Rick's b.log - 2011/04/15
It is the 7th of May 2024 You are 18.216.230.107, pleased to meet you!

But first a word from our sponsors...

...

No idea who the hell Bieber is, I've seen the name crop up a few times. Looks like some tweeny trying too hard to be an imitation rapper. Whatever.

Failing that, click here for loveliness!

Still here? Okay, let's get on with the show!

France does it again

Anyway, the 1st of March saw the introduction of (ready?) "Décret n° 2011-219 du 25 février 2011 relatif à la conservation et à la communication des données permettant d'identifier toute personne ayant contribué à la création d'un contenu mis en ligne" (phew!).

Translation: Decree 2011-219 (of 25th Feb) relating to the preservation and communication of identifying information for everybody who puts content on-line.

Scary? Not really. For the most part this is just codifying in law that which has been kicking around for ages. Like if you're a big torrent seeder and you upload dozens of bluray rips, somebody is going to come looking for who you are based on a time and an IP address.
What we are effectively looking at is some legislation to put into place a measure of how to identify who posted specific content on-line.

Here are the requirements (from article 1):

• L'identifiant de la connexion
  The IP address of the current connection.
   
  
• L'identifiant attribué par ces personnes à l'abonné
  This means the fti/blahblah stuff you log in with, or your SIM number, etc.
   
  
• L'identifiant du terminal utilisé pour la connexion lorsqu'elles y ont accès
  The identifier or the terminal used. Probably harder to obtain, if it goes via a router or somesuch. MAC address? Only with firmware mods to routers which could expose a data leak risk to the outside world. For a smartphone, probably the IMEI (tap *#06# on any mobile to view the IMEI).
   
  
• Les dates et heure de début et de fin de la connexion
  Date and time. Really, not a surprise.
   
  
• Les caractéristiques de la ligne de l'abonné This means how you accessed the Internet - ADSL, dial-up (!), WiFi hotspot access, 3G, etc.
   
  
• Les types de protocoles utilisés pour la connexion au service et pour le transfert des contenus
  The protocol used: HTTP, FTP, SMS, etc.
   
  
• La nature de l'opération
  Did you... Create, modify, or delete.
   
  
• L'identifiant utilisé par l'auteur de l'opération lorsque celui-ci l'a fourni
  Does this mean your login credentials to another site? Now we're getting a bit Orwellian.

For subscribers they also want access to:

• Les nom et prénom ou la raison sociale
  Les adresses postales associées
  Les pseudonymes utilisés
  Les adresses de courrier électronique ou de compte associées
  Les numéros de téléphone
  Again, this is not unusual. Name, address, system pseudo, email, phone number... Any court order to a half-decent ISP would probably be able to obtain this from an IP address and a date/time.
   
  
• Le mot de passe ainsi que les données permettant de le vérifier ou de le modifier, dans leur dernière version mise à jour
  F*** me!? Say what?
  No.

There isn't enough WTF in my head to wrap around that one.

No way in hell this should have passed into legislation. Given the government and the legal process is giving themselves the ability to walk in and snarf all your information, there is absolutely nothing you can say or truths you can spin that will justify the transmission of passwords (if in cleartext) or hashes (if not). It is like your bank asking you for your PIN, or your sysadmin asking you for your login password. You bank already has access to your account, PIN not required. Your sysadmin can manage your user account, login password not required. And likewise, under the provisions of this law, officials can access your ISP's account information, password not required.
This might have been a vote-in by technically illiterate people who were given a good sob story, it might have been a data grab that didn't get noticed. But in any case it is overstepping the mark to ask for passwords. This isn't the same as a police official demanding you provide encryption passwords for files on your computer, this might not even involve you. Which means if you are "suspected" of something, sufficient information can be released to stand a reasonable chance of impersonating your identity elsewhere. Do I trust the police and the government? Tell me why I should trust a government that voted this in in the first place?

It is, however, fundamentally flawed. For only very lame sites store passwords in the clear. These are the ones that helpfully email you a non-encrypted confirmation message which... includes your password.
Better sites perform a "hash". A (usually) one-way algorithm which converts your password into a unique identification code. A dead-simple idea could be a five-digit code like "8E4F1" which is comprised of the length of the password (the '8') followed by the 16 bit CRC of the password (0xE4F1). When you enter the password in the future, the same calculation is performed and if the result value matches you are granted access. Real-world systems are better, but you get the idea.
However... Hashes are weak in that when the hash code is known, it is wide open. To give an example, I have (somewhere, it is from fifteen years ago) a big text file which provides suitable passwords for every possible hash value of the ArcBBS login system. I don't actually need this, as being the SysOp I had access to the management tools, however if my login hash was 49A1, I could just look it up in the list and find a working alternative password. How was this possible? Simple - with the hash algorithm known, somebody just threw a few spellcheck dictionaries at it, and whenever a hash result was encountered that was not already known, that result was remembered. It took time, and a fair bit of processing. But the end result was a file that provided a working word to use for any hash value.
The way around this, in addition to tweaking the hash algorithm, is to use a salt value that is specific to that particular service. For example, in our CRC routine, we could fudge in starting from the value 0xDEAD instead of from zero. So identical logins (only with different salting) would give entirely different CRC values.
Which means, in essence, that there isn't a lot of point in trying to ask for hashed passwords unless you plan to legislate that service providers are obliged to release all of the details of their security management. And if that is considered, the Sarko government might find The Big Boys pack up shop and leave France. Security and encryption are worthless if you blab (or are forced to blab) to whoever (who probably does not have a rock-solid process to ensure this data is treated with the respect it requires).

It then carries on to include for subscription payments, the type of payment (direct debit? plastic? chocolate chip cookies?), the payment reference, the amount, and the time of the transaction.

This all should be preserved for one year (and in the case of contracts, for one year following the termination of the contract).

There is little I need to say in addition to this. In fact, there is little that can be said without having to pick my jaw up off the floor.

But remember - France is the country where the idea of three strikes is, supposedly, active. Where the process is weighted strongly in favour of the content owner (to the degree of sidestepping most of the tenets of "innocent until proven guilty"), and where it was not deemed necessary to inform you of what the supposed infringement was, and who is complaining. While, I should point out, the original levy on blank media continues.
I would hope that the next government (which is unlikely to be Sarko's rowdy mob) would look to sorting out some of the dodgy legislation, but I doubt it. Only if it becomes a big election point (like UK's Con-Dem and the widely detested ID cards) will anybody bother to do anything...

Read the full text of this legislation (in French... duh! ☺)

It is a difficult call. There is unlawful activity taking place on-line. I myself have been a party to it, every time I listen to a song on YouTube that I cannot easily obtain elsewhere. Technically it is unlawful. In reality it is a missed sales opportunity, but the content providers wouldn't see it that way.

In any case, it looks as if the mood of The Powers That Be has swung from targetting known suspects to just simply suspecting and monitoring everybody.
Hello France, 2011. Just like the Soviet Bloc, 1970. Perhaps it is time to learn how to spell (and say?) "Komitet gosudarstvennoy bezopasnosti"...

Your comments:

oje, 17th April 2011, 17:03

Very scary, what's next the mind control?  It look looks like Orwel was right about our future.

Steve, 24th May 2011, 23:53

Yeah, it sucks. But it's been the same in the UK for ages, I think - RIP Act, c 2005? (We do lead the world in oppressive social monitoring.) Any idea which countries *don't* suck? I guess I need to know which language I should start learning ready to emigrate...