OVH Community, your new community space.

File Encryption Legitimacy


BigMAC
04-10-2010, 19:33
Quote Originally Posted by DigitalDaz
"Demo User" and "WHMCS Admin" are not personal details and there may well be something in the small print regarding usernames and their viewing by others.
What has username's got to do with recording clients IP addresses along with times, Have you actually used WHMCS?

I assume your talking about the screenshot, Am talking about people saying your not awolled to record such data yet WHMCS has this readly available and does it automaticly for you.

So anyone using WHMCS in the uk is breaking the law, For recording such data of a client?

Thelen
04-10-2010, 18:17
Quote Originally Posted by BigMAC
Half of this stuff is fluff to be honest.

Since theirs no govering body for hosting how or when do they police such things?

When i block someone from the UK from my US server's using the firewall, It stores that IP in the firewall, So am breaking the law?

My WHMCS log's the IP addresses of who signs into their client area (Good for noticing is someone else is using their client area)

So WHMCS is breaking the law?

Get Real!
Well j-walking is against the law, yet never prosecuted, while downloading movies is prosecuted (or at least attempted) while it isn't again the law. it is just about money, and when enough is at stake.

DigitalDaz
04-10-2010, 09:29
"Demo User" and "WHMCS Admin" are not personal details and there may well be something in the small print regarding usernames and their viewing by others.

We choose our own usernames for example, I'm sure you real name is not BigMac, we use these names knowing they are publicly viewable.

BigMAC
04-10-2010, 08:43
Quote Originally Posted by Myatu
But if you were to store data like "John Doe logged in using IP 1.2.3.4 at 1:02 am today", then it would also become personal data.
WHMCS does just exactly that under "Recent Client Activity" and "Recent Admin Activity"

I shall be intouch with Matt from WHMCS later today and see where this stands, As WHMCS is UK based...

http://www.whmcs.com/screenshots.php

Click the "Admin Overview" image.

raidensnake
04-10-2010, 01:10
ok. the IP's that are logged are usually just the IP, the port, and the time and date it was accessed.

Myatu
03-10-2010, 23:31
Quote Originally Posted by BigMAC
Since theirs no govering body for hosting how or when do they police such things?
...
Compliance with the Act is regulated and enforced by an independent authority, the Information Commissioner's Office, which maintains guidance relating to the Act.

...
The Data Protection Act 1998 requires every data controller who is processing personal information in an automated form to notify, unless they are exempt. Failure to notify is a criminal offence. Register entries have to be renewed annually. If you are required to notify but don’t renew your registration, you are committing a criminal offence.

...
Data controllers who are exempt from notification must still comply with the rest of the Act. Data controllers who are exempt from notification may choose to notify voluntarily.

...
The Act applies to a particular activity – processing personal data – rather than to particular people or organisations. So, if you process personal data, then you must comply with the Act and, in particular, you must handle the personal data in accordance with the data protection principles.

...
The Data Protection Act does not require you to encrypt personal data. However, it does require you to have appropriate security measures in place to guard against unauthorised use or disclosure of the personal data you hold, or its accidental loss or destruction. Encryption might be a part of your information security arrangements.
Most business are exempt to notify (because they simply deal normal business activities such as accounts and records, like who ordered what, how much it costs and monthly billing), but their DPA compliance is still required. You can find out for yourself if and how you need to notify: http://www.ico.gov.uk

I figured you'd liked that last bit about encryption

Thinking about the enforecement... I used the ICO last year to notify them of some persistent UCE - a company was sending it via the USA, claiming it was doing so in accordance with the US "CAN-SPAM Act". But given their UK presence (London office) and use of EU personal data, they were still responsible for ensuring they had to stop the UCE. It's a tedious process though; takes forever to get a response! But that's the British gov't at work...

Anyone doing anything dodgy towards servers or computers would be in breach of: http://www.legislation.gov.uk/ukpga/1990/18/contents
True. But your server's are in the US

When i block someone from the UK from my US server's using the firewall, It stores that IP in the firewall, So am breaking the law?
Here's a good guide on what exactly is considered "personal data" in the UK (and the EU): http://www.ico.gov.uk/upload/documen...ence_guide.pdf

Based on that, I deduce that an IP address is not personal data if that's all the information you keep (so blocking a EU IP on a US firewall isn't a problem). It does become a personal data if you store the IP address along with other information - ie., the person's name. Usually this is just the ISP that would know this though (so they would need to have something in place to protect that within the EU). But if you were to store data like "John Doe logged in using IP 1.2.3.4 at 1:02 am today", then it would also become personal data.

