In my previous posts I described iSec Lab's de-anonymizer, which combines a browser's history with data from a social network (in this case Xing) to find out who is sitting behind a computer surfing the Internet. Just imagine how attractive it would be for many website owners to exactly know who is visiting their site. As it seems to be pretty simple to create such a de-anonymizer, there we might soon see broad use.
Therefore the question: is it allowed to run such a de-anonymizer? Well, I'm not a lawyer, but in the German Criminal Law (§ 202a StGB, Ausspähen von Daten), data theft is a crime only if the stolen data had been protected against unauthorized use and if the attacker did crack that protection. Browser history is not protected against unauthorized use. So it is not a crime over here.