France re-writes the rules of data retention When Europe introduced a <http://en.wikipedia.org/wiki/Data_Retention_Directive> Data Retention Directive in 2006, it struck a very very careful political and legal balance between the interests of privacy and the interests of Law Enforcement/ Government access to data. The core distinction of the laws was to impose an obligation on service providers to retain and produce traffic data relating to communications, but to exclude contents of communications. Notwithstanding this careful balance, the Directive has always been highly controversial. There has been a long debate about whether this Directive, and the balance it struck, is Constitutional under national privacy laws, and indeed, last year its German-implementation was held un-constitutional by the <http://works.bepress.com/cgi/viewcontent.cgi?article=1052&context=serge_gut wirth> German Constitutional Court. Surprisingly, very few people have noticed what just happened in France. The law ( <http://www.legifrance.gouv.fr/affichTexte.do;jsessionid=?cidTexte=JORFTEXT0 00023646013&dateTexte=&oldAction=rechJO&categorieLien=id> decree, technically) adopted a few days ago in France up-ended the careful political/legal balance of the Directive by inserting one little word: "passwords". In other words, passwords are added to the list of "traffic data" that ISPs have to retain and produce to the French police on demand. Interestingly, the version of the law that had been circulating for discussion in France for the last two years, and which was reviewed by the French privacy authority the CNIL and by industry associations, did not contain that little word "password". The word "password" was inserted at the last minute, with no public or privacy review, as far as I can tell. Stop to reflect for just a minute. Why would police want a password and what would they do with it? Well, obviously, they would use it to look at "content" of communications. In other words, a password would grant them access to all the things that the Directive explicitly chose not to subject to Data Retention in the interests of privacy. All the years of work by privacy advocates has been chucked aside, in one little word. Well, three in French: "mot de passe". I'm sure legal challenges to this French law will not be far behind. Curiously, only a few lone voices in the <http://hightech.nouvelobs.com/actualites/20110301.OBS8924/les-hebergeurs-ob liges-de-conserver-les-mots-de-passe.html> press or advocacy community seem to have noticed all this. Dal blog di Peter Fleischer: http://peterfleischer.blogspot.com/2011/03/france-re-writes-rules-of-data.ht ml