46 comments

[ 0.28 ms ] story [ 115 ms ] thread
Any sensible company would store passwords as hashes... I sure hope google would.
I hope so. But handover all hashes?
That's most likely what will happen, simply so that the companies can say that they complied with the law.
Let's hope they're salted and they use something very slow to bruteforce
Hope is not a security solution.
Sure isn't, but that's how proprietary software is, you only have hope.
(comment deleted)
They can always alter the login code to secretly log the passwords in plain text the next time the designated users log in.
Gdpr violation?
There's an explicit exemption for state security in GDPR (and indeed ECHR Article 8)
There is no law in Germany (or anywhere else that I'm aware of) that would compel a company to do this.
I hope there isn't. But my point was that in the event they are indeed compelled by law to reveal passwords, this would be the only way they'd achieve that.
See my other comment - the law is about access codes like SIM PUKs and drive encryption keys, not passwords.
Given the Hong Kong police state situation, once again who watch the watchman.
This is not the combined force of the German Nation State, this is a part of a proposal by our Federal Justice Minister, framed to counter "hatecrime".

Still far from Merkel calling Zuck und Sundar to hand over the passwords.

The current title ("Germany requests WhatsApp, Gmail etc. to hand over passwords in plaintext to DOJ") makes it sound like this law already passed, which is not the case according to the article.
Yes, but

- the title length is limited

- from my PoV, this needs some attention

What would you propose as a title?

"German ministry of justice proposes law to force WhatsApp, Gmail etc to hand over sensitive user data"
"22 too long"

I really tried to summarize with the available title length. And to be honest, laws like this tend to be passed in Germany.

Sorry if you disagree. Please provide a better title. Honestly, I couldn't come up with one.

German govt proposes law to force WhatsApp Gmail etc to hand over user passwords
From my PoV, this needs some attention, so I'm going to make stuff up so people click
"DOJ" is also confusing: this is not referring the US Department of Justice but the German Ministry of Justice (Bundesjustizministerin/BMJV)
This is a bit too long for the title. If it was shortened no-one would understand it. And "Ministry of justice" in Germany equals "DOJ" in the U.S, which almost anyone understands.
(comment deleted)
One problem with this kind of debate today is that fewer lawmakers than in the past have direct knowledge of communication systems and how to keep them secure.

For example, in the 80's there was concern about 'bugging' in the UK. But at the time, there was actually informed debate in parliament about the technical details. This could happen because since there was so much labour involved in maintaining the old systems, large numbers of people actually knew how they worked. There were MPs who had formerly been telecom linemen, and followed the trade->union official -> Labour party -> MP route into parliament.

Nowadays I can't think of an MP who would actually have the background to know that this is a bad idea, themselves.

I'd have thought that Germany would have enough representatives from the DDR to know why this is a bad idea. Which is why they're usually one of the most anti-surveillance countries in Europe and leaders of GDPR campaigning.
Yes, that is true. It's not a way of getting informed politicians that we can follow, though. At least, I hope not.
Even though we are fairly anti-surveillance as a whole, a lot of fairly radical surveillance laws get proposed all the time. Most die early, some die after push-back from the population, some get voted in and are thrown out by the constitutional court, and a few survive. It's a never ending fight.
So glad the EU is imploding.
(comment deleted)
The HN title is inaccurate. The article itself actually says:

The draft does not provide for an explicit obligation to provide identifiers in plain text. When providing information, however, "all company-internal data sources must be taken into account".

(comment deleted)
This is the draft in question: https://drive.google.com/file/d/1gV4FIr6cNu2s1W37vd7NJZC4HNc...

Translated to English: https://www.scribd.com/document/439773952/BMJV-GE-Bekampfung...

One of the notable proposed changes is that providers are required to notify federal law enforcement about content that they removed from their platform and which the provider determined to likely violate German laws, including the content and the user's IP address and [source] port number. The intention is to prosecute these cases. There is a provision that requires the user to be notified about this, except if law enforcement specifically requests not to notify the user.

The changes to §15a are very broad and allows a variety of government institutions to request not just customer contract data ("Bestandsdaten", which would be regulated by §14), but also "Nutzungsdaten", i.e. user IDs, IP addresses, logs or similar usage data, even for misdemeanor-level offences. It's a bit of a hyperbole, but to my understanding, this would, in theory, include parking violations and littering, which feels wrong.

