Recently, here in Germany several laws were passed concerning law enforcement access to user data stored with internet access or service providers, like mail, social media or cloud storage. There are all kinds of things wrong with those laws: they threaten privacy in principle, are overly broad, and severely lack controls (details vary by state, summary in German here). Suits against them before the Federal Constitutional Court are being prepared, see stopp-bda.de (German) for the one against the federal law. It is organized by members of the German Pirate Party, but anyone affected can join, whether they’re German citizens or not.
In this post, however, I’m going to focus on just one thing included in some of these laws that is not only dangerous for privacy and civil rights, but also entirely pointless for law enforcement – unless they were made with the plan to abuse them: access to users’ passwords.
Intercepting communications or subpoenaing stored data may be appropriate under certain circumstances (although I think the restrictions in current German law are not strict enough by far), but there cannot ever be a justification for giving police or intelligence agencies access to passwords. If it’s about data stored in the accounts in question, that data can be intercepted or subpoenaed where appropriate, and there is no need to get the password. Instead, that would create two new problems.
Access to passwords provides complete control of the account, making it possible to impersonate the user. This includes performing illegal acts using the account in question. In fact, I will go as far as to say that if police had such access to someone’s account, all evidence gathered from it should be considered unreliable and therefore unusable. I’m not going to play criminal mastermind here, but I’m sure you can all imagine something that someone with full access to a social media or mail account of yours could do to implicate you in a crime, or otherwise ruin your life.
Breaking real security
Also, service providers that observe proper security practice will never, ever store passwords in a way that makes them recoverable. When a security breach occurs, the account database is usually one of the most interesting targets for the attacker, so storing passwords in plain text is essentially handing them over. Instead, a provider stores only a salted, slow hash of each password: it can check whether a login attempt is correct, but it cannot compute the password back from what it stores. Thus a responsible provider will never be able to fulfill a request to reveal passwords. As far as I know, the new laws do not contain rules that would force services to store passwords in plain text, but such demands could still severely harm security.
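To make "not recoverable" concrete, here is an added example (not code from the original post) of how a provider stores and checks passwords using salted PBKDF2-HMAC-SHA256 from Python's standard library. The record format, field names and iteration count are my own choices; the point is that the stored record lets the provider verify a login but gives it nothing to hand over.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example).
# It is stored in the record so old records stay verifiable when it is raised.
ITERATIONS = 600_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: bytes = None) -> str:
    """Return the only thing the provider keeps: algorithm, work factor,
    random salt and derived key. The password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per user, so equal passwords differ
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(key))


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt by recomputing the derivation from the stored
    salt and comparing in constant time. A malformed record never verifies."""
    try:
        algo, iters, salt_b64, key_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iters), len(expected)
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: one user record, one correct and one wrong attempt.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:  ", verify_password("Correct horse battery staple", record))
    # Nothing in 'record' can be turned back into the password; a disclosure
    # request can only be answered with this same opaque string.
```

The same function that a provider's login code runs is the only operation the record supports; there is no inverse to call, which is exactly why a demand to "reveal the password" cannot be met by a provider that does this.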
I don’t know if the reason such rules were written into law was malice or incompetence. Either way, this has to stop.