Five Bar Owners Arrested In France For Not Logging Internet Use By Patrons Using Bars' WiFi Connections
from the what-even-the-fuck-but-in-French dept
A seldom used mandate from France's 2006 anti-terrorism law is being wielded rather conspicuously in a single French city to lock up small business owners.
At least five bar owners in Grenoble, France have been arrested for providing WiFi at their businesses without keeping logs. The bar owners were arrested under a 2006 law that technically classifies WiFi hotspot providing establishments as ISPs, and require them to store one year’s worth of logs or connection records for anti terrorism purposes.
France has a long and inglorious history of forcing ISPs to log user activity, but this is the first time data retention laws have been used against business owners who allow customers to connect to their WiFi. In 2011, the law was expanded to demand the logging of user login info and passwords, thus ensuring service providers would always be tempting targets for malicious hackers.
The new and sudden enforcement of a nearly 15-year-old law seems pretty weird, considering it only targeted five bar owners in one city. This suggests Grenoble law enforcement might have a bit too much time on its hands. It doesn't appear to be part of a larger sweep across the country to (harshly) remind small business owners of their data retention obligations.
The bar owners -- who were all released after questioning -- said the hospitality section union (UMIH) never made them aware they needed to retain 365 days of customer internet activity, despite holding several conferences and seminars on running hospitality business. UMIH responded by saying it's not the union's fault members don't read UMIH junk mail.
Umih admitted that the training doesn’t mention WiFi logging but noted that Umih members should have known about this important requirement because it was mentioned in a newsletter.
Dystopia -- well, more of it -- has come to Grenoble, France. Five bar owners are now more than fully aware of their data retention obligations. Since these arrests have made international news, it's safe to assume customers are also now fully aware their internet activity is being logged and stored every time they connect with a bar's hotspot.
Not that staying home helps. Bar patrons face the same harvesting of data whether they stay in or go out. ISPs -- which includes anyone offering a "public" connection -- are under the same obligations. Failing to do so could net bar owners (or cable company employees) a 75,000 Euro fine and up to a year in prison.
And, in a damned if you do/damned if you don't twist, there's a good chance this kind of logging -- especially without explicit consent from patrons -- violates the far-more-recent GDPR. But few bar owners will have the money needed to challenge France's law or have the ability to run this by the EU Commission for a second look. That leaves it up to the local cops, who appear to have found a new way to make things periodically miserable for the community they serve.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: anti-terrorism, bar wifi, cafe wifi, france, isps, logs, privacy, small businesses, wifi
Reader Comments
Subscribe: RSS
View by: Time | Thread
No need for the GDPR
The EU court has ruled (twice) that it is illegal to log everyone's internet and phone use. You have to have a warrant from a judge per case. So GDPR is irrelevant.
The ruling is here (in PDF):
https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-10/cp200123en.pdf
[ link to this | view in thread ]
"The new and sudden enforcement of a nearly 15-year-old law seems pretty weird, considering it only targeted five bar owners in one city"
There's always the question of how they knew that they weren't keeping logs. Did they try requesting the logs and sweep up the guys who wouldn't/couldn't comply, or did they just target these guys for something else, safe in the knowledge that there's no way anyone is complying with this law so it's a nice excuse for a fishing expedition?
I'd also question what provisions the actual ISPs are making here. In Spain, where there is no such law, most local bars are just using the same routers as they supply to domestic customers, with no real logging or other capabilities. Have some businesses been making a lot of money setting up vastly overcomplicated and expensive setups to comply with this law, or are the bars expected to just obtain and maintain their own network equipment? It seems somewhat crazy if the bar owners are buying their networking capability from an ISP, but then because the law doesn't make the distinction the ISP can sell them equipment that can't do the job.
Nothing here passes the smell test, but then a lot of French law is silly.
[ link to this | view in thread ]
That's a sweetly optimistic view of which community the cops feel they serve...
[ link to this | view in thread ]
Re:
I think they actually visited the places and requested the logs.
[ link to this | view in thread ]
Re: No need for understandable laws
so the French people are ruled by complex and conflicting laws from the local, national, and international/EU levels.
Not a good system.
the local police do whatever they feel like doing, with no fear of personal legal accountability -- just like in the U.S.
[ link to this | view in thread ]
Re:
FTFY
[ link to this | view in thread ]
Re: Re:
In which case, I suspect they knew that nobody was complying anyway and they used that as an excuse to look at something else.
I could be wrong, but I have heard of the town being described as a criminal hotbed, and it's probably easier to go after them for this sort of thing than it is for them to gather evidence about other crimes directly. Get rid of the bar owner temporarily for a minor crime, have a look around during the arrest, maybe grill them for a bit while they're in custody... it wouldn't be the first time that's happened.
[ link to this | view in thread ]
Re: Re: No need for understandable laws
"so the French people are ruled by complex and conflicting laws from the local, national, and international/EU levels."
As if things are different elsewhere.
[ link to this | view in thread ]
Re: Re: Re:
In France, such actions can only be carried out after judicial approval. If the police have time to plan an arrest, they have time to get judicial approval, and the law demands that they do so.
[ link to this | view in thread ]
Re: Re: Re: Re:
I'll admit I'm not 100% with the legal situation over there, but I can imagine it either way. On the one hand, going in to a bar and just "happening" to spot something visible from a public area could go one way. On the other hand, I did recently watch a documentary in Spain recently where the local police weren't allowed to go into an apartment and deal with the drugs that were clearly visible from the front door.
