Google, Facebook Go To Court In France: Claim Data Retention Rules Violate Privacy

from the american-companies-protecting-european-privacy dept

We've noted that, one by one, various European countries are realizing that Europe's "data retention" directive appears to be in direct conflict with EU privacy rules -- and when you put the two up against each other, privacy should win out. Germany, Romania, Cyprus, Hungary, the Czech Republic, Sweden, Greece, Ireland and Austria have all either ignored the data retention rules, or had courts rule against them. Over in France, however, as we discussed last month, new data retention rules were recently published, which require service providers to keep all sorts of info about their users -- including passwords in plain text:
According to the decree with immediate application (so in force since 1 March 2011), the data to be preserved include: the identifier of the connection at the origin of the communication, the identifier attributed by the information system to the content that makes the object of the operation, the types of protocols used for the connection and for the content transfer, the nature of the operation, the date and hour of the operation and the identifier used by the author of the operation, when provided. Moreover, the hosting companies must also preserve, for one year after the deletion of an account, even more sensitive data such as the date and time when an account is created and the identifier of the connection, his/her complete name, pseudonyms, associated post addresses, e-mail and associated addresses, telephone numbers and even password.

In case the service subscribed is a paid one, the hosting companies must also retain data related to the payment method, the amount paid and date and hour of the transaction. Furthermore, they must preserve, for one year after the contribution to the content creation, data including the connection identifier, the identifier attributed to the subscriber, the identifier of the terminal used for the connection, the date and hour of the beginning and end of the connection and the features of the subscriber's line.
If that seems like quite a lot of information (passwords? really?!?), you're correct, and Google and Facebook find this requirement problematic. The two companies are taking the French government to court over this rule, saying that it violates other rules on privacy.

I find it somewhat ironic that Google and Facebook -- two American companies quite frequently bashed in Europe for not respecting privacy -- are standing up to a European government for privacy rights of their users...


Reader Comments

  1.  
    The eejit (profile), Apr 7th, 2011 @ 5:13am

    That's not irony. Irony would be if Facebook were doing this in order to facilitate harsher rules.

     

  2.  
    The Devil's Coachman (profile), Apr 7th, 2011 @ 6:22am

    Better start building tumbrels soon. But first, the guillotines.

    Even without tumbrels, the malefactors can be dragged by a rope behind Citroen 2CV's to their appointment with destiny. Looks like the French may have to put another Bastille Day on their holiday calendar soon.

     

  3.  
    Don, Apr 7th, 2011 @ 6:33am

    Yup. Especially for Facebook which tries very hard to make your profile public or will resurrect a deleted message if someone replies to it.

     

  4.  
    blaktron (profile), Apr 7th, 2011 @ 6:37am

    I'm not really quite sure where the Google/Facebook privacy bashing came from. Beacon and some wifi sniffing I guess? Both basically harmless compared to REAL breaches of privacy. What about Sony? What about the US Government, and every other government on the planet? Maybe I'm just griping about a ton of hypocrisy since most news publications that reported negatively on Beacon store more personal data on their subscribers than that, and share it FAR more readily to their advertisers (to the point where they conduct studies about what demographics look at what sections first, and target those ads specifically). Also, neither Google nor Facebook has ever had a major security breach compromising their users' privacy. So ya....

     

  5.  
    Jay (profile), Apr 7th, 2011 @ 6:38am

    I got a question...

    Why don't they do that here in the US?

     

  6.  
    Christopher Gizzi (profile), Apr 7th, 2011 @ 6:40am

    Not sticking up for users.

    I doubt Facebook & Google are doing this for the users. They're doing it so they don't have to spend resources dealing with the authorities - especially when most countries are leaning towards keeping less information and are at odds with France.

    That said, I'm sure they see an issue with the lack of security in plain text passwords, but what makes you think those two companies aren't tracking that information already in some way? It just means they might have to keep it longer (again, not bad for them) and they have to give it up when asked.

    It's not rights they're worried about. It's their burden.

     

  7.  
    Richard (profile), Apr 7th, 2011 @ 6:45am

    Passwords

    What technical advice were the people who wrote these rules given? Surely every fool knows that no-one actually knows their users' passwords. Have they never heard of password hashing?

     

  8.  
    John Doe, Apr 7th, 2011 @ 6:45am

    Passwords should not be kept in the clear...

    Passwords should never be stored in clear text. In fact, they should only be stored using a one-way encryption algorithm. Using this method, there is no way to decrypt them. If I thought my password was being stored in clear text or in a decipherable manner, I would quit using the service.

     

  9.  
    V, Apr 7th, 2011 @ 6:49am

    French...

    Why is this surprising anyone?

    The governments will use terror and whatever else they can to justify gaining more and more control over the people they "serve".

     

  10.  
    blaktron (profile), Apr 7th, 2011 @ 6:50am

    Re: Passwords should not be kept in the clear...

    Congrats, stop using every service as SSL false-certificate MitM attacks can decrypt any password you send.....

     

  11.  
    Christopher (profile), Apr 7th, 2011 @ 7:01am

    Re: Re: Passwords should not be kept in the clear...

    Only if the certificate authorities are compromised, which wouldn't happen if they wouldn't give the keys to the castle to everyone with enough cash.

