Google, Facebook Go To Court In France: Claim Data Retention Rules Violate Privacy
from the american-companies-protecting-european-privacy dept
We've noted that, one by one, various European countries are realizing that Europe's "data retention" directive appears to be in direct conflict with EU privacy rules -- and when you put the two up against each other, privacy should win out. Germany, Romania, Cyprus, Hungary, the Czech Republic, Sweden, Greece, Ireland and Austria have all either ignored the data retention rules, or had courts rule against them. As we discussed last month, over in France, however, new data retention rules were recently published, which require service providers to keep all sorts of info about their users -- including passwords in plain text:

According to the decree with immediate application (so in force since 1 March 2011), the data to be preserved include: the identifier of the connection at the origin of the communication, the identifier attributed by the information system to the content that makes the object of the operation, the types of protocols used for the connection and for the content transfer, the nature of the operation, the date and hour of the operation and the identifier used by the author of the operation, when provided. Moreover, the hosting companies must also preserve, for one year after the deletion of an account, even more sensitive data such as the date and time when an account is created and the identifier of the connection, his/her complete name, pseudonyms, associated post addresses, e-mail and associated addresses, telephone numbers and even password.

In case the service subscribed is a paid one, the hosting companies must also retain data related to the payment method, the amount paid and date and hour of the transaction. Furthermore, they must preserve, for one year after the contribution to the content creation, data including the connection identifier, the identifier attributed to the subscriber, the identifier of the terminal used for the connection, the date and hour of the beginning and end of the connection and the features of the subscriber's line.

If that seems like quite a lot of information (passwords? really?!?), you're correct, and Google and Facebook find this requirement problematic. The two companies are taking the French government to court over this rule, saying that it violates other rules on privacy.
I find it somewhat ironic that Google and Facebook -- two American companies, quite frequently bashed in Europe for not respecting privacy -- are standing up to a European government for the privacy rights of their users...
Filed Under: data retention, france, passwords, privacy
Companies: facebook, google
Reader Comments
Better start building tumbrels soon. But first, the guillotines.
Why don't they do that here in the US?
Not sticking up for users.
That said, I'm sure they see an issue with the lack of security in plain text passwords, but what makes you think those two companies aren't tracking that information already in some way? It just means they might have to keep it longer (again, not bad for them) and they have to give it up when asked.
It's not rights they're worried about. It's their burden.
Passwords
Passwords should not be kept in the clear...
French...
The governments will use terror and whatever else they can to justify gaining more and more control over the people they "serve".
Re: Passwords should not be kept in the clear...
Re: Re: Passwords should not be kept in the clear...
Re:
Do you think you have privacy over your phone calls?
Do you think that the NSA black box they installed on AT&T grounds is just for show?
Re: Passwords should not be kept in the clear...
Re: Re: Re: Passwords should not be kept in the clear...
Which means the U.S. for now mostly.
Re:
Google with the Chinese dissidents' emails hack, and Facebook on a daily basis by the hands of kids trying to outdo each other and hacking each other's accounts (which also happens on other platforms), mostly using XSS to steal session cookies, which could include automated Javascript worms that collect and store passwords and cookies.
Which although serious pale in comparison to the deliberate attempts to breach that privacy by governments.
Re: Re: Passwords should not be kept in the clear...
The point is not "whether your password is secure"; it is "whether the service provider has a plain text copy of it that they can hand over". The fact that there may be attacks is irrelevant - after all, if there are viable attacks, the authorities wouldn't need to go to the service provider for your password.
The basic fact is that to create password security a NECESSARY but not SUFFICIENT condition is that the provider uses a cryptographically secure hashing algorithm - and therefore has NOTHING USEFUL to hand over to the authorities.
If they don't use such a system the implication is that they have given no rational thought whatsoever to security - and therefore John Doe is quite correct not to touch them with the proverbial barge pole.
You are of course quite correct to say that this, on its own, does not make the system truly secure - but it is surely better than storing plain text passwords - ensuring that anyone who hacks into your system can get everyone's passwords in seconds.
Re: Re: Re: Re: Passwords should not be kept in the clear...
In which case they don't need the service provider to hand the password over do they? - Talk about missing the point!
BUT
Now they have to keep your login and password in plain text.
Sounds good to me
Re: Re:
Re: Re: Re: Re: Re: Passwords should not be kept in the clear...
Re: Re: Re: Re: Re: Passwords should not be kept in the clear...
Re: Re: Re: Passwords should not be kept in the clear...
And my point about having passwords encrypted is that in Europe or the US, the government could just spoof the CA and break anything they want, assuming they couldn't just pressure the CA to give them copies of the certs. Plain text or not makes little difference at that point; if the government demands it, it's theirs, encrypted or not.
Re: Re:
do you think it's limited to AT&T?
Re: Re: Re: Re: Passwords should not be kept in the clear...
The point is that the government doesn't NEED to get passwords from the service provider anyway (as you yourself say), and the provider WON'T HAVE THEM anyway - because to do so would lay them open to a hacker who could harvest ALL the passwords in one go - much easier than a MitM attack on every single user individually.
In that context writing a requirement that service providers should retain passwords is JUST STUPID - which is the point you don't seem to get.
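The two comments above make the same technical point: a provider that stores a salted, slow password hash never holds the password itself, so there is nothing useful to retain or hand over, and a breach of the user table does not yield "everyone's passwords in seconds". The following is an added illustration written for this page, not code from the article or from any provider named in it. It uses Python's standard-library scrypt (any memory-hard password hash would do); the `UserStore` class, the `retained_data` method and the scrypt cost parameters are illustrative choices, and the demo parameters are kept small for speed.

```python
"""Salted password hashing: the provider keeps a verifier, not the password.

Added example for illustration; UserStore and its methods are hypothetical,
not any real provider's code.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# scrypt cost parameters. Illustrative values that run quickly in a demo;
# a production deployment tunes them upward for its hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
HASH_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Build the record a provider stores for one user.

    The record holds the algorithm, its parameters, a per-user random salt and
    the derived key. The password itself is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN,
    )
    return {
        "alg": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
        "salt": salt.hex(), "hash": key.hex(),
    }


def verify_password(record: Dict[str, object], candidate: str) -> bool:
    """Re-derive the key from the candidate and compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    key = hashlib.scrypt(
        candidate.encode("utf-8"), salt=salt,
        n=int(record["n"]), r=int(record["r"]), p=int(record["p"]), dklen=HASH_LEN,
    )
    return hmac.compare_digest(key, bytes.fromhex(str(record["hash"])))


def record_contains_password(record: Dict[str, object], password: str) -> bool:
    """True if the plaintext password appears anywhere in the stored record."""
    return password in json.dumps(record)


class UserStore:
    """Hypothetical user table: username -> hash record (no plaintext column)."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, object]] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        rec = self._records.get(username)
        if rec is None:
            return False
        return verify_password(rec, password)

    def retained_data(self, username: str) -> Dict[str, object]:
        """Everything the provider holds for this user and could be asked to produce."""
        return dict(self._records[username])


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")  # constructed sample user
    store.register("bob", "correct horse battery staple")    # same password, different record
    print("alice logs in:", store.login("alice", "correct horse battery staple"))
    print("alice wrong pw:", store.login("alice", "tr0ub4dor&3"))
    print("retained for alice:", store.retained_data("alice"))
    print("identical records for alice/bob:",
          store.retained_data("alice")["hash"] == store.retained_data("bob")["hash"])
```

Two properties are worth checking by hand: the per-user salt means two users with the same password produce different records, so a single cracked record does not expose the other, and `retained_data` shows exactly what a retention demand would yield, which is a salt and a derived key rather than anything that can be replayed as a password.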
Re: Re: Re:
REALLY?