Whew... This is getting deep!

zydron
03-10-2010, 20:40
its not my invention, but true!

European data isn't allowed to be stored outside european union!

BigMAC
03-10-2010, 18:53
Quote Originally Posted by Thelen
Good question
Half of this stuff is fluff to be honest.

Since theirs no govering body for hosting how or when do they police such things?

These are the 2 principles:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

"Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data."

Anyone doing anything dodgy towards servers or computers would be in breach of: http://www.legislation.gov.uk/ukpga/1990/18/contents

Quote Originally Posted by zydron
(which means as example: american servers aren't allowed to log our ips)
or the company needs to be Safe Harbor Certified, such as Google and Microsoft
When i block someone from the UK from my US server's using the firewall, It stores that IP in the firewall, So am breaking the law?

My WHMCS log's the IP addresses of who signs into their client area (Good for noticing is someone else is using their client area)

So WHMCS is breaking the law?

Get Real!

Thelen
03-10-2010, 14:58
Quote Originally Posted by BigMAC
How does that stand to regards of using firewalls?
Good question, however the law is written such that the IP is logged with some other metadata (ie, what webpage they visited), rather than a firewall log which would only contain packet header details.

BigMAC
03-10-2010, 01:09
Quote Originally Posted by zydron
(which means as example: american servers aren't allowed to log our ips)
How does that stand to regards of using firewalls?

zydron
03-10-2010, 00:23
Check the first post, it isn't posted by bigMAC.

But still, we have here rules on how we need to protect customers data.
This is a european forum about european laws (french, british or dutch it doesn't matter).

European data isn't allowed to leave the european union if not stated different.
(which means as example: american servers aren't allowed to log our ips)
or the company needs to be Safe Harbor Certified, such as Google and Microsoft

Myatu
03-10-2010, 00:22
Quote Originally Posted by BigMAC
I think you was some what making assumption's, Remember what you said about assumption's
Touché, though my point stands (as we've just witnessed what assumptions beget )

BigMAC
02-10-2010, 23:59
Quote Originally Posted by Myatu
Right-o! As far as I know, the UK and France are still within Europe. So why bring up something that doesn't even apply to the question then (encryption and possible implications with UK/French law)?
I think you was some what making assumption's, Remember what you said about assumption's

Myatu
02-10-2010, 23:45
Quote Originally Posted by BigMAC
Because my servers are US based, So i use US based backup service's...
Right-o! As far as I know, the UK and France are still within Europe. So why bring up something that doesn't even apply to the question then (encryption and possible implications with UK/French law)?

BigMAC
02-10-2010, 23:34
Quote Originally Posted by Myatu
If OVH were to backup my server's data without encryption or without telling me it's stored outside of the EU, it would be in serious trouble. So why make an exception?
Because my servers are US based, So i use US based backup service's...

Myatu
02-10-2010, 23:15
Quote Originally Posted by BigMAC
I dont base nothing on assumption's, However nothing is encryted server side ie hosting side, So why should i backup with encryption!
Your server: full control. Third-party backup server(s): no full control.

Own house: leave your bank statements on your kitchen table. Neighbour's house: Don't leave your bank statements on neighbour's kitchen table.

Simples.

Also being that theirs no guidelines for hosting companys to follow, Hence theirs a large number of fly by night hosts who actually dont make remote backup's.
There are guidelines, plenty of them. Most people refer to them as "laws" though.

Whiles your bashing about addresses and postcodes, All is available via domain's on domain tool's which is on show for everyone. (unless your non trading and you choose to opt out like yourself)
About that "unless" part: Exactly! You need consent to give personally identifiable data to any third party - that's why a private person can opt out to giving this consent within the EU/UK (a company is not a private entity, but a public one - so it has no such option).

So if you were to ask for someone's name and address on a website, but don't put in any effort to make sure it's difficult - and hopefully impossible - for this data end up in third parties' hands, then you're legally liable under the Data Protection Act. That's unless the person gave consent to have his/her data provided to the third party, of course.

Encryption offers no bullet proof protection!
It's your duty under the DPA to use "due diligence" in protecting personally identifiable data of EU citizens. Even if it's not bullet proof (nothing truly is), "due diligence" implies every possible measure within your capabilities.

Now, if you don't store any personal data, then fine, take that risk. But if you do store such data, then you're legally obliged.