     

  12.  
    Anonymous Coward, Apr 7th, 2011 @ 7:28am

    Re:

    They do it in the U.S. too, but in the U.S. it is called Patriotic Act and it is done in the shadows so no one can see it happening.

    Do you think you have privacy over your phone calls?
    Do you think that the NSA black box they installed on AT&T grounds is just for show?

     

  13.  
    Nicedoggy, Apr 7th, 2011 @ 7:30am

    Re: Passwords should not be kept in the clear...

    That is not entirely true; depending on how strong the password is, Rainbow Tables could do the trick in minutes.

     

  14.  
    Nicedoggy, Apr 7th, 2011 @ 7:32am

    Re: Re: Re: Passwords should not be kept in the clear...

    ...and the government, all governments probably have access to those certificates if they are stored in their soil.

    Which means the U.S. for now mostly.

     

  15.  
    Nicedoggy, Apr 7th, 2011 @ 7:36am

    Re:

    Not to be confrontational, but Google and Facebook both had severe data breaches by the hands of hackers (maybe even governments).

    Google with the Chinese dissidents emails hack and Facebook on a daily basis by the hands of kids trying to outdo each other and hacking each other's accounts (which also happens in other platforms) mostly using XSS to steal cookie sessions, that could include automated JavaScript worms that collect and store passwords and cookies.

    Which although serious pale in comparison to the deliberate attempts to breach that privacy by governments.

     

  16.  
    Richard (profile), Apr 7th, 2011 @ 7:42am

    Re: Re: Passwords should not be kept in the clear...

    You - and blaktron - are missing the point.

    The point is not "whether your password is secure" it is "whether the service provider has a plain text copy of it that they can hand over". The fact that there may be attacks is irrelevant - after all, if there are viable attacks, the authorities wouldn't need to go to the service provider for your password.

    The basic fact is that to create password security a NECESSARY but not SUFFICIENT condition is that the provider uses a cryptographically secure hashing algorithm - and therefore has NOTHING USEFUL to hand over to the authorities.

    If they don't use such a system the implication is that they have given no rational thought whatsoever to security - and therefore John Doe is quite correct not to touch them with the proverbial barge pole.

    You are of course quite correct to say that this, on its own, does not make the system truly secure - but it is surely better than storing plain text passwords - ensuring that anyone who hacks into your system can get everyone's passwords in seconds.

     

  17.  
    Richard (profile), Apr 7th, 2011 @ 7:44am

    Re: Re: Re: Re: Passwords should not be kept in the clear...

    all governments probably have access to those certificates if they are stored in their soil.
    In which case they don't need the service provider to hand the password over, do they? - Talk about missing the point!

     

  18.  
    johnny canada, Apr 7th, 2011 @ 7:56am

    So Google can not take a picture of your house and accidentally capture a few bits of data.

    BUT

    now they have to keep your log in and password in plain text.

    Sounds good to me

     

  19.  
    blaktron (profile), Apr 7th, 2011 @ 8:55am

    Re: Re:

    Those breaches are individual accounts. As far as I know neither has ever had their bare infrastructure laid open so people could grab data en masse.

     

  20.  
    blaktron (profile), Apr 7th, 2011 @ 8:56am

    Re: Re: Re: Re: Re: Passwords should not be kept in the clear...

    There's a long history of CA spoofing, don't kid yourself...

     

  22.  
    blaktron (profile), Apr 7th, 2011 @ 8:59am

    Re: Re: Re: Passwords should not be kept in the clear...

    I don't see how I'm missing the point, I'm just stating that as far as I know, Facebook and Google should be the last 2 companies answering questions about privacy breaches, or taking any heat at all over them.

    And my point about having passwords encrypted is that in Europe or the US, the government could just spoof the CA and break anything they want, assuming they couldn't just pressure the CA to give them copies of the certs. Plain text or not makes little difference at that point, if the government demands it, it's theirs, encrypted or not.

     

  23.  
    chris (profile), Apr 7th, 2011 @ 9:23am

    Re: Re:

    Do you think that the NSA black box they installed on AT&T grounds is just for show?

    Do you think it's limited to AT&T?

     

  24.  
    Richard (profile), Apr 7th, 2011 @ 9:46am

    Re: Re: Re: Re: Passwords should not be kept in the clear...

    You ARE missing the point - so much so that you make one half of my point yourself without noticing.

    The point is that the government doesn't NEED to get passwords from the service provider anyway (as you yourself say) and the provider WON'T HAVE THEM anyway - because to do so would lay them open to a hacker who could harvest ALL the passwords in one go - much easier than a MtM attack on every single user individually.

    In that context writing a requirement that service providers should retain passwords is JUST STUPID - which is the point you don't seem to get.

     

  25.  
    Anonymous Coward, Apr 7th, 2011 @ 11:30am

    Re: Re: Re:

    Do you really think that Facebook and Google...and AOL and Yahoo and Hotmail and MySpace and LinkedIn and and and haven't already been served with NSLs requiring that they not only provide a complete copy of everything they have, but a realtime feed of everything new that they're getting? (Oh, and that of course they refrain from disclosing this.)

    REALLY?

     

  26.  
    Aerilus, Apr 7th, 2011 @ 11:19pm

    Meanwhile Western Digital and Seagate are diving into their pools of money

     
