Friday, March 11, 2011

France re-writes the rules of data retention

When Europe introduced a Data Retention Directive in 2006, it struck a very very careful political and legal balance between the interests of privacy and the interests of Law Enforcement/ Government access to data. The core distinction of the laws was to impose an obligation on service providers to retain and produce traffic data relating to communications, but to exclude contents of communications. Notwithstanding this careful balance, the Directive has always been highly controversial. There has been a long debate about whether this Directive, and the balance it struck, is Constitutional under national privacy laws, and indeed, last year its German-implementation was held un-constitutional by the German Constitutional Court.

Surprisingly, very few people have noticed what just happened in France. The law (decree, technically) adopted a few days ago in France up-ended the careful political/legal balance of the Directive by inserting one little word: "passwords". In other words, passwords are added to the list of "traffic data" that ISPs have to retain and produce to the French police on demand. Interestingly, the version of the law that had been circulating for discussion in France for the last two years, and which was reviewed by the French privacy authority the CNIL and by industry associations, did not contain that little word "password". The word "password" was inserted at the last minute, with no public or privacy review, as far as I can tell.

Stop to reflect for just a minute. Why would police want a password and what would they do with it? Well, obviously, they would use it to look at "content" of communications. In other words, a password would grant them access to all the things that the Directive explicitly chose not to subject to Data Retention in the interests of privacy.

All the years of work by privacy advocates has been chucked aside, in one little word. Well, three in French: "mot de passe".

I'm sure legal challenges to this French law will not be far behind. Curiously, only a few lone voices in the press or advocacy community seem to have noticed all this.


Anonymous said...

This law has passwords grouped with other identifying data. However, those who drafted the Directive surely intended identifying data to mean data that are useful to an external entity. A password is only identifying within the service provided, and then only in conjunction with a user ID.

Passwords don’t belong in a transposition of the Directive into national law, but not because of any blurring of traffic and content data. The Directive is about the past, retaining data speculatively that might not otherwise be retained. A password is about the present and the future. What does a password get you? Access to the account. If the police want to see the current contents of an account or know about future messages, they can go to the service provider and request that data. They might need court approval, they might not. And, if they don’t think a court would approve, going ahead and using the password to gain access probably isn’t a good idea.

It’s highly unlikely that the absence of passwords would stop an investigation. Assume a communications system that includes long-term storage, where those running it could not be compelled to assist. Assume the communications can’t be intercepted. Assume neither device at the ends of the communications can be compromised, either through physical access or remote hacking. Then, assuming the suspect had reused a password and the system uses no other authentication factor, it would allow law enforcement or security services to gain access.

Another example where law enforcement or security services might consider password reuse is in breaking encryption used on stored data. If a password hasn’t been reused directly, they might still look at other known passwords a suspect has used in the hope of turning a hopeless brute-force attack into a successful, limited search. They want passwords because they’re like content data, giving an insight into someone’s mind. Does the French Constitution provide a right to silence or protection from self-incrimination? The UK doesn’t have these absolute principles and has made failure to disclose encryption keys a criminal offence punishable with up to five years in prison, although that’s an equally shocking piece of legislation.

Leaving aside the legality, it’s crazy from a technical point of view. Service providers shouldn’t retain passwords, because it’s really bad security practice. Good practice is storing salted hashes of the passwords. You know a correct password when you see one, but if someone walks off with your user database, the loss of passwords would be limited to those that are very short or common. The computational effort required might protect the weak passwords too.

It’s now not possible to run an email service like Hushmail or Lavabit in France. Messages are encrypted when stored on a server, and only the user retains the password to decrypt them. This is a a way to improve the security of any cloud service; any unencrypted data, encryption keys and passwords are limited to volatile memory and wiped as soon as they’re not needed. This doesn’t stop a service provider from being legally compelled to retain the password of a specific user when that user next logs in.

It looks like some flic or spook bent the ear of a politician and said that having passwords would be useful, and the politician dutifully slipped it in with no understanding of whether it is necessary or if there’d be any downside.

Anonymous said...

The decree has nothing to do with data retention legislation, it is a secondary legislation for the French E-commerce directive implementation (LCEN) and it imposes obligations only for hosting providers, not ISPs. The draft was actually made in 2007, when CNIL was asked to comment on it...

The problem with the password remains.. but this is NOT data retention.

See more info at:
Or in French

Monica Schaffhauser said...

Dear Peter

Sorry, this might be a bit off-topic, but I had to contact you with an idea.

I live in Zurich, Switzerland and I am really sorry about the Swiss court's decision that Google Streetview has to manually anonymize photos now to achieve 100% anonymization.

I really love Google Streetview and it is a tool greatly appreciated by the vast majority of Swiss internet users; especially small business owners.

I am very sure that Swiss internet users would love to help Google to achieve the 100% anonymization. I therefore suggest a wiki-approach to the problem: Interested volunteers could register online to help Google review streetview pictures and blur remaining faces / number plates online. A second or third volunteer could then sign-off their work and clear the picture for publishing.

This way, with thousands of volunteers, effort would be limited for Google (apart from providing the wiki blurring software) and this approach (wiki software) could be used around the globe where needed.

Best Regards

Monica Schaffhauser