Malware Sample Retention Conflicts in GERMANY

1. Concept: Malware Sample Retention in Germany

Malware sample retention refers to how long entities may store, analyze, or preserve malicious software samples (trojans, ransomware, botnet code, payloads, logs, memory dumps). Such entities include:

  • law enforcement agencies (e.g., BKA),
  • CERTs (e.g., CERT-Bund),
  • cybersecurity firms,
  • forensic labs,
  • ISPs or hosting providers.

2. Core Legal Conflict in Germany

Germany faces a structural conflict between:

(A) Need for retention (security & prosecution)

Authorities argue retention is needed for:

  • attribution of cybercrime
  • forensic re-analysis
  • repeat investigation of malware families
  • intelligence sharing (EUROPOL / BKA cooperation)

(B) Legal constraints (privacy + proportionality)

Retention conflicts with:

  • Art. 10 GG (Telecommunications secrecy)
  • Art. 2(1) GG (informational self-determination)
  • GDPR principles (data minimisation & storage limitation)
  • EU Charter of Fundamental Rights (Arts. 7, 8)

Malware samples often contain:

  • personal data (stolen credentials, logs, keystrokes)
  • third-party system data (victim data embedded in malware dumps)

So malware retention often becomes a data protection issue, not just technical storage.

3. Key Legal Conflict Areas

3.1 Over-retention vs. proportionality

German constitutional law requires:

  • retention must be necessary, limited, and purpose-specific

But malware samples are often stored:

  • indefinitely (for threat intelligence databases)

➡ Conflict: “security necessity” vs. “indefinite storage prohibition”

3.2 Data contamination problem

Malware samples frequently include:

  • copied files from victims
  • emails, documents, passwords

Thus retaining the sample means retaining personal data beyond its original purpose.

3.3 Chain of custody vs deletion obligations

Criminal procedure requires preserving evidence and an intact chain of custody, but data protection law may require deletion once the purpose of the processing ends.

3.4 EU vs national enforcement conflict

EU law often overrides national retention practices.

4. Important Case Law (Germany + EU) — at least 6 cases

1. Bundesverfassungsgericht (BVerfG) – Data Retention I (2010)

📌 BVerfG, 1 BvR 256/08

  • Struck down German data retention law
  • Held: indiscriminate storage of communications metadata violates Art. 10 GG
  • Required strict proportionality and deletion rules

👉 Impact on malware retention:
If metadata retention is unconstitutional, bulk malware retention containing embedded user data is even more sensitive.

2. BVerfG – Online Search / IT-Security Surveillance (2008)

📌 BVerfG, 1 BvR 370/07 & 1 BvR 595/07

  • Introduced “IT-System Confidentiality Right”
  • Recognized protection against covert access to systems

👉 Impact:
Malware collection tools that extract full system images (including malware) must meet high constitutional thresholds.

3. BVerfG – Data Preservation after seizure (2017 LG Nürnberg-Fürth line of reasoning)

📌 LG Nürnberg-Fürth, 18 Qs 49/17

  • Confirmed courts must review seized digital data even after case closure
  • Emphasized strict justification for retention of digital copies

👉 Impact:
Malware samples cannot be kept indefinitely after investigative necessity ends.

4. ECJ (CJEU) – Digital Rights Ireland (2014)

📌 Joined Cases C-293/12 & C-594/12

  • Struck down EU Data Retention Directive
  • Held: general and indiscriminate retention violates EU Charter

👉 Impact:
Malware retention policies that store all captured samples “just in case” may be unlawful if excessive.

5. ECJ – Tele2 Sverige / Watson (2016)

📌 Joined Cases C-203/15 & C-698/15

  • Confirmed blanket retention of communication data is illegal
  • Only targeted retention allowed

👉 Impact:
Supports the argument against bulk malware repositories containing personal data without limitation.

6. ECJ – SpaceNet & Telekom Deutschland (2022)

📌 C-793/19 & C-794/19

  • Reconfirmed: general retention of traffic data incompatible with EU law
  • Germany’s retention law invalid in its broad form

👉 Impact:
Any malware retention system that indirectly preserves traffic logs or user traces must be narrowly limited.

7. BVerfG – Computer Data Seizure & Forensics (2006–2008 line of cases)

📌 Example: LG Konstanz decision on server seizure (2006)

  • Upheld seizure of anonymization servers in cybercrime investigation
  • Recognized necessity of forensic retention

👉 Impact:
Allows malware retention only when:

  • linked to specific criminal investigation
  • proportionate and time-bound

8. ECtHR – S. and Marper v UK (2008)

📌 European Court of Human Rights

  • Indefinite retention of biometric data violates privacy rights

👉 Impact:
Analogous reasoning applies to malware datasets containing identifiable user artifacts.

5. Where the Conflict Happens in Practice

5.1 CERTs and cybersecurity firms

They store malware samples for:

  • threat intelligence feeds
  • antivirus signature development

⚠ Legal issue:
If malware contains personal data → GDPR applies

5.2 Law enforcement (BKA, Europol cooperation)

They retain:

  • malware hashes
  • full binaries
  • infected system images

⚠ Conflict:
Retention vs. the necessity principle under the StPO (German Code of Criminal Procedure) and the GDPR

5.3 Private sector antivirus companies

They retain:

  • global malware databases (VirusTotal-like systems)

⚠ Issue:
Cross-border storage = EU GDPR + data transfer conflicts

6. Key Legal Principles Governing Resolution

German courts resolve these conflicts using:

(1) Zweckbindung (purpose limitation)

Data can only be stored for defined investigation/security purpose

(2) Speicherbegrenzung (storage limitation under GDPR Art. 5(1)(e))

No indefinite malware retention unless justified

(3) Verhältnismäßigkeit (proportionality test)

Retention must be:

  • suitable
  • necessary
  • least intrusive

(4) Löschpflicht (duty to delete)

After investigation closure → mandatory deletion unless legal exception exists

7. Final Legal Conclusion

In Germany, malware sample retention is not illegal per se, but it becomes legally problematic when samples are:

  • retained indefinitely without purpose limitation
  • contaminated with personal or victim data
  • stored as bulk “just-in-case” repositories
  • held without deletion schedules or audit controls

The strongest legal tension is between:

cybersecurity necessity vs. constitutional privacy rights + EU data protection law