However the storage of medical files has strict guidelines, We do not host any medical records.
Any information that can directly be traced to an individual is required to be protected under EU and UK laws. A house number + postcode can lead directly to the front door of an individual, and thus needs to be protected unless this person gave consent to make it public or otherwise be revealed to someone.

Either if people choose to hack our WHMCS which has all the data within, Or hack our backup's they will get the same information regardless.
Again, you're in full control over your own server. So if you have taken all possible measures to safeguard the server and the stored data, fine. If you store backup data on a third-party's server, like cPremote / Sysvm's backup servers in the USA (that are not Safe Harbor certified), you really need to reconsider as you're not in full control over them (so you can't guarantee to yourself that its as secure as possible, other than taking their word for it).

This is especially the case since you're backing up data of customers (so you don't know whether or not they have personally identifiable data stored unless you check each of your customer's file beforehand, like doing their web development for instance and thus knowing what goes where).

If OVH were to backup my server's data without encryption or without telling me it's stored outside of the EU, it would be in serious trouble. So why make an exception?

Now, if you still want to do without encryption, alright. But you shouldn't advocate to others that "using encryption on backups is pointless" as you can't assume whatever they store in the backup is safe to keep unencrypted - regardless of how easy it is to decrypt it by brute force or other methods. Hence I'm a bit "bashing" about this... Better safe than sorry.

Thelen
02-10-2010, 22:34
Quote Originally Posted by BigMAC
Same go's for any type of encryption.

So i dont really see what your trying to bash me for!
Erm, no it doesn't. You are pointing at poorly implemented encryption schemes and saying the scheme itself sucks, rather than the implementation.

Same with SSL certs, yes they have been 'hacked' by people using a bunch of PS3s linked together, but it is the implementation that is at fault not the algorithms themselves.

Perhaps what you mean to say is "a techno-dweeb improperly using encryption will leave his data open to being hacked into". In aforementioned case, make a backup of a server via tar or some such method, and then encrypting with GPG or the like, as long as the system isn't breached it will be 100% secure.. even if you put it in public_html and chmod +777 a wordpress install.

BigMAC
02-10-2010, 21:02
Quote Originally Posted by Myatu
That's just about the biggest mistake you can make in securing a system: assumptions. That's what the architects of the HMS Titanic did too: "This ship is unsinkable. Why do we need to waste space on life boats?" We all know how that turned out.

For one, you're assuming that the storage server is secure. There's no guarantee in that. Then you're assuming that anything above the public_html directory doesn't need to be encrypted - except during transmission.

So, a hacker with enough know-how and computing power to decrypt a 256-bit+ encryption algorithm within his/her lifetime isn't able to eavesdrop the SSH connection?

The fact that some movie encryption standards have failed, is that they were either very weak, or because the key to decrypt the movie had to be known to the movie-players (how else could it decrypt the movie?) and these keys have been obtained one way or another (including factory leaks).

Should any of that data you backup using your current method contain sensitive personal data (which may be as simple as a postcode and house number), and it be obtained from the so-called secure backup storage, then the court will definitely not consider "using encryption on backups is pointless" as due diligence in protecting that data (a company in France was fined €300,000 for that not so long ago). You shouldn't even be putting any such data on non-EU servers, unless they're part of/certified by a EU-approved program like the USA's Safe Harbor.
I dont base nothing on assumption's, However nothing is encryted server side ie hosting side, So why should i backup with encryption!

Also being that theirs no guidelines for hosting companys to follow, Hence theirs a large number of fly by night hosts who actually dont make remote backup's.

Whiles your bashing about addresses and postcodes, All is available via domain's on domain tool's which is on show for everyone. (unless your non trading and you choose to opt out like yourself)

Encryption offers no bullet proof protection!

However the storage of medical files has strict guidelines, We do not host any medical records.

Either if people choose to hack our WHMCS which has all the data within, Or hack our backup's they will get the same information regardless.

Our WHMCS stores everything from root passwords to client detail's, However we dont make remote backups of the database, We use WHMCS'S built in backup feature.

However with WHMCS is does offer some encryption on passwords and things, But if you was to get hold of the database, enject an admin, You could then see everything.

The fact that some movie encryption standards have failed, is that they were either very weak, or because the key to decrypt the movie had to be known to the movie-players (how else could it decrypt the movie?) and these keys have been obtained one way or another (including factory leaks).
Same go's for any type of encryption.

So i dont really see what your trying to bash me for!

