France Goes Overboard In Data Retention: Wants User Passwords Retained

Privacy

from the anti-privacy-laws dept

There have been plenty of stories about various governments, often at the behest of either law enforcement or the entertainment industry, pushing for data retention laws. It seems especially ironic in Europe, where privacy laws are a much bigger deal, that they would also push for data retention, which is the opposite of a privacy law. However, Andrew Swift points us to a new data retention law in France that goes way beyond your typical “keep the log files” data retention rule. Instead, it appears to require that ISPs and hosting companies retain all sorts of private information (Google translation from the original French). Swift summarizes for us the information that needs to be retained:

Information furnished when agreeing to a contract or opening an account, including first name, last name, business name, associated mailing addresses, and pseudonyms utilized, associated e-mail addresses and accounts, telephone numbers, and passwords as well as data permitting the verification or modification of the password.

These companies must also keep all user id’s and passwords for any internet connection, the IP address of the terminal used to connect, the time and date of every connection, and…

Here’s the kicker: for EVERY action of a user on the internet, these companies are now required to record the nature of the operation, whether it is writing an e-mail or downloading an image or video.

Just the fact that these companies would even have access to passwords should be problematic. Why aren’t these services encrypting the passwords? I’m really curious how a law like this could possibly work in conjunction with European privacy laws?

Not surprisingly, it appears that pretty much every online service provider is planning to challenge this decree in court (Google translation of the original French).

Filed Under: data retention, france, passwords, privacy

Does Your ISP Care About Protecting Your Privacy?

Privacy

from the seems-like-a-marketing-opportunity dept

We recently wrote about how Swedish ISP Bahnhof had announced plans to use a VPN to encrypt all traffic running over its network, thus making any log files it was required to store under data retention rules useless. Slashdot points us to the news that ISP Review, over in the UK, has asked a bunch of UK ISPs their thoughts on encrypting all traffic, and questioning whether they would do the same to protect user privacy.

The answers are pretty interesting. None of them seem interested going as far as VPNing all traffic, with some suggesting that it’s just too expensive. One ISP, AAISP, says that there’s a better solution than VPN, which is to just switch to a carrier grade NAT, for which there are no requirements to log those sessions. IDNet suggested that it might consider making such a service “opt-in,” since some people might want it, but it creates other downsides that not all customers appreciate. The one response that struck me as questionable was from Entanet, who seemed to indicate that the only reason to encrypt traffic was if you were doing something wrong:

As a responsible communications provider, we don’t advocate any steps to proactively create the ability to avoid the identification of parties who are deliberately committing acts of data piracy.

The focus is not to “avoid identification” of people involved in “piracy,” but to provide privacy in general. Given just how many examples we’ve seen of governments spying on users’ data habits with very little legitimate purpose, it seems like an ISP that actually protects its users privacy should be seen as a good thing.

It makes me wonder if we’ll start to see more ISPs like Bahnhof pop up, with a focus on promoting the fact that they protect your privacy. In an age when so many people flipped out about Google’s WiFi sniffing, you would think that these same people would celebrate ISPs that automatically encrypt traffic, as that would solve such problems. Yet, instead, it seems like the very same people are suggesting that such encryption is only for bad purposes.

Of course, here in the US, there are almost no choices among ISPs, and the ones that are available all have strong and close relationships with the government (hi, AT&T!), so it’s not like they have any interest in protecting customer privacy. Though, this also explains why there’s nothing serious in any US-based broadband plan around increasing competition. If there were real competition, perhaps some providers would look at better ways to protect user privacy. So, as long as the government can keep competition limited to a few entities who rely on the government, the government knows it can always get the info it wants, no matter how dubious the legal rationale.

