Apr 11, 2011 03:41 GMT  ·  By

A French trade association composed of large Internet companies, including Google, Microsoft and Facebook, is challenging a new law that requires its members to store extensive data about their users, including clear-text passwords, for a year.

The draconian legislation, which far surpasses in scope the recommendations of the European Union data retention directive, was published at the beginning of March.

It forces companies to store visitors' usernames, email addresses and passwords, coupled with logs of what they did on the website.

In addition, if postal addresses and phone numbers are also available, those should be kept too, according to the new law.

All the information is to be made available upon request to police officers, fraud investigators, tax collectors, social security officials, and other law enforcement agents.

The French Association of Internet Community Services (ASIC), which represents 26 international and local companies, has lodged a complaint with the Conseil d'Etat (State Council), the French equivalent of the Supreme Court.

"Several elements are problematic. For instance, there was no consultation with the European Commission," said ASIC secretary general, Benoit Tabaka.

"Our companies are based in several European countries. Our activities target many national markets, so it is clear that we need a common approach," he added.

The requirements are a burden, both financially and from a security perspective. For one, most Internet services do not currently store passwords at all, only hashes of them.

When a user attempts to log in, the system computes a hash of the password they supply on the fly and compares it to the hash stored in the database. If the two match, the user is authenticated.

Because a secure hash function is one-way, the stored hashes cannot be reversed to recover the original passwords, which protects users if the database is stolen. The protection depends on doing it properly: each password should be hashed with its own random salt and a deliberately slow function (such as bcrypt or PBKDF2), so that an attacker holding the database cannot cheaply guess common passwords against every record at once.

Reverting to a system where passwords are stored in plain text is a big security setback and greatly increases risk, especially since users tend to reuse passwords across multiple services.
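The difference the article describes, as an added example that is not part of the original article and not code from any ASIC member: a store that keeps passwords in clear text, as the law would require, beside one that keeps only a salted PBKDF2-HMAC-SHA256 hash (the algorithm and iteration count are assumptions; the article names none). Both can verify a login, but a thief who copies the hashed table learns nothing directly and is reduced to guessing, one slow hash computation per guess and per account. The accounts and the small word list are constructed for the demonstration.

```python
"""Plaintext vs. salted-hash password storage (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os

HASH_NAME = "sha256"      # PBKDF2-HMAC-SHA256: an assumption, the article names no algorithm
ITERATIONS = 100_000      # deliberately slow: every guess costs the attacker this much work
SALT_LEN = 16


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the supplied password and compare it to the stored one."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                         # malformed record, never authenticate
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class PlaintextStore:
    """What the law described in the article would require: passwords kept as-is."""

    def __init__(self) -> None:
        self.table: dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.table[user] = password

    def login(self, user: str, password: str) -> bool:
        return self.table.get(user) == password

    def recover(self, user: str) -> str:
        return self.table[user]              # trivially available to anyone holding the database


class HashedStore:
    """Common practice: only a salted, slow hash of each password is kept."""

    def __init__(self) -> None:
        self.table: dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.table[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self.table.get(user)
        return record is not None and verify_password(password, record)


def crack(record: str, wordlist: list[str]) -> str | None:
    """Offline guessing attack on one leaked record: the attacker's only option when
    hashes are stored. Each guess costs a full PBKDF2 run, and because every record
    has its own salt, work spent on one account cannot be reused on another."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # constructed sample accounts (not real users)
    plain, hashed = PlaintextStore(), HashedStore()
    for user, pw in [("alice", "correct horse battery staple"), ("bob", "password123")]:
        plain.register(user, pw)
        hashed.register(user, pw)

    assert hashed.login("alice", "correct horse battery staple")
    assert not hashed.login("alice", "wrong")

    print("plaintext database leak reveals:", plain.table)
    print("hashed database leak reveals:", hashed.table)
    wordlist = ["123456", "password", "password123", "letmein"]   # constructed
    print("bob cracked from hash:", crack(hashed.table["bob"], wordlist))
    print("alice cracked from hash:", crack(hashed.table["alice"], wordlist))
```

Running it shows the point of the last paragraphs: the plaintext table hands both passwords to whoever copies it, while the hashed table yields only bob's weak password, and only after guessing it at full PBKDF2 cost; alice's passphrase is not in the word list and stays unknown. That is also the caveat: hashing protects exactly as much as the password is hard to guess and the hash is slow and salted.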