Myatu
02-10-2010, 18:40
Quote Originally Posted by BigMAC
Using encryption on backup's is pointless, Your wasting your time, Any encryption can be undone with ease, Aslong as your backup storage server's are secure theirs no problem.

I transfer all my backup's via Rsync over SSH and store them on a cPanel based server above the public_html directory, Never had any issues or problem's.
That's just about the biggest mistake you can make in securing a system: assumptions. That's what the architects of the HMS Titanic did too: "This ship is unsinkable. Why do we need to waste space on life boats?" We all know how that turned out.

For one, you're assuming that the storage server is secure. There's no guarantee in that. Then you're assuming that anything above the public_html directory doesn't need to be encrypted - except during transmission.

So, a hacker with enough know-how and computing power to decrypt a 256-bit+ encryption algorithm within his/her lifetime isn't able to eavesdrop the SSH connection?

The fact that some movie encryption standards have failed, is that they were either very weak, or because the key to decrypt the movie had to be known to the movie-players (how else could it decrypt the movie?) and these keys have been obtained one way or another (including factory leaks).

Should any of that data you backup using your current method contain sensitive personal data (which may be as simple as a postcode and house number), and it be obtained from the so-called secure backup storage, then the court will definitely not consider "using encryption on backups is pointless" as due diligence in protecting that data (a company in France was fined €300,000 for that not so long ago). You shouldn't even be putting any such data on non-EU servers, unless they're part of/certified by a EU-approved program like the USA's Safe Harbor.

BigMAC
02-10-2010, 16:29
Quote Originally Posted by gregoryfenton
http://www.guardian.co.uk/commentisf...-data-security

A prime (and very current) example.

Those were stored "outside public_html" and are now in the wild and are allegedly well worth a read as there are great insights into getting out of filesharing lawsuits held within them.
Having just skimmed the content, I fail to see where it says anything to regards of "outside public_html"

Also with the recent 64Bit Linux Exploit (CVE-2010-3081) it could and would of happened to loads of servers...

We can also use another example of how the uk goverment used "cds" to send data via "royal mail"

EDIT: Also noticing the date on the link you gave me, It's strange such things are released just "after" an huge linux security loop hole was uncovered.

The media allways find ways to bash things, and what better hacking an server and getting content because of a linux security loop, Theirs alot more behide that story!

gregoryfenton
02-10-2010, 16:10
Quote Originally Posted by BigMAC
Hence theirs no point doing encryption on "backed-up" data.

Care to share why?
http://www.guardian.co.uk/commentisf...-data-security

A prime (and very current) example.

Those were stored "outside public_html" and are now in the wild and are allegedly well worth a read as there are great insights into getting out of filesharing lawsuits held within them.

BigMAC
02-10-2010, 15:53
Quote Originally Posted by Thelen
What universe do you live in? Since when can any encryption be undone....

Given you think cPanel based server is secure, I think I know why you think that...

As at the original question, I'd be more concerned it was a hoax email from one of the anti-piracy scumbag companies rather than a legit french company worried about french law.

but, no, there is nothing illegal about encryption and in fact you'll find it the other way around in most cases. as a small time person, you won't have to worry about it either way unless you annoy the secret police or something.
I live on earth and yes i know cPanel based servers can be attacked, hacked.

Even more just put 777 permissions on a wordpress installation and watch the exploits come in.

Rather more the film industry has poured billions of pounds into encryption yet people are finding ways to undo their encryption using software costing no more than $50, Just walking around my local sunday market is a prime example!

Hence theirs no point doing encryption on "backed-up" data.

Quote Originally Posted by gregoryfenton

"it is outside the public_html directory" is not somewhere I class as secure or even reassuringly safe.
Care to share why?

gregoryfenton
02-10-2010, 14:46
Any backup that is on a server accessible to the internet is insecure.

Maybe not today, but 0 day exploits are common.

"it is outside the public_html directory" is not somewhere I class as secure or even reassuringly safe.

Thelen
02-10-2010, 14:43
Quote Originally Posted by BigMAC
Using encryption on backup's is pointless, Your wasting your time, Any encryption can be undone with ease, Aslong as your backup storage server's are secure theirs no problem.

I transfer all my backup's via Rsync over SSH and store them on a cPanel based server above the public_html directory, Never had any issues or problem's.
What universe do you live in? Since when can any encryption be undone....

Given you think cPanel based server is secure, I think I know why you think that...

