Wednesday, 13 April 2011

France and the Storage of Passwords (and other things)

There's an interesting new law in France that deals with data retention by ISPs and other web hosts.


Interestingly enough, it defines web host as "the natural or legal persons that provide, even gratuitously, for provision of public services to the public online communication, storage signals, writings, images, sounds or messages of any kind provided by recipients of these services." It doesn't come right out and say it, but it looks like if you allow the creation of online content, or the sharing of such content from within France, you need to keep this information.


More Information:
Application of article 6 II of the LCEN
Enforcement Decree of the LCEN on data retention by ISPs and hosters "Digital Crime


The following is the Google Translation from here.


On 1st March 2011 was published in the Official Journal Decree No. 2011-219 of 25 February 2011 on the conservation and communication of data to identify any person involved with the creation of an online content. These include specifying the measures provided for in Article 6, paragraph II, of the Law on confidence in the digital economy of June 21, 2004 (implementing itself into French law the provisions of EU Directive 2000/31/EC).

This text is divided into two main sections. The first clarifies the data to be retained by ISPs and web hosts to allow identification of individuals who contributed to the creation of content on a communication service to the public online. The second explains how to access this information within the administrative inquiries relating to the prevention of acts of terrorism. It is in this latter case an extension to this context of existing provisions for access to data held by operators of electronic communications under Section A34-1 of the Post and Electronic Communications.

These data are intended to be accessed through a requisition judicial or administrative application provided by law.

We recall that the criminal investigation, judicial requests include framed by articles 60-1 and 60-2 of the Code of Criminal Procedure.

Unlike Section A34-1 of the Post and Electronic Communications, it was not requested by the regulatory authority to specify the categories of data that must be preserved, but more precisely the data that are affected by this obligation.

Thus, we end up with a text that is both more accurate than the decree more generally operators - cf. Articles R.10 to R.10-12-22 of the Post and Electronic Communications (and therefore also for providers of Internet access), but difficult to compare. Note, however, in passing that the shelf life was uniform in both cases a year.

Examples and details that I give here only represent my personal views on this text, they could not directly engage in any jurisdiction in its interpretation. However, this information is based on my knowledge of practices, both on the side of technical service providers to the needs of investigators.

Article 1 lists the data to be retained
The terms used in the decree are deliberately generic and seek to maintain a certain technological neutrality. The goal is in all cases to help identify the person who posted a given content.
- For those providing access to the Internet:

  • The identifier of the connection (in practice an IP address);



  • The identifier assigned by such persons to the subscriber (based ISP, it will be a login name, a pseudonym chosen by the user, an ID card or a SIM phone number );



  • The identifier of the terminal used to connect where they have access (MAC address of the equipment for example);


  • The dates and time of beginning and end of the connection (this notion is superfluous for ISPs who do not manage login sessions);



  • The characteristics of the subscriber's line (if it is an ADSL connection, telephone call PSTN through a modem via a wireless access point, etc.).

Depending on the configuration, there is no permanent access sessions but possible during the subscription period, in this case the dates and times of start and end have no meaning. In contrast, an ISP may allow different connection modes for a single subscriber. And for example, a single subscriber could connect from home via ADSL (not necessarily a concept of beginning and end of session) and timely access via WiFi access points, with authentication and the beginning and end of sessions.
- For hosting and for each create operation:
Remember that the hosts are, according to the law on confidence in the digital economy, "the natural or legal persons that provide, even gratuitously, for provision of public services to the public online communication, storage signals, writings, images, sounds or messages of any kind provided by recipients of these services. "

  • The identifier of the connection to the origin of the communication (originating IP address, or any other relevant information - in a structure fully managed by a mobile operator might consider using the mobile phone number or IMSI number of its subscribers who publishes information on a site managed by the same operator);



  • The identifier assigned by the system information content, in the transaction (a reference article or comment, the URL or position in a tree of a web page, a reference to a classified ad , etc.).



  • The types of protocols used to connect to the service and to transfer content (access via the Web interface, FTP access, by sending SMS or MMS, etc.).



  • The nature of the operation (creation, modification or deletion);



  • The date and time of the transaction;



  • The identifier used by the author of the operation when it was provided (for example, if the person uses a pseudonym to connect or e-mail address, whether or simple authentication statement);


- In cases where there is a contract, or creating an account with the ISP or the host, and to the extent that these data are collected:

  • When creating the account, the identifier of this connection (for example, the IP address from which the person connects to create the account);



  • The full name or business name;



  • The mailing addresses associated;



  • The pseudonyms used;



  • The e-mail addresses or account involved;



  • Telephone numbers;



  • The password (if the system used stores the password in plain text) and the information needed to verify (hashes or other techniques to securely store a password) or to amend its latest version update;

- In cases where payment transactions are made through the service provided by the ISP or the host, and for each payment transaction:

  • The type of payment;



  • The payment reference;



  • The amount;



  • The date and time of the transaction.


Section 2 clarifies what constitutes a transaction of content creation
"The contribution to the creation of content includes transactions involving:

  • a) Initial creation of content;



  • b) Changes in content and data related to contents;



  • c) Deletion of content."

Article 3 sets the shelf life
The shelf life of such information shall be one year from each connection or contribution to content. For the record containing the personal information of account or contract, they must be kept for one year after the close of this account.
Article 4 specifies the conditions of conservation
It is recalled that their sensitivity justifies proportionate security measures in accordance with Article 34 of the Data Protection Act.
The storage conditions should also be able to respond "promptly" to requests from the judiciary.
Conclusion
In the wide majority of cases, this text does not change the existing practice by professionals or hosting platforms including based on free software. For providers of Internet access, these are exactly the same data they already hold in the context of the implementation of Article L34-1 code postal and electronic communications made differently because answering separate legislation and objectives that are not exactly the same.
For hosts, this is a welcome clarification on what might be asked, each concerned with the data it collects itself.
Thus, in complex situations where multiple players are involved in the hosting process, it is their responsibility to fix - perhaps through contracts - the responsibilities of each other and be able to tell the authorities may the request the right person. For example, a blog and his comments, even if it is the responsibility of the proprietor, may be administered on a technical platform for hosting thousands of different blogs. It is good to have the responsibility to retain data and respond to requisitions.
Where a person, firm, association rents a server and manages itself with a "great" host, he returns to configure (or have it set by a provider) to retain the right information when it will install a forum or opportunity to post comments. The "great" host mentioned here, however, has the obligation to have the details of the person to whom he rents the server, and possibly payment information.
Already, in these situations and in most cases, investigators have come very easily to identify the right person.