Motion Molina (18.3507): Implementation of the BÜPF in accordance with the voting dispositions
Content
Submitted text
The Federal Council is instructed to amend the Ordinance on the Surveillance of Postal and Telecommunications Traffic (VÜPF) to the effect that those obliged to cooperate pursuant to Article 2 letters b.-f. BÜPF may store only the control data (header) of Internet communications.
Justification
During the revision of the BÜPF, the Federal Council repeatedly assured the public that, in the storage of Internet communications, exclusively the marginal data (header) are affected and stored by the parties obliged to cooperate. According to the current implementation of the BÜPF in the corresponding Regulation by the Federal Council, however, the entire data packets, i.e. also the “surfing data”, can be systematically stored by the providers. This is an additional encroachment on the fundamental rights of blameless citizens, which was not intended by the legislature and should be corrected accordingly.
Statement of the Federal Council of 29.8.18
Neither the Federal Act of 18 March 2016 on the Surveillance of Postal and Telecommunications Traffic (BÜPF; SR 780.1) nor its implementing ordinances require those obliged to cooperate to retain the content (user data) of internet communications. In particular, neither the entire IP data packets including user data nor all so-called IP header data need to be retained. There is thus no legal basis for finding out retroactively which websites a particular person has visited, and certainly not what was communicated. This is possible only in real time and by means of monitoring ordered by the prosecutor’s office and approved by the court, and only from the moment of activation.
The only requirement is that certain providers must be able to unambiguously identify the authorship or origin of a specific Internet connection retrospectively. And this is only possible if the authorized authority provides the necessary information, in particular the time of the searched connection. Ultimately, nothing else is required than in the case of a telephone directory query. One wants to be able to identify the customer who established a specific Internet connection at a specific time. However, the search is not for a phone number, but for an origin IP address.
Many providers use non-unique methods, e.g., “carrier-grade network address translation” (CGNAT), to allocate IP addresses to their customers. This means that many customers use the same public origin IP address at the same time. In such cases, a query based on an originating IP address and a specific time will result in many hits. The assignment of Internet connections to individual customers can only be made by the provider operating the CGNAT system. This provider must therefore provide further information than only the public origin IP address assigned to the customer and the time of assignment. The retention of the destination IP addresses, on the basis of which the domain name of a visited website can be found out, may therefore be necessary if the provider requires them for the unique identification of the authorship or origin of a particular Internet connection.
According to Art. 22 BÜPF, providers are obliged to supply the ÜPF service with all information that enables the identification of the perpetrator. However, providers are free to decide how to ensure this identification technically. Based on Art. 22 para. 2 BÜPF, the Federal Council has defined the marginal data for the purpose of identification in Art. 21 of the Ordinance of 15 November 2017 on the Interception of Postal and Telecommunications Traffic (VÜPF; SR 780.11). Marginal data do not contain any information on the content of telecommunications traffic, but only provide information on who is or was in contact with whom, when and how. The marginal data on the allocation and translation of IP addresses and port numbers must be retained for six months for identification purposes and then destroyed in order to minimize the interference with fundamental rights.
It should also be noted that the obligation to retain marginal data for identification purposes does not apply to all providers, but only to providers of telecommunications services who have not been exempted from certain monitoring obligations (Art. 26 para. 6 BÜPF, Art. 51 VÜPF), as well as providers of derived communications services with more extensive monitoring obligations (Art. 27 para. 3 BÜPF, Art. 52 VÜPF). Thus, only a few large providers are affected.
Finally, the explanatory report on the VÜPF expressly points out that, from the point of view of data protection law, procedures are to be implemented in which the storage of connection destinations (destination IP addresses) is not required and is therefore to be omitted. On the other hand, the Federal Council does not want to interfere with the economic freedom of the providers and therefore does not prescribe the procedure, but only the purpose, namely the identification of the perpetrators of criminal acts via the Internet and the identification of persons in the case of threats to internal or external security.
The Federal Council proposes that the motion be rejected.
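The CGNAT identification problem described in the statement, as an added example that is not part of the original page: a lookup by public IP and time returns many subscribers, while a provider that logs port-block allocations can resolve a single subscriber from IP, source port and time without storing any destination IP addresses. Port-block logging is an assumed design choice, and the record layout, names, sample log and the 183-day approximation of six months are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

class Allocation(NamedTuple):
    public_ip: str
    port_lo: int
    port_hi: int
    subscriber: str
    start: datetime
    end: datetime

RETENTION = timedelta(days=183)  # assumption: "six months" approximated as 183 days

T0 = datetime(2018, 8, 29, 10, 0)
H = timedelta(hours=1)
# Constructed sample log: several subscribers share one public IP (TEST-NET-3).
LOG = [
    Allocation("203.0.113.7", 1024, 5119, "sub-A", T0, T0 + 2 * H),
    Allocation("203.0.113.7", 5120, 9215, "sub-B", T0, T0 + 2 * H),
    Allocation("203.0.113.7", 9216, 13311, "sub-C", T0 + H, T0 + 3 * H),
    Allocation("203.0.113.7", 1024, 5119, "sub-D", T0 + 2 * H, T0 + 4 * H),
]

def hits_by_ip_and_time(log, ip, when):
    """Query with only public IP and time: every active subscriber behind the NAT matches."""
    return sorted({a.subscriber for a in log
                   if a.public_ip == ip and a.start <= when < a.end})

def identify(log, ip, port, when) -> Optional[str]:
    """Query with public IP, source port and time; None unless exactly one match."""
    hits = {a.subscriber for a in log
            if a.public_ip == ip and a.port_lo <= port <= a.port_hi
            and a.start <= when < a.end}
    return hits.pop() if len(hits) == 1 else None

def purge_expired(log, now):
    """Drop records whose allocation ended more than RETENTION ago."""
    return [a for a in log if now - a.end <= RETENTION]

if __name__ == "__main__":
    t = T0 + timedelta(minutes=90)
    print("IP + time only:", hits_by_ip_and_time(LOG, "203.0.113.7", t))
    print("IP + port + time:", identify(LOG, "203.0.113.7", 6000, t))
```
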