Five Bar and Cafe Owners Arrested in France For Running No-Log WiFi Networks

In one of the weirdest arrests of the year, at least five bar and cafe managers from the French city of Grenoble were taken into custody last week for running open WiFi networks at their establishments and not keeping logs of past connected users. From a report: The bar and cafe owners were arrested for allegedly breaking a 14-year-old French law that dictates that all internet service providers must keep logs on all their users for at least one year. According to local media reports, the bar and cafe owners claimed they were not aware that such a law even existed, let alone that it applied to them as they had not received notifications from their union, which usually sends alerts of industry-wide legal requirements. Nonetheless, French media pointed out that the law's text didn't only apply to internet service providers (ISPs) in the broad meaning of the word -- as in telecommunications providers -- but also to any "persons" who provide internet access, may it be free of charge or via password-protected networks.

The slow creep

[lessSockMorePuppet]

Totalitarianism starts with authoritarianism.

Re:

[Aristos Mazer]

It's a 14-year-old law. That's definitely slow creep.

Re:

[Hizonner]

The creeps have been slow to start enforcing it, especially in these most obviously idiotic cases. If you'd asked them 14 years ago whether this was what the law was about, I bet the would have denied it (while furiously masturbating).

Re:

[jythie]

I suspect this is more a case of laws just not keeping up with advances and technology spreading wider than lawmakers could have predicted.

Re:

[SerpentMage]

I read the comments and the idea that you think in your country logs are not kept is ludicrous. All countries keep logs. You just might know about it.

Re:

[drinkypoo]

France didn't even permit meaningful encryption until recently. Seems like time for another revolution.

Re: Data retention costs

[NagrothAgain]

I can't read French, can anybody tell if the Law actually states what has to be logged and to what degree?

Re:

[nospam007]

According to the 3 articles they should have kept every connection record for a year.

Re:

[Calydor]

But what exactly is that? A full list of all network activity of all connected devices, or a list of MAC addresses, associated IP addresses, and time stamps?

Re:

[Alcari]

It could even be a 1:1 copy of all network traffic, if they want to be assholes. Of course, all these options violate GDPR.

Re:

[Cederic]

That's not the case. GDPR allows capture and retention of data for legitimate interests - e.g. obeying the law.

Sharing, failing to protect or failing to subsequently delete that data would be a breach of GDPR, not capturing and storing it.

Re:

[Bert64]

If you're using NAT it's extremely expensive, since you have to log every state seen by the gateway. Anyone external would only see the ip associated with the gateway, so these detailed logs are needed to correlate activity to individual users, as required by law. A simple act like visiting a single webpage will generate multiple connections and thus multiple state entries that need to be logged.
If you have routed connectivity with unique routable addresses per customer, then you just need to log start/end

Unless...

[martynhare]

If you're using NAT it's extremely expensive, since you have to log every state seen by the gateway.

You make free WiFi exclusive to $¥€NordenTunnelBoarVPN members, and hand out free “5GB evaluation coupons” for people who would like to “try” - with no personal info required. You can hawk on about how it protects them from spying when they use Public WiFI and then proceed to log what little you see on your end.

I heard that repeating text patterns compress extremely well and they can’t stop you partnering with international companies offering complimentary service

Re:

[Darinbob]

So you have them type in a name on the connect screen? Even an open hotspot should require a connect screen, even if it's just to click yes you agree to the terms of service. The snag is that many off-the-shelf wifi routers won't do this easily, and asking a bar owner to manage a linux based router or box may be beyond their capability.

In general, it's not wise to connect to random public wifi hotspots anyway due to the lack of any security.

Re:

[sarren1901]

Hence you take a burner phone on vacation and don't do anything financial on it. Paranoid. Sure. But why should all these governments get to spy on my activities? Sounds like big brother to me. It sure as heck isn't stop any terrorist attacks.

Re:

[Bert64]

There are plenty of routers which can implement such a screen, thats the easy part...
If you assign routable addresses then that's enough, you know the user logged in at a particular time and was assigned a particular address, if you are translating multiple users through a single address then a lot more logging is required.

Re:

[arglebargle_xiv]

I wonder what really motivated this? It's likely that every second cafe, petrol station, library, and whatnot in France that offers free WiFi violates it, and it doesn't even make sense to log when you've got a bunch of random anonymous uses hooking up for the time it takes to have a coffee.

