France Goes Overboard In Data Retention: Wants User Passwords Retained
from the anti-privacy-laws dept
There have been plenty of stories about various governments, often at the behest of either law enforcement or the entertainment industry, pushing for data retention laws. It seems especially ironic that governments in Europe, where privacy laws are a much bigger deal, would also push for data retention, which is the opposite of a privacy law. However, Andrew Swift points us to a new data retention law in France that goes way beyond your typical “keep the log files” data retention rule. Instead, it appears to require that ISPs and hosting companies retain all sorts of private information (Google translation from the original French). Swift summarizes for us the information that needs to be retained:
Information furnished when agreeing to a contract or opening an account, including first name, last name, business name, associated mailing addresses, and pseudonyms utilized, associated e-mail addresses and accounts, telephone numbers, and passwords as well as data permitting the verification or modification of the password.
These companies must also keep all user IDs and passwords for any internet connection, the IP address of the terminal used to connect, the time and date of every connection, and…
Here’s the kicker: for EVERY action of a user on the internet, these companies are now required to record the nature of the operation, whether it is writing an e-mail or downloading an image or video.
Just the fact that these companies would even have access to passwords should be problematic. Why aren’t these services encrypting the passwords? I’m really curious how a law like this could possibly work in conjunction with European privacy laws.