12:14 PM

Tech Giants Challenge French Data Retention Law

Facebook, Google, Microsoft, Yahoo, and others are appealing a legal decree that would require companies to store and share usernames, passwords, and other personal details with authorities.

A consortium of technology companies is fighting a recent French decree requiring them to store and provide the government with the usernames, passwords, and IP addresses of anyone who creates or accesses online content.

On Feb. 25, the French government released a legal decree, updating the 2004 Legal Regime for E-Commerce Trust (LCEN), which is France's implementation of the European Union's E-Commerce Directive. One of the decree's updates is that Internet access and hosting providers -- including service providers, Web mail providers, e-commerce companies, and online music and video sites -- must now retain numerous types of data on their users and customers. That data includes financial transaction details, the duration of their Web site visits, usernames, passwords, pseudonyms, mailing addresses, phone numbers, and passwords.

The decree requires that companies share this information with government agencies, at their request, and retain the data for at least one year.

Tuesday, the French Association of Community Internet Services (ASIC), which counts eBay, Facebook, Google, Microsoft, Wikipedia, and Yahoo amongst its members, petitioned France's highest administrative court to annul the decree -- although not the LCEN. The group is challenging the cost required to store large amounts of data for a long duration, charging that the data-gathering requirements exceed what's specified in the LCEN and the EU's E-Commerce Directive, and also that France failed to consult the EU on the changes, which may be a violation of EU law.

That's because the directive specifies "that member states mustn't restrict people's rights, or change these data collection and retention obligations, and that every member state has a requirement to consult with the EU Commission," said French lawyer Stephane Lemarchand, a partner at DLA Piper in Paris, in an interview. "And apparently -- this appears to be true -- the EU Commission wasn't consulted."

Whether the decree would apply to global companies, such as Google, is unclear. Benoit Tabaka, ASIC general secretary, as well as the director of legal affairs for French e-commerce giant PriceMinister, told the French newspaper Liberation that it was unclear whether international companies would be forced to comply with the new law, should his organization's annulment attempt fail. (ASIC expects its appeal process to take up to a year.)

Tabaka also said that for security reasons, Internet companies such as Google store user passwords in encrypted format, and are loathe to transmit them in plaintext, given the security implications. Indeed, should the information get stolen or lost -- via a targeted attack or simply government carelessness -- then users of related Web sites would be at risk of having their accounts hijacked and identities stolen.

What's the rationale for the French government issuing the new decree? In fact, according to Anne-Sophie Lampe, a lawyer who specializes in Internet law and copyright for DLA Piper, when the LCEN was first released, it stated that a forthcoming decree would specify exactly what data hosting and access providers would have to store. The decree has thus been over a decade in the making.

When the LCEN was released, it was unclear what types of information needed to be collected. "The judge, in the absence of the decree, tended to consider that the IP address of the person who had posted content was sufficient," said Lampe in an interview. Successful claimants could then take the IP address and request that an Internet service provider furnish them with the IP address' owner.

The decree, however, now stipulates that much more data must be collected. "So it creates now additional discussions because the scope of the data is wider than the case law has defined," said Lemarchand.

The French government's push to have ready access to more information about Internet users parallels recent discussions in the U.S. Senate over the degree to which American's personal information should be protected -- satisfying privacy concerns -- or made available on demand to government agencies, to aid law enforcement agencies in their investigations.

Recent interpretations of the Electronic Communications Privacy Act (ECPA), passed in 1986, have tended to allow law enforcement agencies to access any Internet user data with a subpoena, as opposed to having to convince a judge to issue a warrant. As Congress debates overhauling that law, the Department of Justice has argued against restricting its access to information.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.