UK Domain Seizures: Nominet Admits It's Helped Police Seize 3,000 Sites
Copyright Fight Ensues Over Rebecca Black's 'Friday'

Google, Facebook Go To Court In France: Claim Data Retention Rules Violate Privacy

Privacy

from the american-companies-protecting-european-privacy dept

Thu, Apr 7th 2011 05:57am -

We’ve noted that, one by one, various European countries are realizing that Europe’s “data retention” directive appears to be in direct conflict with EU privacy rules — and when you put the two up against each other, privacy should win out. Germany, Romania, Cyprus, Hungary, the Czech Republic, Sweden, Greece, Ireland and Austria have all either ignored the data retention rules, or had courts rule against them. As we discussed last month, over in France, however, new data retention rules were recently published, which requires service providers to keep all sorts of info about their users — including passwords in plain text:

According to the decree with immediate application (so in force since 1 March 2011), the data to be preserved include: the identifier of the connection at the origin of the communication, the identifier attributed by the information system to the content that makes the object of the operation, the types of protocols used for the connection and for the content transfer, the nature of the operation, the date and hour of the operation and the identifier used by the author of the operation, when provided. Moreover, the hosting companies must also preserve, for one year after the deletion of an account, even more sensitive data such as the date and time when an account is created and the identifier of the connection, his/her complete name, pseudonyms, associated post addresses, e-mail and associated addresses, telephone numbers and even password.

In case the service subscribed is a paid one, the hosting companies must also retain data related to the payment method, the amount paid and date and hour of the transaction. Furthermore, they must preserve, for one year after the contribution to the content creation, data including the connection identifier, the identifier attributed to the subscriber, the identifier of the terminal used for the connection, the date and hour of the beginning and end of the connection and the features of the subscriber’s line.

If that seems like quite a lot of information (passwords? really?!?), you’re correct and Google and Facebook find this requirement problematic. The two companies are taking the French government to court over this rule, saying that it violates other rules on privacy.

I find it somewhat ironic that Google and Facebook — two American companies, quite frequently bashed in Europe for not respecting privacy, are standing up to a European government for privacy rights of their users…

Filed Under: , , ,
Companies: facebook, google

26 CommentsLeave a Comment
If you liked this post, you may also be interested in...
Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Google, Facebook Go To Court In France: Claim Data Retention Rules Violate Privacy”

Subscribe: RSS Leave a comment
26 Comments
blaktron (profile) says:

Im not really quite sure where the Google/Facebook privacy bashing came from. Beacon and some wifi sniffing I guess? Both basially harmless compared to REAL breaches of privacy. What about Sony? What about the US Government, and every other government on the planet? Maybe I’m just griping about a ton of hypocrisy since most news publications that reported negatively on beacon store more personal data on their subscribers than that, and share it FAR more readily to their advertisers (to the point where they conduct studies about what demographics look at what sections first, and target those ads specifically). Also, neither Google nor Facebook have ever had a major security breach compromising their users privacy. So ya….

Nicedoggy says:

Re: Re:

Not to be confrontational, but Google and Facebook both had severe data breaches by the hands of hackers(maybe even governments).

Google with the Chinese dissidents emails hack and Facebook on a daily basis by the hands of kids trying to out do each other and hacking each others accounts(which also happens in other platforms) mostly using XSS to steal cookie sessions, that could include automated Javascript worms that collect and store passwords and cookies.

Which although serious pale in comparison to the deliberate attempts to breach that privacy by governments.

Anonymous Coward says:

Re: Re: Re: Re:

Do you really think that Facebook and Google…and AOL and Yahoo and Hotmail and MySpace and LinkedIn and and and haven’t already been served with NSLs requiring that they not only provide a complete copy of everything they have, but a realtime feed of everything new that they’re getting? (Oh, and that of course they refrain from disclosing this.)

REALLY?

Christopher Gizzi (profile) says:

Not sticking up for users.

I doubt Facebook & Google are doing this for the users. They’re doing it so they don’t have to spend resources dealing with the authorities – especially when most countries are leaning towards keeping less information and are at odds with France.

That said, I’m sure they see an issue with the lack of security in plain text passwords but what makes you think those two companies aren’t tracking that information already in some way? it just means they might have to keep it longer (again, not bad for them) and they have to give it up when asked.

It’s not rights they’re worried about. It’s their burden.

John Doe says:

Passwords should not be kept in the clear...

Passwords should never be stored in clear text. In fact, they should only be stored using a one way encryption algorithm. Using this method, there is no way to decrypt them. If I thought my password was being stored in clear text or in a decipherable manner, I would quit using the service.

Richard (profile) says:

Re: Re: Passwords should not be kept in the clear...

You – and blaktron – are missing the point.

The point is not “whether your password is secure” it is “whether the service provider has a plain text copy of it that the can hand over”. The fact that there may be attacks is irrelevant – after all, if there are viable attacks, the authorities wouldn’t need to go to the service provider for your password.

The basic fact is that to create password security a NECESSARY but not SUFFICIENT condition is that the provider uses a cryptographically secure hashing algorithm – and therefore has NOTHING USEFUL to hand over to the authorities.

If they don’t use such a system the implication is that they have given no rational thought whatsoever to security – and therefore John Doe is quite correct not to touch them with the proverbial barge pole.

You are of course quite correct to say that this, on its own, does not make the system truly secure – but it is surely better than storing plain text passwords – ensuring that anyone who hacks into your system can get everyone’s passwords in seconds.

blaktron (profile) says:

Re: Re: Re: Passwords should not be kept in the clear...

I dont see how I’m missing the point, I’m just stating that as far as I know, Facebook and Google should be the last 2 companies answering questions about privacy breaches, or taking any heat at all over them.

And my point about having passwords encrypted is that in Europe or the US, the government could just spoof the CA and break anything they want, assuming they couldnt just pressure the CA to give them copies of the certs. Plain text or not makes little difference at that point, if the government demands it, its theirs, encrypted or not.

Richard (profile) says:

Re: Re: Re:2 Passwords should not be kept in the clear...

You ARE missing the point – so much so that you make one half of my point yourself without noticing.

The point is that the government doesn’t NEED to get passwords from the service provider anyway (as you yourself say) and the provider WON’T HAVE THEM anyway – because to do so would lay them open to a hacker who could harvest ALL the passwords in one go – much easier than a MtM attack on every single user individually.

In that context writing a requirement that service providers should retain passwords is JUST STUPID – which is the point you don’t seem to get.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

UK Domain Seizures: Nominet Admits It's Helped Police Seize 3,000 Sites
Copyright Fight Ensues Over Rebecca Black's 'Friday'
Follow Techdirt

Techdirt Daily Newsletter

Ctrl-Alt-Speech

A weekly news podcast from
Mike Masnick & Ben Whitelaw

Subscribe now to Ctrl-Alt-Speech »
Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...