Since JAP is Open Source Software, the change was ultimately discovered, and then publicized widely. (See alt.2600 [via Max Dornseif's disLEXia], Heise [in German], The Register [some facts incorrect] for early publications.)
In addition to the deanonymization scheme being implemented, the original court's decision was appealed: the decision had been based on rules in the code of criminal procedure that deal with turning over data that have already been collected legally, in the past. Wiretaps (i.e., data recording orders) are dealt with elsewhere, and can only be used when prosecuting a specific list of crimes. Child porn is not on this list. (Details in this press release.)
The present decision suspends enforcement of the original court order. The appeal is still pending.
Even if the final decision is favorable for the anonymization service (which might seem likely), quite a few interesting questions will remain open: What, for instance, if the investigations had dealt with one of the crimes on the wiretap list? What if the anonymization software had been proprietary, without a possibility for those running the service to change the code?
Finally, what impact will the presence of the anonymizer's "crime detection" feature have on courts' decisions the next time that law enforcement asks for surveillance?