Filed Under: data retention, digital economy act, encryption, ipred, privacy, vpns

Swedish ISP Will Automatically Encrypt All Traffic To Protect Privacy Under New Data Retention Laws

Privacy

from the how-it-all-works dept

When Sweden first put in place its IPRED law, which required ISPs to hand over identifying info on people accused of file sharing, one of the first ISPs to respond was Banhof, who immediately put in place a new policy to delete all log files. Now that Sweden is pushing forward with a data retention law that would require ISPs to keep log files, Banhof has taken things up a notch by encrypting all traffic on their network via a VPN. That means that even if it keeps logfiles, the information will be effectively useless. Honestly, I’m surprised that more ISPs haven’t done something similar and pitched themselves as focused on protecting privacy. It’s difficult to see how Swedish politicians can really respond to this. They can’t exactly order ISPs not to encrypt traffic. Just think of the mess that would cause. So, as the US starts looking (again) at data retention laws, they might want to consider what’s happening in Sweden.

Filed Under: data retention, encryption, sweden, vpn
Companies: banhof

US Government Pushing Pro And Anti-Privacy Internet Rules At The Same Time

Privacy

from the figure-this-one-out dept

Ah, the hypocrisy of politicians. We’ve pointed out in the past how often politicians seem to push for data retention laws and privacy laws at the same time, without realizing the two are in fundamental conflict. It looks like the Obama administration is going through a bit of that as well. The FTC has been threatening to force browser makers to include a do not track feature, that would let people surf without having their data retained. And yet… at the same time, the Justice Department is pushing for extensive data retention laws, with the help of the supposed “small government” Congressional reps who don’t even seem to realize what they’re supporting. Even worse, Congress seems so eager to push for a data retention law that some Congressional Reps are apparently annoyed that the Justice Department hasn’t just handed them a bill to approve.

The problem, of course, is that these politicians don’t actually fully understand what the issues are involved here. They’re viewing the issues on a very narrow basis. On the “do not track” issue, they think “privacy is important, of course we support privacy — do not track is important.” On the “data retention” issue, they think “well, law enforcement needs to have access to data to solve crimes, and without requiring internet companies to retain data, then it’ll make law enforcement harder, so of course we need to have data retention.” What they don’t recognize is that these two things are in fundamental conflict with each other. Requiring data retention means less privacy. Period. But these politicians never actually think that far.

Filed Under: data retention, do not track, privacy

Should Data Just Fade Away?

(Mis)Uses of Technology

from the sometimes-yes,-but-often-no dept

Michael Scott points us to a report suggesting that one way to deal with the privacy issues of data stored online is to set up databases that automatically have plans to let data “fade away” over a certain period of time. Of course, I’m not sure what’s particularly new or unique about this. Lots of companies have systems in place to purge types of data after it reaches a certain age. Most companies have log files that delete after 6 or 12 months or whatever. The other issue, of course, is that with new data retention laws in place, many companies are forced by the government to retain certain types of data. And, finally, even if you plan for certain data to be deleted, there’s not necessarily a guarantee that it actually has been deleted.

Filed Under: data, data retention, privacy

Australian Gov't Says ISPs Should Spy On Users… At The Same Time It's Trying To Attack Google For Doing Less?

Privacy

from the um,-hypocrisy-much? dept

We’ve been writing about the Australian government — mainly Stephen Conroy — the politician who is actively trying to censor the internet, who is absolutely livid at Google, mainly because the company has accurately pointed out what a bad idea the censorship program would be. He’s been making ridiculous and uninformed fear mongering statements about Google for a few weeks now. The latest, which is a blatant falsehood, is that Google’s WiFi snarfing collected personal banking details. But, of course, as anyone who actually knows how these things work can tell you, banking sites use encryption. Google can only read unencrypted data, and all of the evidence suggests that Google discarded any encrypted info (not that it could do anything with it anyway).

Of course, while Conroy is grandstanding about how Google might have possibly, maybe collected a tiny snippet of unsecure info that passed through an open WiFi network while it was driving by — saying that it was “the largest privacy breach in history across Western democracies,” — his government, in his area of regulation, is working on data retention plans that would require ISPs to spy on your internet usage. They don’t just want ISPs to store your IP addresses. They want your browsing history and every email stored — just in case the government wants to go back and check it some time.

That seems like a significantly bigger privacy breach than anything Google did.

