Schneier on Security
A blog covering security and security technology.
April 11, 2011
New French Law Reduces Website Security
I didn't know about this:
The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.
This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.
Police, the fraud office, customs, tax and social security bodies will all have the right of access.
The social benefits of anonymity aside, we're all more secure if these websites do not have a file of everyone's plaintext password.
EDITED TO ADD (4/12): Seems that the BBC article misstated the law. Companies have to retain information they already collect for a year after it is no longer required. So if they're not already storing plaintext passwords, they don't have to start.
Posted on April 11, 2011 at 1:20 PM
We can hope that they accept a salted-hash 'value'. And they don't get the salt value.. they really don't say plaintext, do they?
The law does not mandate that it be stored in plaintext, it only mandates that it be preserved in whatever format it had originally been preserved for a year after it's no longer required. It's not encouraging the storage of plaintext passwords, but if they do choose to do so, then they must preserve it in plaintext for an extra year.
Not being daft here but are there not obligations on retailers to retain most of that information for tax purposes anyway? Again, companies like Amazon, Paypal, etc store most of that data as a matter of course.
Non-financial services obviously have no need to retain that data but invariably do anyway, and if there is no financial transaction there is usually very little way to verify the information a user has provided is actually correct. The obligation for non-financial services to store data is a tad concerning though.
The only slightly curious item is the password.
@"The social benefits of anonymity aside, we're all more secure if these websites do not have a file of everyone's plaintext password."
Or the ability to readily decrypt a password. I know of an entity that used a weak scrambling algorithm so they could decrypt passwords. They used them as shared secrets... i.e., if someone forgot their password they would ask them for 3 of their past passwords. This was a bad policy on several accounts, and the law adds just one more reason.
"The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers."
Does the (above) French law purport to cover only French-based e-commerce sites and French customers?
Why would multinationals with servers located in the US comply with a French law that violates US privacy laws? Does the French law trump US law?
I think it would be helpful to see the text of the actual bill and the actual suit that is being filed. The BBC article is jut vague journalistic waffle and doesn't actually indicate what precisely the bill demands and what precisely is being fought. Brad -- perhaps you know more details?
"Or the ability to readily decrypt a password"
Or the ability to change a password.
The passwords do not need to be unencrypted. They can use a salt.
What the French authorities need is a way of getting access to any user's account if they ask for it -- and app owners must oblige / provide this capability.
The Internet is a series of tubes.
You need to remember that it's not obvious to non-experts (e.g. legislators) that the best practice is to never store the cleartext password, or indeed that it's even possible to verify a password as correct without comparing it to a copy of the cleartext password in your possession. The people who wrote this bill have no idea why it's even a problem.
All French companies wanting to preserve their user privacy and minimize accountability should contact moi. I will host your stuff in another country and ensure nothing will be handed over to the French government thanks to my citizenship and general opposition to privacy-defeating laws. All management and control of the site will remain in your hands. We will just do the paper work and "technically" be the hosters. The fee will be a flat rate per month.
Maybe if we get enough business, then the French will toss the law out just to get more web sites back on French soil.
@j: I remember reading one of the early papers on Unix development. The idea of encrypting the password and only storing the encrypted version was presented as something new, and logins were nothing new at that time.
I am seriously puzzled how the French government can pass a law that at first sight goes directly against the 1995 EU Data Privacy Directive and that all members have subscribed to. My best guess is that - as usual - they are as paranoid as they are clueless when it comes to data privacy and encryption.
If somehow they have managed or can manage to sneak this in as yet another DPD exception, the smart move for any company serious about the confidentiality of their user's/customer's data is to relocate servers and data centres outside of French territory. I know quite some people in Luxemburg who will be only too happy to jump on this golden opportunity.
IANAL, and certainly not a French one, nor am I to be trusted blindly as a translator from French, but I believe this is the text in question: http://www.legifrance.gouv.fr/affichTexte.do?...
As far as I can tell, things like names and phone numbers need only be stored "to the extent that [the operator] normally stores them." ("dans la mesure où les personnes les collectent habituellement").
This law has been subject to many discussions on various French mailing lists (such as FrNOG, the equivalent of NANOG). Notably, journalists doing their jobs poorly, saying wrong things about what this law says or does not say.
Anyway, yes, these days in France, the evolution of the Internet on the legal side is definitely not going down a good path. We, the French people, have not liked the way things have been going for a couple of years.
@Nick P, Dirk Praet, others:
As the article states that "more than 20 firms are involved, including eBay and Dailymotion", I would suppose that the French state intends to include online services that operate in France, even if they are hosted elsewhere.
segue: It's a very common excuse of sovereign states and local provinces/municipalities to extend their jurisdiction, creating the problem of having to be in compliance with all the regulations, or effectively the most restrictive combination of them (the union of all restrictions, or the intersection of all permissions). In the case of speech this is often said to be censoring to the "lowest common denominator". This is substantially the same argument as one presented by car companies et al. in opposing the California enhanced MPG laws.
I would think that the physical location of the servers is less relevant than the domiciling of the business entity. In this case entity isolation *may* be of value, in conjunction with delineation and/or technical separation of the separate entities.
1. Customer tries to buy premium access on French website
2. Site redirects to cart on a different domain (registered to U.S. entity)
3. "You are purchasing online content from online company USA, a Delaware corporation. The terms of your purchase will be governed by your agreement with online company USA. Includes: Worldwide access"
4. User profiles are stored at the U.S. website. SSO is used to access the French website, where the US login server passes an assertion back to the "French entity" which never sees the password traffic.
This is actually common practice within (e-)commerce with separate legal entities for Internet sales (ecom divisions) and Gift Card sales (called "giftcos") in convenient "flag states" with little or no taxes on revenue from Internet sales and gift card breakage. Intellectual property is another fun one. This is an Amazon favorite for various purposes, which is one reason you see so many different legal names being used by them: they have one for Amazon Digital Services, Amazon Web Services, Amazon Technologies (Kindle), ACI Gift Cards, Warehouse Deals Inc.
I've been having a hunt around for further information, and by far the bulk of it on the Internet in English appears to be regurgitated quotes from ASIC's ( http://www.lasic.fr/ ) Secretary General Benoit Tabaka, who is also the general counsel for one of ASIC's members and is thus very likely to be legally qualified in French law.
[For those that can read French try Googling " conserver les mots de passe" which will pull up the likes of http://m.commentcamarche.net/news/... or http://hightech.nouvelobs.com/actualites/... ]
"[Benoit Tabaka as] the head of ASIC, not only considers the decree issued in March to disregard the users’ privacy, but considers the involvement of the European Commission as imperative since ASIC members have businesses established in several European countries. Tabaka also states that it is impossible for companies to comply with the regulation as at the moment these companies do not store the passwords in full."
The decree he is referring to was published in the French Official Journal on 1 March 2011 [Decree 2011 219 of 25 February 2011] ( http://www.legifrance.gouv.fr/... ).
The decree requires 'subjects who offer access to online communications services' to retain for a year users' account passwords - as well as users' full names, addresses and telephone numbers, if known. Apparently all in a bid to promote the fight against terrorism (and not furthering the whims of French President Nicolas Sarkozy who, as many know, has a pet project about disconnecting Internet service from users without due process or evidence gathering, just the suspicion of IP holders).
What is not clear is exactly who the "subjects" are; they could conceivably be any and all of those who supply:
1. Client connectivity (ISPs, mobile phone providers, etc.)
2. Network infrastructure
3. Terminating services (such as Google, Facebook, etc.)
Nor is it clear who the data should be gathered on, that is, just French citizens and residents, or also those not within the French jurisdiction who use terminating services within a French jurisdiction, or anybody whose traffic just happens to pass through network infrastructure within a French jurisdiction, or if they take the UK position (via RIPA) of any infrastructure that connects directly or indirectly to infrastructure within a French jurisdiction...
Further, it is unclear how it will relate to requests from other equivalent European agencies via EU legislation to ease law enforcement (which has given us the already discredited "European Arrest Warrant" and pan-European enforcement of judgments in other EU nations).
Google's perspective is probably going to be best represented publicly by Peter Fleischer, who is their Global Privacy Counsel. However, his personal viewpoint can be read on his blog ( http://peterfleischer.blogspot.com/ ).
I'm trying to figure out the checksum function used in this data file I'm trying to modify. The checksum is only one word long. It's not an Xor or a mod sum, but it's not sensitive to word order, so it's obviously quite simple. When the data is a string of 0 bytes, it's 0. What else would be obvious?
If you want to take a crack at the problem (fun puzzle? Clive could probably do it in 5 minutes) I have posted the data and further info at my blog, here:
@xyz: "Does the French law trump US law?"
Werrllll... as the 'merkins often seem to think that the opposite is true it's only fair play, innit? ;-)
I've been hunting for the fear'n paranoia that followed this poorly worded BBC article for days.
Let's have a summary of the exact law.
The law is in fact the application text which spells clearly what was written in a previous, existing law from over SIX (yes, SIX) years ago. That law said that service providers had to retain some data; the offending text spells out what and how.
Regarding the silliness of the "store plaintext passwords" meme, the provision is in item 3 of article 1. The last of the item 3 states that you must retain "passwords and the means to validate them or to change them". But, the end of the article clearly states that the data must be retained if it was collected (which has a very clear meaning in data-related law: it means you asked for it, and stored it). Ture Pålsson spotted that correctly.
The whole item 3 is about retaining data after an account opened for an on-line service is closed. When you close the account, you must retain all items spelled out in item 3 & 4 for a duration of one year after the account closes.
So the whole bugaloo is that:
1) If you store the password itself, you must keep it for a year after the account closes. In plaintext if it's plaintext, reversibly encrypted if it's reversibly encrypted.
2) If you store the means to validate a password (a hash), you must keep the aforementioned hash for the year.
3) If you store a "security question" for password change, you must also keep the security question around for the year.
And that's it. No mandate to store things you didn't keep around in the first place (unlike item 1 & 2, about on-line content, which DO mandate that you MUST keep specific things in your logs).
And it's all about keeping things after you close the account. If the account is still open when the authorities ask for information, they could ask for about every piece of data in your possession, including those not mentioned in this specific law. It's just that you can't tell the authorities "oops, that account was closed yesterday, we're sorry" now. If you tell them that, you still have to provide the listed info if you collected it.
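What "the means to validate" a password looks like in practice, as an added illustration that is not code from the post or from any commenter: a salted, iterated hash record that can confirm a candidate password without the provider ever holding the cleartext, and a closed-account retention record that carries only that verification material. The record layout, the `PasswordRecord` name and the iteration count are assumptions chosen for this example.

```python
"""Password verification without a stored cleartext, and a closed-account
retention record that contains only the verification material.

Added example (not from the post or any commenter). Record layout, names
and the iteration count are assumptions made for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, asdict

# Illustrative parameters; tune the iteration count for your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
DK_LEN = 32


@dataclass(frozen=True)
class PasswordRecord:
    """Everything needed to *validate* a password and nothing that recovers it."""
    algorithm: str
    iterations: int
    salt_hex: str
    digest_hex: str


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted key derivation; the digest is what gets stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=DK_LEN)


def make_record(password: str) -> PasswordRecord:
    """Create the stored credential at registration or password change."""
    salt = secrets.token_bytes(SALT_BYTES)          # fresh per-user salt
    digest = derive(password, salt, PBKDF2_ITERATIONS)
    return PasswordRecord("pbkdf2-hmac-sha256", PBKDF2_ITERATIONS,
                          salt.hex(), digest.hex())


def verify(record: PasswordRecord, candidate: str) -> bool:
    """Check a login attempt against the record; constant-time comparison."""
    expected = bytes.fromhex(record.digest_hex)
    actual = derive(candidate, bytes.fromhex(record.salt_hex), record.iterations)
    return hmac.compare_digest(expected, actual)


def retention_record(username: str, record: PasswordRecord, closed_on: str) -> dict:
    """What a provider that stores hashes would keep after account closure:
    the same verification material it already collected, nothing more."""
    return {"username": username, "closed_on": closed_on,
            "credential": asdict(record)}


def contains_plaintext(retained: dict, password: str) -> bool:
    """Sanity check on a retained blob: True if the password appears anywhere in it."""
    return password in repr(retained)


if __name__ == "__main__":
    # Constructed sample credential for demonstration.
    rec = make_record("correct horse battery")
    print("login ok:", verify(rec, "correct horse battery"))
    print("typo rejected:", not verify(rec, "correct horse batteries"))
    kept = retention_record("alice", rec, "2011-04-11")
    print("retained blob leaks password:", contains_plaintext(kept, "correct horse battery"))
```

The retained record still verifies a candidate password (so it satisfies the "means to validate" reading of item 3) while the provider at no point holds anything that reproduces the password itself.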
@Clive Robinson: The "subjects" are spelled out in another text (whose reference escapes me; it's a commentary from the French legal review board, who did publish their full evaluation of the text). It's anyone offering the service, i.e. the ISP/mobile operators/wifi hotspot services (yes, them too - your local Starbucks should do all that) for the connection, and the end-user services.
If you're a network infrastructure operator, no one connects to you (well, your peering partners do, and those, you must log) so item 1 is irrelevant, you don't manage content (item 2 is irrelevant) and you don't have user accounts (item 3 & 4 are irrelevant).
The law doesn't state who, so all data must be retained on everyone.
While the law does add administrative overhead and implementation complexity (always bad), I believe it is possible to comply with the requirements of this law in a fashion which does not create undue risk for users. [Unless those users have the government as their adversary...]
One method would be to one-way encrypt any retained private information to a specified law enforcement public key. Essentially create a write-only vault (from the service provider's perspective) with the LI stuff.
Modulo implementation and key management flaws, this would significantly reduce the risk of sensitive information being stolen while at rest.
It almost seems like there is a gap in the market for a product here ;)
However, I do not support this law.
No problem at all.
There is no need to buy in a french web shop.
The law does not say to store the passwords in clear. It says that you should provide a password if they need one. You can just reset a users password and send it to the police if they require it. All services have that feature. Even your "security" blog!
"more than 20 firms are involved"
We must be mindful of the knock on effect.
After having spent the last 6 months working with a couple of cloud service providers I've come to the conclusion that companies with very large infrastructures do not like supporting lots of varying configurations to satisfy individual clients. 's too costly.
If it becomes required in France and not specifically forbidden elsewhere chances are they'll implement the same data retention policies in those elsewheres.
"As the article states that 'more than 20 firms are involved, including eBay and Dailymotion', I would suppose that the French state intends to include online services that operate in France, even if they are hosted elsewhere."
Even if that were the case, me thinks any company serious about the privacy of its customers could easily turn to its lawforce to find an elegant workaround. Just look at all the multinational companies in Europe that have set up all kinds of organisational and fiscal constructions under which they technically operate out of Ireland in order to benefit from a more favourable tax regime.
@Dirk Praet "operate out of Ireland in order to benefit from a more favourable tax"
And the Guinness is better there than anywhere else in the world.
To state the obvious you don't have to USE a plaintext password for your site even if you have to keep it around for legal purposes. The website itself can continue to use a salted hash. The only difference is that the 'change password' routine needs to encrypt the plaintext password and send it off to some write-only offline storage facility.
I'm not saying that the general idea isn't a bad idea - you can't reveal something you don't know. But it doesn't have to be as catastrophic as many people seem to think.
I believe the law applies only to Service Providers, not ALL sites.
(chuckles) Back in the 1990s I worked in a Pharmaceutical R&D organization that had offices in France... and we couldn't use BoKS to secure their logins, etc, since encryption wasn't allowed.
Heck, I'm not even sure if they allowed 40bit keys for HTTPS at the time.
So... When I worked for IBM in the late 1990s I heard plans to put a Universal Server Farm facility in France... and that got pushed back when it turned out that the "no encryption" rule was still in place. (I'd heard, later, that the law was changed shortly thereafter and a USF _was_ deployed in France. Until a reasonable level of encryption was allowed any kind of internet commerce really couldn't happen.)
It always comes down to "Who do you trust?" (Gawd, that sound *so* Babylon-5-ish!)
I guess the government wants to make sure they can masquerade as anyone they arrange a disappearance for. (They are unpersons but someone in the gov't picks up your twitter/facebook page whilst you are in prison somewhere.)
Hmmmm... do these remarks make it impossible for me to visit France or any French possessions?
Project Genie, which preceded and influenced Unix, stored a hash of the password, in a world-readable file. Unix added salt, and eventually the shadow password file. That may have been the result of a hack in 1969 or so where a student noticed that a professor's password was only three characters, typed with only the left hand, only on the bottom two rows. He also observed that he did not have to match the password, only the (24 bit, IIRC) hash. The rest is history... :-)
I hear, and I read, that a certain number of people, I believe primarily from the US, think in terms like "It's a French problem, concerning the French. It's not important for the rest of the world." and I beg to disagree.
The French population is about 65 million people and as such it has quite an influence in Europe. If nothing but by the numbers.
"It still doesn't matter to the rest of the world. It's still a European problem."
I still beg to disagree.
Any major and global problem will start small and local.
I think that the whole world should care about "the French problem". As the whole world should care about the British "you have to disclose your encryption key when we ask you for it and you're prohibited to let your friends know about it" laws. (As you may have guessed, IANAL.)
If we do not all start to take these kind of problems as global, but we consider them as national, then we will actually commit the same error as do the current governments and administrations in that we forget one of the biggest changes to our global society over the last decades; Internet made (wo)man act across national borders. And to even ignore the existence of some national borders. (OK. Not the Internet alone, but it has had a huge influence on our lives in this direction.)
We tend to laugh at governments, administrations and certain industries (the media industry comes to mind) for their narrow minded view of the world. Let's not commit the same error, we who puff up and think that we have understood how things work in the new global society.