Google, Facebook Go To Court In France: Claim Data Retention Rules Violate Privacy

from the american-companies-protecting-european-privacy dept

We've noted that, one by one, various European countries are realizing that Europe's "data retention" directive appears to be in direct conflict with EU privacy rules -- and when you put the two up against each other, privacy should win out. Germany, Romania, Cyprus, Hungary, the Czech Republic, Sweden, Greece, Ireland and Austria have all either ignored the data retention rules or had courts rule against them. As we discussed last month, however, over in France new data retention rules were recently published that require service providers to keep all sorts of info about their users -- including passwords in plain text:
According to the decree with immediate application (so in force since 1 March 2011), the data to be preserved include: the identifier of the connection at the origin of the communication, the identifier attributed by the information system to the content that makes the object of the operation, the types of protocols used for the connection and for the content transfer, the nature of the operation, the date and hour of the operation and the identifier used by the author of the operation, when provided. Moreover, the hosting companies must also preserve, for one year after the deletion of an account, even more sensitive data such as the date and time when an account is created and the identifier of the connection, his/her complete name, pseudonyms, associated post addresses, e-mail and associated addresses, telephone numbers and even password.

In case the service subscribed is a paid one, the hosting companies must also retain data related to the payment method, the amount paid and date and hour of the transaction. Furthermore, they must preserve, for one year after the contribution to the content creation, data including the connection identifier, the identifier attributed to the subscriber, the identifier of the terminal used for the connection, the date and hour of the beginning and end of the connection and the features of the subscriber's line.
If that seems like quite a lot of information (passwords? really?!?), you're correct, and Google and Facebook find this requirement problematic. The two companies are taking the French government to court over this rule, saying that it violates other rules on privacy.

I find it somewhat ironic that Google and Facebook -- two American companies quite frequently bashed in Europe for not respecting privacy -- are standing up to a European government for the privacy rights of their users...

Filed Under: data retention, france, passwords, privacy
Companies: facebook, google


Reader Comments



  • icon
    The eejit (profile), 7 Apr 2011 @ 5:13am

    That's not irony. Irony would be if Facebook were doing this in order to facilitate harsher rules.

    link to this | view in chronology ]

  • icon
    The Devil's Coachman (profile), 7 Apr 2011 @ 6:22am

    Better start building tumbrels soon. But first, the guillotines.

    Even without tumbrels, the malefactors can be dragged by a rope behind Citroen 2CV's to their appointment with destiny. Looks like the French may have to put another Bastille Day on their holiday calendar soon.

    link to this | view in chronology ]

  • identicon
    Don, 7 Apr 2011 @ 6:33am

    Yup. Especially for Facebook which tries very hard to make your profile public or will resurrect a deleted message if someone replies to it.

    link to this | view in chronology ]

  • icon
    blaktron (profile), 7 Apr 2011 @ 6:37am

    I'm not really quite sure where the Google/Facebook privacy bashing came from. Beacon and some wifi sniffing I guess? Both basically harmless compared to REAL breaches of privacy. What about Sony? What about the US Government, and every other government on the planet? Maybe I'm just griping about a ton of hypocrisy since most news publications that reported negatively on beacon store more personal data on their subscribers than that, and share it FAR more readily to their advertisers (to the point where they conduct studies about what demographics look at what sections first, and target those ads specifically). Also, neither Google nor Facebook have ever had a major security breach compromising their users' privacy. So ya....

    link to this | view in chronology ]

    • identicon
      Nicedoggy, 7 Apr 2011 @ 7:36am

      Re:

      Not to be confrontational, but Google and Facebook both had severe data breaches by the hands of hackers (maybe even governments).

      Google with the Chinese dissidents emails hack and Facebook on a daily basis by the hands of kids trying to outdo each other and hacking each other's accounts (which also happens in other platforms) mostly using XSS to steal cookie sessions, that could include automated JavaScript worms that collect and store passwords and cookies.

      Which, although serious, pale in comparison to the deliberate attempts to breach that privacy by governments.

      link to this | view in chronology ]

      • icon
        blaktron (profile), 7 Apr 2011 @ 8:55am

        Re: Re:

        Those breaches are individual accounts. As far as I know neither has ever had their bare infrastructure laid open so people could grab data en masse.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 7 Apr 2011 @ 11:30am

          Re: Re: Re:

          Do you really think that Facebook and Google...and AOL and Yahoo and Hotmail and MySpace and LinkedIn and and and haven't already been served with NSLs requiring that they not only provide a complete copy of everything they have, but a realtime feed of everything new that they're getting? (Oh, and that of course they refrain from disclosing this.)

          REALLY?

          link to this | view in chronology ]

  • icon
    Jay (profile), 7 Apr 2011 @ 6:38am

    I got a question...

    Why don't they do that here in the US?

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 7 Apr 2011 @ 7:28am

      Re:

      They do it in the U.S. too, but in the U.S. it is called Patriotic Act and it is done in the shadows so no one can see it happening.

      Do you think you have privacy over your phone calls?
      Do you think that the NSA black box they installed on AT&T grounds is just for show?

      link to this | view in chronology ]

  • icon
    Christopher Gizzi (profile), 7 Apr 2011 @ 6:40am

    Not sticking up for users.

    I doubt Facebook & Google are doing this for the users. They're doing it so they don't have to spend resources dealing with the authorities - especially when most countries are leaning towards keeping less information and are at odds with France.

    That said, I'm sure they see an issue with the lack of security in plain text passwords but what makes you think those two companies aren't tracking that information already in some way? It just means they might have to keep it longer (again, not bad for them) and they have to give it up when asked.

    It's not rights they're worried about. It's their burden.

    link to this | view in chronology ]

  • icon
    Richard (profile), 7 Apr 2011 @ 6:45am

    Passwords

    What technical advice were the people who wrote these rules given? Surely every fool knows that no-one actually knows their users' passwords. Have they never heard of password hashing?

    link to this | view in chronology ]

  • identicon
    John Doe, 7 Apr 2011 @ 6:45am

    Passwords should not be kept in the clear...

    Passwords should never be stored in clear text. In fact, they should only be stored using a one way encryption algorithm. Using this method, there is no way to decrypt them. If I thought my password was being stored in clear text or in a decipherable manner, I would quit using the service.

    link to this | view in chronology ]

    • icon
      blaktron (profile), 7 Apr 2011 @ 6:50am

      Re: Passwords should not be kept in the clear...

      Congrats, stop using every service as SSL false-certificate MitM attacks can decrypt any password you send.....

      link to this | view in chronology ]

      • icon
        Christopher (profile), 7 Apr 2011 @ 7:01am

        Re: Re: Passwords should not be kept in the clear...

        Only if the certificate authorities are compromised, which wouldn't happen if they wouldn't give the keys to the castle to everyone with enough cash.

        link to this | view in chronology ]

        • identicon
          Nicedoggy, 7 Apr 2011 @ 7:32am

          Re: Re: Re: Passwords should not be kept in the clear...

          ...and the government, all governments probably have access to those certificates if they are stored in their soil.

          Which means the U.S. for now mostly.

          link to this | view in chronology ]

          • icon
            Richard (profile), 7 Apr 2011 @ 7:44am

            Re: Re: Re: Re: Passwords should not be kept in the clear...

            "all governments probably have access to those certificates if they are stored in their soil."
            In which case they don't need the service provider to hand the password over do they? - Talk about missing the point!

            link to this | view in chronology ]

            • icon
              blaktron (profile), 7 Apr 2011 @ 8:56am

              Re: Re: Re: Re: Re: Passwords should not be kept in the clear...

              There's a long history of CA spoofing, don't kid yourself...

              link to this | view in chronology ]

    • identicon
      Nicedoggy, 7 Apr 2011 @ 7:30am

      Re: Passwords should not be kept in the clear...

      That is not entirely true, depending on how strong the password is, rainbow tables could do the trick in minutes.

      link to this | view in chronology ]

      • icon
        Richard (profile), 7 Apr 2011 @ 7:42am

        Re: Re: Passwords should not be kept in the clear...

        You - and blaktron - are missing the point.

        The point is not "whether your password is secure" it is "whether the service provider has a plain text copy of it that they can hand over". The fact that there may be attacks is irrelevant - after all, if there are viable attacks, the authorities wouldn't need to go to the service provider for your password.

        The basic fact is that to create password security a NECESSARY but not SUFFICIENT condition is that the provider uses a cryptographically secure hashing algorithm - and therefore has NOTHING USEFUL to hand over to the authorities.

        If they don't use such a system the implication is that they have given no rational thought whatsoever to security - and therefore John Doe is quite correct not to touch them with the proverbial barge pole.

        You are of course quite correct to say that this, on its own, does not make the system truly secure - but it is surely better than storing plain text passwords - ensuring that anyone who hacks into your system can get everyone's passwords in seconds.

        link to this | view in chronology ]
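The storage schemes argued over in this thread, as an added Python example (not any commenter's or provider's code): a plain lookup table reverses an unsalted fast hash, while a provider storing a per-user salt and a slow salted hash holds no plain-text password to hand over. The PBKDF2 iteration count and the four-word list are constructed assumptions, and the dictionary lookup stands in for a real rainbow table.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def make_record(password: str) -> dict:
    """What the provider stores: a random per-user salt and a slow salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Log-in check: recompute with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def unsalted_sha256(password: str) -> bytes:
    """Weak scheme kept for comparison: fast and unsalted."""
    return hashlib.sha256(password.encode()).digest()


# Constructed word list; the dict stands in for a precomputed table.
COMMON = ["123456", "password", "azerty", "soleil"]
PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON}


def lookup(stored_hash: bytes):
    """Return the password if the stored hash is in the table, else None."""
    return PRECOMPUTED.get(stored_hash)


def demo() -> dict:
    alice, bob = make_record("soleil"), make_record("soleil")
    return {
        "login_ok": verify(alice, "soleil"),
        "login_bad": verify(alice, "Soleil"),
        "same_password_same_record": alice["hash"] == bob["hash"],
        "unsalted_reversed": lookup(unsalted_sha256("soleil")),
        "salted_reversed": lookup(alice["hash"]),
        "record_fields": sorted(alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A weak password behind a salted hash can still be guessed one account at a time, which is the "necessary but not sufficient" caveat in the comment above.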

        • icon
          blaktron (profile), 7 Apr 2011 @ 8:59am

          Re: Re: Re: Passwords should not be kept in the clear...

          I don't see how I'm missing the point, I'm just stating that as far as I know, Facebook and Google should be the last 2 companies answering questions about privacy breaches, or taking any heat at all over them.

          And my point about having passwords encrypted is that in Europe or the US, the government could just spoof the CA and break anything they want, assuming they couldn't just pressure the CA to give them copies of the certs. Plain text or not makes little difference at that point, if the government demands it, it's theirs, encrypted or not.

          link to this | view in chronology ]

          • icon
            Richard (profile), 7 Apr 2011 @ 9:46am

            Re: Re: Re: Re: Passwords should not be kept in the clear...

            You ARE missing the point - so much so that you make one half of my point yourself without noticing.

            The point is that the government doesn't NEED to get passwords from the service provider anyway (as you yourself say) and the provider WON'T HAVE THEM anyway - because to do so would lay them open to a hacker who could harvest ALL the passwords in one go - much easier than a MitM attack on every single user individually.

            In that context writing a requirement that service providers should retain passwords is JUST STUPID - which is the point you don't seem to get.

            link to this | view in chronology ]

  • identicon
    V, 7 Apr 2011 @ 6:49am

    French...

    Why is this surprising anyone?

    The governments will use terror and whatever else they can to justify gaining more and more control over the people they "serve".

    link to this | view in chronology ]

  • identicon
    johnny canada, 7 Apr 2011 @ 7:56am

    So Google can not take a picture of your house and accidentally capture a few bits of data.

    BUT

    now they have to keep your log in and password in plain text.

    Sounds good to me

    link to this | view in chronology ]

  • identicon
    Aerilus, 7 Apr 2011 @ 11:19pm

    Meanwhile Western Digital and Seagate are diving into their pools of money

    link to this | view in chronology ]