Filed Under: australia, data retention, isps, spying, stephen conroy

As Google Hands Over Collected WiFi Data In Germany, France And Spain, Ireland Tells Google To Destroy It

Privacy

from the mixed-messages dept

We recently covered how the data that Google collected via its Street View WiFi efforts was caught in this weird legal limbo, between privacy laws, data retention laws and rules about destroying evidence. However, it looks like that’s getting settled… but in very different ways in different countries. Somehow, Google has worked out a way to hand over the data in Germany, France and Spain… but over in Ireland, Google has been ordered to destroy the data. Not quite sure how this squares with the privacy laws in Germany, France and Spain… but hopefully we’ll find out that the data collected by this system was mostly meaningless and we can get over the hype surrounding this whole thing.

Filed Under: data collection, data retention, europe, france, germany, ireland, privacy, spain, wifi
Companies: google

EU Politicians Tricked Into Supporting Data Retention On Search Terms… 'For The Children'

Privacy

from the privacy-vs.-data-retention dept

Slashdot points us to a story about how many EU Parliament Members signed on to a declaration supporting the creation of an “early warning system to combat sexual child abuse.” Sounds good, right? But the devil is very much in the details. Christian Engstrom notes that many of the MEPs who signed on didn’t realize that part of the declaration was to extend already controversial data retention laws to search engines, meaning that Google would need to store your search results far beyond what they currently do, just in case law enforcement wants to go trolling through your search history.

Of course, this seems doubly ironic since so many European countries are up in arms over Google collecting data via open WiFi networks. So, which is it, Europe? Do you want Google not to collect data, or do you want Google to save data for years in case police want to snoop through it? No, the two situations are not identical, but there is a clear conflict between EU privacy rules and EU data retention rules. On the one hand, they give Europeans the ability to supposedly take control over their private info, including requiring companies to delete it. On the other hand, they demand that companies store data in case the police would like to look through it.

Filed Under: data retention, eu, privacy, search

German Court Says Data Retention Rules Are Illegal

Legal Issues

from the privacy-trumps dept

Around the world, law enforcement has pushed for stronger data retention rules for years, despite little evidence that it actually helps stop crimes (in fact, there’s evidence that it helps to obscure important data by burying the data in tons of more data). Yet, since law enforcement and the media can team up to create moral panics, politicians usually end up passing such laws. However, over in Germany, the highest German court has ruled that the data retention law passed in 2008 is illegal, saying that “the law’s erosion of personal privacy outweighed its usefulness in combating terrorism.” Furthermore, the court has ordered that data retained under the law should be destroyed immediately. The court noted that the German law went well beyond EU requirements and potentially harmed the rights of German citizens by having them feel like they’re under constant observation:

The storage of data could “cause a diffusely threatening feeling of being under observation that can diminish an unprejudiced perception of one’s basic rights in many areas,”

Filed Under: data retention, germany, privacy

Swedish ISP Refuses To Give Up Info; Says IPRED Violates EU Privacy Rules

Legal Issues

from the privacy-or-copyright? dept

Since the Swedish IPRED law went into effect, basically requiring ISPs to hand over info on those accused of copyright infringement, many ISPs have begun questioning the legality of the law itself — specifically noting that the law clearly conflicts with privacy laws already in place in Sweden, as well as wider EU privacy rules. Last year, the ISP Ephone appealed a demand for info, and now Swedish telco giant Telia Sonera is doing the same in appealing a demand for info on whoever runs SweTorrents:

In its appeal, the ISP argues that IPRED is in direct violation of the EU’s data retention directive, under which the privacy of the SweTorrents owner would be protected….

“The protection of privacy contained in the directive prevents the application of the Swedish IPRED law in this case,” TeliaSonera’s lawyer Patrick Hiselius said in a comment.

Separately, TeliaSonera also pointed out that the court doesn’t seem to understand the most basic technical aspects of BitTorrent, in that it spoke of “the material that is uploaded on the website” in referring to SweTorrents. But SweTorrents is just a tracker, and thus there is no infringing material uploaded to its website. TeliaSonera points out that the demands for information on SweTorrents, then, is “based on faulty technical knowledge.”

Filed Under: copyright, data retention, eu, ipred, privacy, sweden
Companies: teliasonera