If they were just going in to bars to catch people not logging their wifi, it's not hard to imagine they could have some leeway to take action on other things if they found them. I suppose I'm just more willing to believe on a logical level that they were going in with some ulterior motive rather than literally just grabbing people who didn't set up a logging server in their local bar.
[ link to this | view in thread ]
Maybe...
Maybe some local Computer Tech business was looking to drum up more business by calling the police about places with only plain old home router wifi.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
From the wikipedia article:-
As evidence of not logging WiFi requires a search to gain any evidence of a crime has been committed, I would suspect that the police had evidence of some crooks using the WiFi, and got a magistrate to .authourize them to obtain the logs. No logs, and the police and magistrate are frustrated and.....
[ link to this | view in thread ]
i think the eu gdpr law would over ride local laws about data retention,
and also should bars owners not put up a sign,
your passwords and browsing data will be retained for 1 year for government inspection for security purposes.if you choose to use our wifi
the eu law on gdpr was signed and brought in to force by representives of the eu states including France .
There are many cases ongoing against facebook for not correctly following gdpr and also for sending eu user data to america where it can be acessed by the nsa .
[ link to this | view in thread ]
Re: Re: No need for understandable laws
Right. And here in the USSA cops in one city were excused for falsifying evidence in arrest procedures with the excuse of not knowing it was illegal.
While “ignorance of the law” has long been a so-called standard for the public, in recent court cases the police are excused for not knowing the law in their various shakedowns, er, asset forfeiture shenanigans.
It is a matter of enforcement of “because I say so” of the whim of the Sheriff of Nottingham du jour. The law? What law?
[ link to this | view in thread ]
Re: No need for the GDPR
I know that it wouldn't have very good optics but maybe it is time to invade France to force compliance with laws.
[ link to this | view in thread ]
If you have to Log people's Wifi use, I'd just drop WIFI support at my business, it wouldn't be worth it.
[ link to this | view in thread ]
When is a tax not a tax?
If you record this data, we will fine you.
If you do NOT record this data, we will fine you.
In other words, we are going to "fine" every business to make up for our budget shortfalls since we can't increase the taxes on the business.
[ link to this | view in thread ]
Re: Re: No need for the GDPR
All you need is an ambassador with a gun. They'll immediately raise the white flag.
[ link to this | view in thread ]
Department of Redundancies Department
I'm pretty sure the bars are buying their internet services from an ISP which is already required to collect and maintain these records. Why should businesses that aren't actually ISPs be required to ALSO keep such records?
Makes me wonder how popular VPN services are in France. Perhaps this law is an attempt overcome situations when the business itself connects to a VPN such that the ISP cannot discern the actions of the business' patrons.
[ link to this | view in thread ]
Re: Department of Redundancies Department
"I'm pretty sure the bars are buying their internet services from an ISP which is already required to collect and maintain these records. Why should businesses that aren't actually ISPs be required to ALSO keep such records? "
The ISP providing said business with internet access does not have visibility into the logs of said business as they lease out connections via their wifi.
You are talking about two separate logs.
[ link to this | view in thread ]
Re: Re: Department of Redundancies Department
"The ISP providing said business with internet access does not have visibility into the logs of said business as they lease out connections via their wifi"
No they don't, but the bar will usually obtain their network equipment from the ISP as part of their business package. They're not normally going to set the thing up themselves, they'll be paying someone else to do it, be that the ISP or another provider. If they got the ISP to set it up for them, then it's the ISP's fault if they didn't install a legally compliant setup.
[ link to this | view in thread ]
Re: Re: Re: Department of Redundancies Department
Agreed.
Heh, the cheap ass router/modem I was required to have does not have a log rotation function and needs a hard reset when the log becomes full.
[ link to this | view in thread ]
See any problems with this?>
"demand the logging of user login info and passwords,"
And who gets to decide the name and password?
Are they taking pictures of the users? Mathcing them to the accounts?
HOw many accounts can you make with New/different names and passwords?? All over France.
OR
Are you tagging each machine as it connects and reading internal data, and connecting it threw GMAIL, Hotmail, and soforth?
Horrendous idea.
That would be so Cool, and logical. But dont think they did it that way.
[ link to this | view in thread ]
Re: Maybe...
Consumer routers kinda SUCK. And cant handle more then a few connections at 1 time.
A good shop should have 10+ connection possible.
[ link to this | view in thread ]
Oh those crazy French
Punishing people for crimes against humanity!
[ link to this | view in thread ]
Re: No need for the GDPR
"The EU court has ruled (twice) that it is illegal to log everyone's internet and phone use. You have to have a warrant from a judge per case. So GDPR is irrelevant. "
Not irrelevant, perhaps. You do get multiple strikes against you.
The issue is that the old Data Retention Directive was pursued with fanatical zeal by every tinpot authoritarian in the EU - including, of course, France - to such a degree that when the EUCJ struck the data retention directive down as being in blatant violation of the EU charter a number of member states simply...abstained from abolishing it on a local level.
Meaning that in theory the bar owners have a case for getting France curbstomped by the EU but in practice that's a long hard road they might as well not bother with over a case of flexing flatfeet.
[ link to this | view in thread ]
Re: Re: No need for the GDPR
This is happening in other places already where the government refuses to comply and are getting sued. Here's one from Denmark:
https://ulovliglogning.dk/en/
[ link to this | view in thread ]