As at the original question, I'd be more concerned it was a hoax email from one of the anti-piracy scumbag companies rather than a legit french company worried about french law.

but, no, there is nothing illegal about encryption and in fact you'll find it the other way around in most cases. as a small time person, you won't have to worry about it either way unless you annoy the secret police or something.

BigMAC
02-10-2010, 12:53
Quote Originally Posted by raidensnake
I can't see why it should be a problem. I mainly encrypt server backups so it can't be hacked into.
Using encryption on backup's is pointless, Your wasting your time, Any encryption can be undone with ease, Aslong as your backup storage server's are secure theirs no problem.

I transfer all my backup's via Rsync over SSH and store them on a cPanel based server above the public_html directory, Never had any issues or problem's.

tim2718281
29-09-2010, 19:27
Quote Originally Posted by raidensnake
I need to know something as I recently got a email from some french company saying I can't use file encryption to protect users information cause aparently it violates the DADVSI law.
It's rubbish; ignore it.

Alternatively, ask them to cite the relevant part of the law.

(Here's a French government site; see article 30:

"I. - L'utilisation des moyens de cryptologie est libre."


http://www.legifrance.gouv.fr/affich...TI000006421577

And are you in France? If not, the law would not apply to you anyway.

raidensnake
21-09-2010, 23:08
the thing I'd like to know is what exactly has file encryption and this DADVSI law have to do with protecting users information anyway???

Myatu
21-09-2010, 18:02
Quote Originally Posted by raidensnake
actually what I think they said is that any form of file encryption is outlawed in france but I'd like confirmation of this. I do know other countries do outlaw file encryption but why i don't know.
That's way back, when it had similar laws to the US. You had to have official permission to encrypt files, or you could only use a very weak encryption algorithm (something like 40-bits). I doubt it's still the case.

If it's truly a concern, send me a PM and I can put you in contact with a friend; she's a French IP/IT Lawyer here in London and deals a lot with these types of questions.

YouWhat
21-09-2010, 16:44
I thought it was down to the geographical location of the server that effects what laws are governed by it, eg OVH's based in france so goverened by french law.

LawsHosting
21-09-2010, 15:30
Sounds like a law the UK government practises here - when they lost those CDs of people's details, doubt they were encrypted.

zydron
21-09-2010, 12:36
is password hashing also outlawed then?

raidensnake
21-09-2010, 10:41
Quote Originally Posted by Myatu
It relates to copyright infringement. But it basically comes down that if one of your users/clients is suspected of copyright infringement, you are to co-operate with authorities by providing them full details on file. But obviously, as with any EU country, this cannot be done without court approval.

So to say "can't use file encryption to protect user information" is a bit ridiculous, as you actually have to put in every possible measure to ensure that protection.

So if this was actually what that French company told you, then it would be akin to a hacker telling you "Don't use a password or security certificate to secure your root shell", in other words: disregard that nonsense.
actually what I think they said is that any form of file encryption is outlawed in france but I'd like confirmation of this. I do know other countries do outlaw file encryption but why i don't know.

Myatu
20-09-2010, 17:47
Quote Originally Posted by raidensnake
I need to know something as I recently got a email from some french company saying I can't use file encryption to protect users information cause aparently it violates the DADVSI law.
It relates to copyright infringement. But it basically comes down that if one of your users/clients is suspected of copyright infringement, you are to co-operate with authorities by providing them full details on file. But obviously, as with any EU country, this cannot be done without court approval.

So to say "can't use file encryption to protect user information" is a bit ridiculous, as you actually have to put in every possible measure to ensure that protection.

So if this was actually what that French company told you, then it would be akin to a hacker telling you "Don't use a password or security certificate to secure your root shell", in other words: disregard that nonsense.

raidensnake
20-09-2010, 07:29
Quote Originally Posted by zydron
Well you ordened by a british company, in my believing you are only bound by british law...

(for me dutch law then :P)
As far as I know those laws also applies to european countries where they are provided also as file encryption isn't illegal to use. but I don't know for certain that's why I'd like OVH to clarify this.

zydron
20-09-2010, 07:11
Well you ordened by a british company, in my believing you are only bound by british law...

(for me dutch law then :P)

raidensnake
20-09-2010, 06:57
I need to know something as I recently got a email from some french company saying I can't use file encryption to protect users information cause aparently it violates the DADVSI law. I'd like some clarification on this from OVH weather using file encryption on their dedicated servers does violate laws or not cause as far as I am concerned file encrypted is used to protect information under the data protection act as part of server security. I can't see why it should be a problem. I mainly encrypt server backups so it can't be hacked into.