The French government has recently published a law, and some details of the application decree have led to strong reactions from the industry, including a suit by the French association of social online services. The suit is about a recent law that forces sites to retain a lot of information about their users, and to give it to law enforcement on request, in some cases without any involvement from a judge.
The best part is about the data you provide when subscribing (you can find a copy of the original decree in this article). Here is a rough translation of this part of the text:
3° For persons abovementioned in 1 and 2 of I in the same article, information provided by a user when subscribing to a contract or creating an account:
a) The identifier of the connection, at the moment of the account creation;
b) The first name and last name or the business name;
c) The associated postal addresses;
d) The pseudonyms used;
e) The associated electronic mail addresses or account identifiers;
f) The phone numbers;
g) The password as well as the data allowing to verify and modify it, in their latest up-to-date version;
All of this is pretty scary, but the last one is the scariest: the government wants my password! This is going to simplify the gathering of evidence for anti-terrorist teams (they are the ones who don’t require a warrant or any judge's order to get the information): they can just log in as you and send the incriminating e-mail. This part of the story has been widely discussed in the French media, with wide-ranging opposition to the measure, so it is not very interesting.
I would like, however, to point to a sentence that we can find at the very bottom of the decree:
Data mentioned in 3° and 4° only need to be kept if the persons [sites] usually keep them.
OK. So, they will get any information that I give to Internet sites. However, it should be more difficult for the government to get access to our passwords, for at least two possible reasons:
- Good service providers hash/encrypt passwords. This means that the government will get data that allows them to perform dictionary attacks, but not the passwords directly, because the service providers simply don’t keep that data as such.
- Federated identity doesn’t use passwords. Nothing in the list mentions authentication tokens or things like that, so this is a good way not to disclose your passwords.
This last sentence can therefore be considered as a reminder to be very careful about our authentication methods on the Internet. Even if this decree eventually gets repealed and/or modified, you can never be sure that your next government is not going to do something similar. So, here are some reminders:
- Use good passwords. It is the only way to protect yourself from dictionary attacks.
- Use different passwords. Do not use the same passwords on all sites. This is another layer of protection against dictionary attacks, but also an obvious protection once one of your passwords is disclosed and/or compromised.
- Use a federated identity provider, like an OpenID service. If possible, use one that is not represented in your country, in order to make sure that your passwords are out of reach of your government.
- Use alternative authentication methods. Choices are difficult, but there are programs that will generate random passwords, manage them for you in a secure manner (that’s the tough part), and have you authenticate in original ways (n-factor, biometry, etc).
All of this is sound advice, and it will also contribute to protecting you against other bad guys.
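To make the points about hashed passwords and good passwords concrete, here is an added example (not from the original post or the decree) of what a service that hashes passwords actually retains, and why a record built from a common password is still exposed to a dictionary check. The function names, the PBKDF2 parameters and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch; tune to your hardware


def make_record(password: str) -> dict:
    """Build what the service keeps at sign-up: salt, parameters, derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against the record; no password is stored anywhere."""
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                             bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def exposed_by_wordlist(record: dict, wordlist: list[str]) -> bool:
    """Audit check: True if the record matches a password from a known list."""
    return any(verify(record, candidate) for candidate in wordlist)


# Constructed sample data, not real accounts or a real wordlist.
COMMON = ["123456", "password", "azerty", "soleil"]
weak = make_record("soleil")
strong = make_record("v7#Lq9!tRz2@pWx4mK")

if __name__ == "__main__":
    # This dictionary is all the provider could hand over: no plaintext in it.
    print("retained record:", weak)
    print("weak password found by wordlist:  ", exposed_by_wordlist(weak, COMMON))
    print("strong password found by wordlist:", exposed_by_wordlist(strong, COMMON))
```

The per-user salt means two accounts with the same password produce different records, so each record has to be checked separately, at the full iteration cost.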
To conclude, I will make a political comment, which is unusual here: I hate the sentence just above, and I hate to consider my government as one of the “bad guys”. I am French, European, and I believe that government should be on our side. However, having a government that promotes the use of Internet for “freedom fighters” in oppressed countries and collects passwords from “terrorists” at home is a bit scary, as we all know that someone’s terrorists often are someone else’s freedom fighters. And, as mentioned by Simon Phipps, the U.S. is not doing any better by developing an Internet panic button for democracy activists that is probably illegal in the U.S.