France Goes Overboard In Data Retention: Wants User Passwords Retained

from the anti-privacy-laws dept

There have been plenty of stories about various governments, often at the behest of either law enforcement or the entertainment industry, pushing for data retention laws. It seems especially ironic in Europe, where privacy laws are a much bigger deal, that they would also push for data retention, which is the opposite of a privacy law. However, Andrew Swift points us to a new data retention law in France that goes way beyond your typical "keep the log files" data retention rule. Instead, it appears to require that ISPs and hosting companies retain all sorts of private information (Google translation from the original French). Swift summarizes for us the information that needs to be retained:
Information furnished when agreeing to a contract or opening an account, including first name, last name, business name, associated mailing addresses, and pseudonyms utilized, associated e-mail addresses and accounts, telephone numbers, and passwords as well as data permitting the verification or modification of the password.

These companies must also keep all user IDs and passwords for any internet connection, the IP address of the terminal used to connect, the time and date of every connection, and...

Here's the kicker: for EVERY action of a user on the internet, these companies are now required to record the nature of the operation, whether it is writing an e-mail or downloading an image or video.
Just the fact that these companies would even have access to passwords should be problematic. Why aren't these services encrypting the passwords? I'm really curious how a law like this could possibly work in conjunction with European privacy laws.

Not surprisingly, it appears that pretty much every online service provider is planning to challenge this decree in court (Google translation of the original French).
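The article asks why these services are not "encrypting" passwords. The defensive practice the question points at is stronger than encryption: a service should never hold a recoverable password at all, only a salted one-way hash, so that neither an operator, a database thief, nor a retention request can get the password back, and a forgotten password is reset rather than retrieved. The Python below is an added illustration, not code from the article or from any of the providers it mentions; it contrasts a plaintext user table with a salted PBKDF2 store and implements the reset-token flow. The class and function names, the work factor and the sample account are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256. The value is illustrative; a real
# deployment tunes it to its hardware and raises it over time.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted one-way record: scheme$iterations$salt_hex$digest_hex.

    The random salt means two users with the same password get different
    records, and precomputed tables are useless against a dump.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported password scheme: {scheme!r}")
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


class HashedUserStore:
    """A user table that never holds a recoverable password (constructed example).

    Password reset issues a one-time token; the store keeps only the SHA-256
    of that token, so a leaked copy of the table cannot complete a reset either.
    """

    def __init__(self, iterations: int = ITERATIONS) -> None:
        self._iterations = iterations
        self._records: dict[str, str] = {}
        self._reset_token_hashes: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password, self._iterations)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Spend the same work factor for unknown users so response time
            # does not reveal which usernames exist.
            verify_password(hash_password("", self._iterations), password)
            return False
        return verify_password(record, password)

    def begin_reset(self, username: str) -> str:
        """Return a one-time token to send out of band; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        self._reset_token_hashes[username] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        expected = self._reset_token_hashes.get(username)
        if expected is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, expected):
            return False
        del self._reset_token_hashes[username]  # single use
        self._records[username] = hash_password(new_password, self._iterations)
        return True

    def dump(self) -> dict[str, str]:
        """What a database thief or a retention request would obtain from the table."""
        return dict(self._records)


def dump_reveals_password(dump: dict[str, str], username: str, password: str) -> bool:
    """True if the dumped table directly contains the user's password."""
    return password in dump.get(username, "")


if __name__ == "__main__":
    # Constructed sample account; the passphrase is a placeholder, not real data.
    secret = "correct horse battery staple"
    plaintext_table = {"alice": secret}
    print("plaintext dump leaks password:", dump_reveals_password(plaintext_table, "alice", secret))

    store = HashedUserStore()
    store.register("alice", secret)
    print("hashed dump leaks password:", dump_reveals_password(store.dump(), "alice", secret))
    print("login ok:", store.login("alice", secret))
    print("login with wrong case:", store.login("alice", secret.capitalize()))
    token = store.begin_reset("alice")
    print("reset ok:", store.complete_reset("alice", token, "new passphrase"))
    print("new login ok:", store.login("alice", "new passphrase"))
```

The record format is self-describing (scheme and iteration count travel with the hash), which is what lets a service raise the work factor later and re-hash accounts on their next successful login without a flag day. A retention rule that demands the password itself cannot be met by a store built this way, which is exactly the tension the comments below argue over.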


Reader Comments

  1.  
    Chris Rhodes (profile), Mar 11th, 2011 @ 10:36am

    Yeah, Sure

    Here's the kicker: for EVERY action of a user on the internet, these companies are now required to record the nature of the operation, whether it is writing an e-mail or downloading an image or video.

    After people get wind of this, I hope they have fun sorting through logs that look like:

    3-11-2011@19:27 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
    3-11-2011@19:31 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
    3-11-2011@19:34 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
    3-11-2011@19:47 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
    3-11-2011@19:58 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
    3-11-2011@20:06 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
    3-11-2011@25:04 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)

     

  2.
    james, Mar 11th, 2011 @ 10:44am

    Return of the alias era; rise of the proxy industry.

     

  3.
    el_segfaulto (profile), Mar 11th, 2011 @ 10:47am

    Even if they get a list of passwords, what use will they be? Any developer with an IQ over that of an eggplant will be using AES-256 with a salt. Not saying it's right and not creepy, but insofar as the passwords go there isn't much damage that can be done.

     

  4.
    PrometheeFeu (profile), Mar 11th, 2011 @ 10:59am

    Re:

    Actually that won't help you. The whole point of the decree is that the service is required to keep your password for the purposes of giving it to the authorities. So keeping it in an encrypted format probably does not discharge your legal obligation. Also, I would use SHA256 myself. ;-)

     

  5.
    Gwiz (profile), Mar 11th, 2011 @ 11:02am

    Wow

    Wow...just...wow.

    What's next in France?

    Will their postal service be required to open each and every piece of mail and record everything in a log? How much you owe on your credit card, that fantasy-filled letter from your girlfriend or that package from Victoria's Secret would all be fair game.

    Also, in the US here we have very strict rules (HIPAA Privacy Rule) concerning the privacy of medical records and it could mean that the US medical establishment wouldn't be able to corroborate with their French counterparts on diagnoses.

     

  6.
    el_segfaulto (profile), Mar 11th, 2011 @ 11:12am

    Re: Re:

    Wow...if they are required to keep your password in an unencrypted form (and theoretically to update it as you update your password) then this just went to a really unsettling level. I think I heard an entire legion of blackhats menacingly wring their hands together. You are right about SHA vs AES, I'm not entirely sure why I typed AES...I'll just chalk it up to lack of coffee.

     

  7.
    Mr. Oizo, Mar 11th, 2011 @ 11:12am

    Re: Yeah, Sure

    This is something I always wondered about. If I run a Tor node and somebody starts hacking a remote machine through my connection, who do you think will be blamed?

     

  8.
    :Lobo Santo (profile), Mar 11th, 2011 @ 11:19am

    Re: Re: Re:

    What, https isn't enough?

    ;-P

     

  9.
    BBT, Mar 11th, 2011 @ 11:34am

    Oh good! a law requiring French sites to store passwords in plain text, one of the worst and most dangerous security practices imaginable! Now anyone who hacks into a french site's database will have access to all the site's visitors' passwords. This is an epic failure.

    French site administrators will now have the fun choice of obeying the law or putting their customers' data in danger of being compromised. Brilliant!

     

  10.
    Brad Hubbard (profile), Mar 11th, 2011 @ 11:37am

    Re: Re: Re:

    Recall - this is the country that sued Google because a bunch of BANKING PASSWORDS were being sent, unencrypted, over open WIFI connections.

    Clearly their laws and practices don't make for good security policy. Maybe it's a culture thing?

    And why would you ever need a user's password? Any decent program has a "become" feature for admins, so you can log in as that user. All the ones I write have it, anyhow.

     

  11.
    John Doe, Mar 11th, 2011 @ 11:38am

    I absolutely agree with you on encrypting passwords...

    No website should have access to your password. I wrote a public facing website and the password was one-way encrypted. If you forgot your password, you were issued a new one as the old one could not be decrypted. Every website should be operating the same way. If there is a database of passwords out there, then someone in the company has access to it and can use it for illegal reasons. Most people use the same password for many sites, so all they have to do is attempt to log into every bank and online stock trading company until they find yours.

     

  12.
    Anonymous Coward, Mar 11th, 2011 @ 12:04pm

    One of the reasons I don't participate and comment at many sites is the requirement to join some sort of blog company in order to comment, or that you need to sign up to do so. Call it childishness or paranoia or whatever. The fact that I cannot do as I do here and comment without registration ensures I will not comment but rather will read the article and go on.

    I am sure more than anything it's being driven by the need to put some sort of control on spamming and trolling, neither of which I am interested in. However, because of this sort of restriction, places like Ars Technica and TorrentFreak no longer receive any sort of comment from me. (Maybe that's a good thing.)

    I do at times comment here, strictly because I can do so anonymously without the requirement to be counted, datamined, and tied to some sort of identification. Yes, I know that my IP is recorded because I haven't used VPN or TOR and have not to this point chosen to do so.

    It is rapidly reaching the point that I am considering the last two as self protection. It's not that I'm guilty of anything, it's that I don't want to be followed where ever I go, linked to everything under the sun on the internet in a casual browse.

    The one thing I am very sure of is that if you have a huge database being kept track of, somewhere a hacker will figure a way in. Governments are honey pots for them as that's where large databases are. Info is key to money in one form or another. So making sure a large database to keep track of things like passwords will surely open their citizens to hacker access, simply because it is there.

     

  13.
    Anonymous Coward, Mar 11th, 2011 @ 12:05pm

    France is the new China :)

     

  14.
    Capitalist Lion Tamer (profile), Mar 11th, 2011 @ 12:12pm

    Re: Wow

    Will their postal service be required to open each and every piece of mail and record everything in a log?

    Taylor Negron is reprising his role from "Better Off Dead" for the French postal service instructional films.

     

  15.
    Nick Taylor, Mar 11th, 2011 @ 12:18pm

    I already put everything through a vpn - but as far as comments go, I'm a head-above-the-parapets kind of guy. I use my real name, and my real email-address (though I never register on a site to comment).

    And I'll say it out loud (with head above parapets): Any government that tries to inflict control over the internet does so without the consent of those that it would control - so is illegitimate, and must be got rid of.

     

  16.
    Hugues Lamy (profile), Mar 11th, 2011 @ 12:23pm

    Use OpenId

    What about services like OpenID, Facebook Connect and other services by Yahoo and Microsoft? What about service aggregators like JanRain? The passwords are located on their servers. They use a callback method to give you access to the sites. This will put everybody using this technique in the position of being guilty of not keeping the password. But you can't have it.

    Anybody knows that the person who wrote the application doesn't need the password to look into its database. I can only see that since regular people use the same password everywhere, with one password you can get into other services to dig more dirt. I'm pretty sure that if you dig hard enough into somebody else's past, you can find him guilty of something.

     

  17.
    ComputerAddict (profile), Mar 11th, 2011 @ 12:38pm

    Re:

    Before you jump on me, I'm not for this law...But

    This law is for ISPs, not for websites... your Gmail password will still be encrypted; it is just the password you use to CONNECT to the internet, not what you do once you're online.

    That being said, this is obviously so they can connect as you, visit a bunch of nasty sites, and then sue you saying "You visited StealCopyrightedMusic.com and downloaded the internet, pay us or go to jail."

    Also it doesn't say (yet) that it has to be plain text; that's an assumption. If anything I hope this encourages ISPs to encrypt more data (with reversible encryption) like your address, billing info, and browsing history.

    Again I think the idea is horrible, but let's not confuse ISPs and websites, or assume they have to be completely unencrypted.

     

  18.
    Chris Rhodes (profile), Mar 11th, 2011 @ 1:11pm

    Re:

    Yes, I know that my IP is recorded because I haven't used VPN or TOR and have not to this point chosen to do so. [...]
    It is rapidly reaching the point that I am considering the last two as self protection


    Indeed. I have an older machine sitting about, and my current plan is to craft it into a "secure" desktop running a hardened version of Linux, with full disk encryption, TOR, and a bevy of other offerings both large and small to make tracking a virtual impossibility.

    Should be a fun project.

     

  19.
    Gwiz (profile), Mar 11th, 2011 @ 1:35pm

    Re: Re:

    Should be a fun project.

    I have been thinking about doing this too.

    MAC Address Spoofing is important too (and easy in Linux - MacChanger)

     

  20.
    Vive la France, Mar 11th, 2011 @ 2:00pm

    Do you have to register to buy and read a book or buy a magazine in France? Because that is the equivalent of visiting web pages. There would be outrage under the label of cultural exception if you had to. Politicians yet again have double standards.

     

  21.
    Anonymous Coward, Mar 11th, 2011 @ 2:04pm

    Re: Yeah, Sure

    TOR is NOT anonymous. Google it.

     

  22.
    Richard (profile), Mar 11th, 2011 @ 3:02pm

    Re: Re: Re: Re:

    And why would you ever need a user's password? Any decent program has a "become" feature for admins, so you can log in as that user. All the ones I write have it, anyhow.

    Remind me never to use any service that you have set up!

    Proper services are setup so that the service provider can't see user data.

     

  23.
    Major, Mar 11th, 2011 @ 3:26pm

    Re: Re: Yeah, Sure

    True but had something like privoxy on top of it and it is pretty much :)

     

  24.
    iveseenitallbutmaysomedaywish2forget, Mar 12th, 2011 @ 12:07am

    Retaining all information will help?
    A. The people.
    B. Ongoing struggle of good versus evil.
    C. Because lives are at stake here!
    or
    D. Thwart al-Qaeda.

     

  25.
    Anonymous Coward, Mar 12th, 2011 @ 5:51am

    Re: Re: Yeah, Sure

    TOR is anonymous, Google it.

     

  26.
    john galt, Mar 13th, 2011 @ 12:33am

    suggested password

    I would humbly suggest that all passwords to .fr domains contain the word "mortevache" if this goes through.

     

  27.
    zzlg, Mar 20th, 2011 @ 6:48am

    Re: Re:

    This law IS for websites and ISPs. The law concerns "online communications services to the public", anything that includes the creation of content (websites, blogs, comments, participation in forums, etc.) publicly available.

    Private correspondence (i.e. email services) is excluded from the scope of this law.

     
