Protests Against French Data Storage Law Shaping Up

Bob Styran, IT audit expert
April 11, 2011

The French Association of Community Internet Services (ASIC), whose members include Google Inc., Facebook Inc., and eBay, among others, has asked the State Council to strike down the data storage decree requiring technology firms to retain personally identifiable information about their customers.

In the United States, the Electronic Communications Privacy Act of 1986 similarly allows authorities to gain access to personally identifiable data of internet users, and the Department of Justice supports removing restrictions on access to such information.

The French data storage decree, which was issued on February 25, updated the 2004 Legal Regime for E-Commerce Trust (LCEN) to make it mandatory for all service providers, Web mail providers, e-commerce companies, and online music and video sites to store the usernames, passwords, and IP addresses of their customers for at least a year.

The decree seeks to give government authorities access to such information when needed in an investigation.

Chester Wisniewski, a Senior Security Advisor at Sophos Canada, described the new legislation as having “stepped a little too far over the privacy line.”

In a blog post, Wisniewski wrote that storing passwords for a year “will make data loss events even more tragic.”

He argued that passwords would have to be stored either in plain text or in some reversible (decryptable) form, rather than as a one-way hash, for them to be handed over to police authorities on request.

Moreover, Wisniewski warned that the decree may lead to more compromises, because internet users tend not to create a unique password for each service, so a “single small internet services firm could reveal all the information necessary to compromise” their other accounts.
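Wisniewski's point can be shown in code. The following is an added example, not code from the article or from Sophos: a hypothetical credential store in which one account is kept as a salted one-way scrypt digest and another as the retained plaintext that a "store the password" mandate effectively requires. The one-way record can verify a login but cannot produce the password on request, and a leaked copy of it reveals nothing usable, while the retained record is exposed outright. The account names, sample passwords and scrypt parameters are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for scrypt (memory-hard, one-way). Constructed for this example.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """One-way, salted storage: enough to verify a login, never enough to hand the password over."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt, "digest": digest}


def verify_password(record: Dict[str, object], attempt: str) -> bool:
    """Re-derive the digest from the login attempt and compare it in constant time."""
    candidate = hashlib.scrypt(attempt.encode("utf-8"), salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, record["digest"])


def retrievable_password(record: Dict[str, object]) -> Optional[str]:
    """What the service could actually produce if asked for the password itself.

    Only a record that kept the password in a recoverable form can answer;
    a scrypt digest has no decrypt path, so the honest answer is None.
    """
    plaintext = record.get("plaintext")
    return str(plaintext) if plaintext is not None else None


def exposed_on_breach(store: Dict[str, Dict[str, object]]) -> List[str]:
    """Users whose real password a leaked copy of the store would reveal outright."""
    return sorted(user for user, rec in store.items() if retrievable_password(rec) is not None)


# Constructed sample store for a hypothetical small service: one account kept
# the way a security-conscious site stores credentials, one kept the way a
# retain-the-password mandate pushes a site toward.
SAMPLE_STORE: Dict[str, Dict[str, object]] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": {"plaintext": "tr0ub4dor&3"},
}

if __name__ == "__main__":
    assert verify_password(SAMPLE_STORE["alice"], "correct horse battery staple")
    print("retrievable for alice:", retrievable_password(SAMPLE_STORE["alice"]))  # None
    print("exposed if the database leaks:", exposed_on_breach(SAMPLE_STORE))  # ['bob']
```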

The new data storage decree is the implementation of the European Union’s E-Commerce Directive. Other than passwords and usernames, the decree also requires retention of the customers’ financial transaction data, duration of their visits, pseudonyms, mailing addresses, and phone numbers.

Beyond the security issues, the members of ASIC raised concerns over the cost of storing large volumes of data for at least one year and argued that the data storage requirements went beyond the mandate of LCEN.

Nonetheless, according to Wisniewski, the move will help protect customers’ data from unwanted exposure to third parties.

However, ASIC general secretary Benoit Tabaka said in an interview with a French paper that the decree’s coverage remains vague when it comes to global firms like Google Inc. When the data storage law was first released, even the types of information to be collected and retained were unclear.

But when updates to the decree added other categories of personally identifiable information, debate over whether the data storage regulations should be implemented broke out.