Requesting such data was, to my understanding, regulated only superfically by the TMG in §15 (5) with unclear scope. Previous court cases established that this would include IP address data (LG Frankfurt/Main, 2-03 O 174/18). The new paragraph expands on this by explicitly allowing requests to be made using just an IP address (rather than a user identifier), by clarifying the scope to include all usage data, and requiring security measures to be taken to ensure that the data is transmitted securely.

The draft document only mentions about passwords in the comments (page 29), not the actual proposed changes to the law, which only mentions "data which can be used to access storage media on a device".

This is an oddly specific provision that likely targets full disk encryption schemes that have a server-side key backup (i.e. Windows Bitlocker). This was copy-pasted from the existing §113 TKG, which regulates ISPs, and calling these "passwords" is a very unfortunate choice of words by the authors of this draft document.

Disclaimer: Not a lawyer, but I dealt with law enforcement requests in Germany in a past job.

I changed the URL from https://translate.google.de/translate?sl=de&tl=en&u=https%3A... to the original source, as the site guidelines request.

I know this is a tradeoff that leaves something on the table, but HN is an English-language site, so articles here need to be in English. We don't allow machine translations as a workaround. I could imagine exceptions for topics of particuar intellectual curiosity—something that is so obscure that it only exists in one form and hasn't been translated. But articles on current affairs are the opposite—in those domains, if a story is important enough to be covered here, it will certainly appear in the English-language media.

Put conversely: in popular domains like current affairs, if there's no English-language article worth submitting on a topic, mostly likely that's because the topic isn't significant enough yet. When it comes to politicians proposing bills, that's certainly the case. Most bills go nowhere (https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...), and if anything comes of this one, it will surely receive much closer attention.

You're right.
> Yeah. You're totally right, anything outside of US doesn't matter :)

I was just in the process of replying to your comment and question when you replaced it with that snarky one-liner.

HN is a highly international community. Plenty of international stories appear here. Nor does HN being an English-language site imply any disrespect for other languages, including the wonderful German language. Quite the contrary.

In this case the language issue is secondary anyhow, since "politician is working on drafting a bill" is an even less substantive story than "politician introduces bill", which is one of the classics of off-topicness for HN (https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...). We would have demoted the story regardless of the language it was written in.

In cases like this, we've learned that there's no harm in waiting for a story to actually become real before having a thread about it. https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

(comment deleted)
If you're asking why we downweighted the submission, moderators routinely do that on HN when a story doesn't fit the site guidelines, isn't substantive enough, is overly sensational, and so on. If we didn't, HN's front page would consist of the same few hot topics and flamewars repeated over and over. Maintaining a site for intellectual curiosity requires active pruning.

Sure, we've routinely downweighted tons of election campaign stories, which is what most policy proposals from candidates are. That includes Elizabeth's among many others. I could see making an exception for proposals that come with detailed arguments and make a genuinely new contribution to debate on something that's on topic here. But most aren't anything like that, they're just attempts to gain attention for a candidate.

I just spent almost an hour reading the drafts in question and converting documents back and forth to provide an English translation and a summary of what exactly the proposed changes are in a comment below, and this makes me a bit sad since it means the effort was mostly wasted.

This is not an election story or a random politician drafting a bill, but a draft by the relevant ministry of the elected government in Germany. It raises important questions about the relationship between large multinational companies and law enforcement in a country other than the US, with quite a bit of nuance and potential for in-depth discussion.

If you feel strongly about this issue and you think it's worth being debated then the best thing you can do is to write an in-depth analysis in your personal blog and then submit the link
I hear you and am sorry about the wasted effort. vsadu's advice sounds good.
In spite of the draft status this already makes some waves in the german mainstream press, not only some computer magazine.

[1] https://www.faz.net/aktuell/wirtschaft/digitec/hassrede-bund...

Though the last paragraph cites a politcian saying something along the lines of this can't stand as it is and needs further discussion and changes, otherwise it would be contested in germanys highest court and canceled there.

edit: 2nd link [2] https://www.stern.de/politik/deutschland/hetze-und-drohungen...

edit: 3rd link [3] https://www.spiegel.de/netzwelt/web/facebook-twitter-co-mill...

(comment deleted)
Hand it over. It's hashed anyways