France Goes Overboard In Data Retention: Wants User Passwords Retained
from the anti-privacy-laws dept
There have been plenty of stories about various governments, often at the behest of either law enforcement or the entertainment industry, pushing for data retention laws. It seems especially ironic in Europe, where privacy laws are a much bigger deal, that they would also push for data retention, which is the opposite of a privacy law. However, Andrew Swift points us to a new data retention law in France that goes way beyond your typical "keep the log files" data retention rule. Instead, it appears to require that ISPs and hosting companies retain all sorts of private information (Google translation from the original French). Swift summarizes for us the information that needs to be retained:
Information furnished when agreeing to a contract or opening an account, including first name, last name, business name, associated mailing addresses, and pseudonyms utilized, associated e-mail addresses and accounts, telephone numbers, and passwords as well as data permitting the verification or modification of the password.
Just the fact that these companies would even have access to passwords should be problematic. Why aren't these services encrypting the passwords? I'm really curious how a law like this could possibly work in conjunction with European privacy laws?
These companies must also keep all user id's and passwords for any internet connection, the IP address of the terminal used to connect, the time and date of every connection, and...
Here's the kicker: for EVERY action of a user on the internet, these companies are now required to record the nature of the operation, whether it is writing an e-mail or downloading an image or video.
Not surprisingly, it appears that pretty much every online service provider is planning to challenge this decree in court (Google translation of the original French).
Filed Under: data retention, france, passwords, privacy
Reader Comments
Yeah, Sure
After people get wind of this, I hope they have fun sorting through logs that look like:
3-11-2011@19:27 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
3-11-2011@19:31 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
3-11-2011@19:34 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
3-11-2011@19:47 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
3-11-2011@19:58 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
3-11-2011@20:06 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
3-11-2011@25:04 - XXX.XXX.XXX.XXX - Connection To: YYY.YYY.YYY.YYY (Tor Gateway Node)
[ link to this | view in chronology ]
Re: Re: Re:
;-P
[ link to this | view in chronology ]
Re: Re: Re:
Clearly their laws and practices don't make for good security policy. Maybe it's a culture thing?
And why would you ever need a user's password? Any decent program has a "become" feature for admins, so you can log in as that user. All the ones I write have it, anyhow.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Remind me never to use any service that you have set up!
Proper services are set up so that the service provider can't see user data.
[ link to this | view in chronology ]
Wow
What's next in France?
Will their postal service be required to open each and every piece of mail and record everything in a log? How much you owe on your credit card, that fantasy filled letter from your girlfriend or that package from Victoria's Secret would all be fair game.
Also, in the US here we have very strict rules (HIPAA Privacy Rule) concerning the privacy of medical records and it could mean that the US medical establishment wouldn't be able to corroborate with their French counterparts on diagnoses.
[ link to this | view in chronology ]
Re: Wow
Taylor Negron is reprising his role from "Better Off Dead" for the French postal service instructional films.
[ link to this | view in chronology ]
French site administrators will now have the fun choice of obeying the law or putting their customers' data in danger of being compromised. Brilliant!
[ link to this | view in chronology ]
Re:
This law is for ISPs not for Websites... your gmail password will still be encrypted, it is just your password you use to CONNECT to the internet, not what you do once you're online.
That being said this is obviously so they can connect as you, visit a bunch of nasty sites, and then sue you saying "You visited StealCopyrightedMusic.com and downloaded the internet, pay us or go to jail."
Also it doesn't say (yet) that it has to be plain text; that's an assumption. If anything I hope this encourages ISPs to encrypt more data (with reversible encryption) like your address, billing info, and browsing history.
Again I think the idea is horrible, but let's not confuse ISPs and Websites, or assume they have to be completely unencrypted.
[ link to this | view in chronology ]
Re: Re:
Private correspondence (i.e. email services) is excluded from the scope of this law.
[ link to this | view in chronology ]
I absolutely agree with you on encrypting passwords...
[ link to this | view in chronology ]
I am sure more than anything it's being driven by the need to put some sort of control on spamming and trolling, neither of which I am interested in. However because of this sort of restriction, places like Ars Technica and TorrentFreak no longer receive any sort of comment from me. (maybe that's a good thing)
I do at times comment here, strictly because I can do so anonymously without the requirement to be counted, datamined, and tied to some sort of identification. Yes, I know that my IP is recorded because I haven't used VPN or TOR and have not to this point chosen to do so.
It is rapidly reaching the point that I am considering the last two as self protection. It's not that I'm guilty of anything, it's that I don't want to be followed wherever I go, linked to everything under the sun on the internet in a casual browse.
The one thing I am very sure of is that if you have a huge database being kept track of, somewhere a hacker will figure a way in. Governments are honey pots for them as that's where large databases are. Info is key to money in one form or another. So making sure a large database to keep track of things like passwords will surely open their citizens to hacker access, simply because it is there.
[ link to this | view in chronology ]
Re:
It is rapidly reaching the point that I am considering the last two as self protection
Indeed. I have an older machine sitting about, and my current plan is to craft it into a "secure" desktop running a hardened version of Linux, with full disk encryption, TOR, and a bevy of other offerings both large and small to make tracking a virtual impossibility.
Should be a fun project.
[ link to this | view in chronology ]
Re: Re:
I have been thinking about doing this too.
MAC Address Spoofing is important too (and easy in Linux - MacChanger)
[ link to this | view in chronology ]
And I'll say it out loud (with head above parapets): Any government that tries to inflict control over the internet does so without the consent of those that it would control - so is illegitimate, and must be got rid of.
[ link to this | view in chronology ]
Use OpenId
Anybody knows that the person that wrote the application doesn't need the password to look into its database. I can only see that since the regular people use the same password everywhere, with one password you can get into other services to dig more dirt. I'm pretty sure that if you dig hard enough on somebody else's past, you can find him guilty of something.
[ link to this | view in chronology ]
A. The people.
B. Ongoing struggle of good versus evil.
C. Because lives are at stake here!
or
D. Thwart al-Qaeda.
[ link to this | view in chronology ]
suggested password
[ link to this | view in chronology ]