France and the Storage of Passwords (and other things)
There's an interesting new law in France that deals with data retention by ISPs and other web hosts.
Interestingly enough, it defines web host as "the natural or legal persons that provide, even gratuitously, for provision of public services to the public online communication, storage signals, writings, images, sounds or messages of any kind provided by recipients of these services." It doesn't come right out and say it, but it looks like if you allow the creation of online content, or the sharing of such content from within France, you need to keep this information.
Application of article 6 II of the LCEN
Enforcement Decree of the LCEN on data retention by ISPs and hosters "Digital Crime"
The following is the Google Translation from here.
On 1st March 2011, Decree No. 2011-219 of 25 February 2011 on the conservation and communication of data to identify any person involved with the creation of online content was published in the Official Journal. This includes specifying the measures provided for in Article 6, paragraph II, of the Law on confidence in the digital economy of June 21, 2004 (itself implementing into French law the provisions of EU Directive 2000/31/EC).
This text is divided into two main sections. The first clarifies the data to be retained by ISPs and web hosts to allow identification of individuals who contributed to the creation of content on a communication service to the public online. The second explains how to access this information within the administrative inquiries relating to the prevention of acts of terrorism. It is in this latter case an extension to this context of existing provisions for access to data held by operators of electronic communications under Section A34-1 of the Post and Electronic Communications.
These data are intended to be accessed through a judicial requisition or an administrative request provided for by law. We recall that, in criminal investigations, judicial requests are framed in particular by articles 60-1 and 60-2 of the Code of Criminal Procedure.
Unlike Section A34-1 of the Post and Electronic Communications, it was not requested by the regulatory authority to specify the categories of data that must be preserved, but more precisely the data that are affected by this obligation. Thus, we end up with a text that is both more accurate than the decree more generally operators - cf. Articles R.10 to R.10-12-22 of the Post and Electronic Communications (and therefore also for providers of Internet access), but difficult to compare.
Note, however, in passing that the shelf life was uniform in both cases: a year.
Examples and details that I give here only represent my personal views on this text; they could not directly engage in any jurisdiction in its interpretation. However, this information is based on my knowledge of practices, both on the side of technical service providers to the needs of investigators.
Article 1 lists the data to be retained
The terms used in the decree are deliberately generic and seek to maintain a certain technological neutrality. The goal is in all cases to help identify the person who posted a given content.
- For those providing access to the Internet:
- The identifier of the connection (in practice an IP address);
- The identifier assigned by such persons to the subscriber (depending on the ISP, it will be a login name, a pseudonym chosen by the user, an ID card or a SIM phone number);
- The identifier of the terminal used to connect where they have access (MAC address of the equipment for example);
- The dates and time of beginning and end of the connection (this notion is superfluous for ISPs who do not manage login sessions);
Depending on the configuration, there is no permanent access sessions but possible during the subscription period, in this case the dates and times of start and end have no meaning. In contrast, an ISP may allow different connection modes for a single subscriber. For example, a single subscriber could connect from home via ADSL (not necessarily a concept of beginning and end of session) and timely access via WiFi access points, with authentication and the beginning and end of sessions.
- The characteristics of the subscriber's line (if it is an ADSL connection, a PSTN telephone call through a modem, via a wireless access point, etc.).
- For hosting and for each create operation:
Remember that the hosts are, according to the law on confidence in the digital economy, "the natural or legal persons that provide, even gratuitously, for provision of public services to the public online communication, storage signals, writings, images, sounds or messages of any kind provided by recipients of these services."