So more likely someone was trying to make a point about something, or create a parallel construction narrative, e.g. they're tracking a tax cheat who happens to use one of the cafes and need to get info on him without m

Your Honor

[Gabest]

The clients accessed the wifi network were the following: 192.168.0.1/24

Do the bar owners need to ask for an id/passport and save it as well?

Re:

[lsllll]

This reminds me a little of Section 230 a bit. We won't hold you responsible if you provide free, unlogged WiFi and block BitTorrent and Child Porn (a task just not doable), or require login and log so we can go after the offenders. Personally I think they should be able to provide free WiFi (if permitted under their contract with their service provide) without logging and the government can just go fuck itself.

Re:Your Honor

[guruevi]

This is the EU, so yes, you need to log them by ID, they probably need a certification and permit to be able to provide it. Then you need to conform to GDPR as you save those logs and if someone asks, you need to delete all information they provided to you unless, off course, the government wants it, then you need to be able to produce those logs that someone asked you to delete. If you don't delete it, you're up for an arrest and a fine, if you don't keep it, you're up for an arrest and a fine. If your company is a chain or bigger company, or happens to have foreign investors, then you're more likely to be prosecuted for these same crimes.

That is pretty much the state of small business ownership within the EU.

Re:

[fazig]

In 2014 the UK enacted their Data Retention and Investigatory Powers Act [legislation.gov.uk] especially as a reaction to the EU Court of Justice https://curia.europa.eu/jcms/u... [slashdot.org]">invalidating the data retention directive on the grounds of violating fundamental rights.

Ever since then it was a thing of individual member states. And surveillance happy states like the UK and France of course did their own thing, while other nations repealed these laws despite politicians trying repeatedly.
Germany for example was sued for no

Re:

[fazig]

The non messed up link to the press release of the invalidation from 2014: https://curia.europa.eu/jcms/u... [europa.eu]

Re:

[jonbryce]

If the Government requires to to keep certain information, the GDPR allows you to keep it. However you are not allowed to use it for any purpose other than handing it to the relevant government officials on receipt of a legal request to do so.

Re:

[pak9rabid]

Geez, I can't image why most of the world'd innovation happens outside of the EU...

Re:

[AlexHilbertRyan]

yup those europeans, they never invetned the industrial revolution, banned slavery, gravity, modern medicine, chemistry, discovering of elements. One has to wonder why so many sorry basically all scientific / international units are named after them.

Re: Your Honor

[ArmoredDragon]

Europeans had slavery well into the 20th century, they just changed what exactly was meant by it. Effectively, their idea was that it's not slavery if it happens in a colony. France alone had 3 million slaves at the turn of the century in French West Africa, and still maintained slavery in a limited form in French Indochina until they revolted in 1954.

Re: Your Honor

[Alcari]

Americans have slavery right now, they just call it "prison labor".

Re:

[Darinbob]

I hadn't realized the Europeans had banned gravity. What a bunch of kooks!

Re:

[chispito]

Geez, I can't image why most of the world'd innovation happens outside of the EU...

Because the EU is not a majority of the world by population?

drinking age in France is 18, or 16 if the person

[Joe_Dragon]

drinking age in France is 18, or 16 if the person is in the presence of adults so they must not check lot's of ID's there

Re:

[youngone]

Drinking at age 18 is standard for almost all of the civilised world.

Re:

[thegarbz]

Actually you'd be surprised how variable it is. Some places even segregate the age based on the alcohol concentration. e.g. You can buy a beer at 16 but need to be 18 to drink shots in Switzerland.

Re:

[youngone]

I wouldn't be that surprised, as I have drunk in maybe 40 countries. The major variable is more about how strictly they enforce the rules.

But Switzerland are a bunch of weirdos generally, so no surprises they have some weird rule.
The really odd one was Iceland. The first time I was there you couldn't buy beer. At all. A glass of wine could be drunk in any pub or restaurant however.

Like almost everywhere though, the drinking age was 18.

Re:

[itsme1234]

Yea, funny thing they were having in Switzerland something like they can't sell beer but can sell wine from a certain hour. I'm talking supermarkets here, some were even having the whole shelves locked in some cage, but the others were just "well, we can't sell you that right now".

Re:

[U0K]

You should have been drinking in some more countries then.

In German speaking countries, iE, Germany, Austria, and Switzerland, as well as Denmark (where German is only spoken by a small subset in the southern region), as a general rule alcoholic drinks with a lower %vol like beer and wine can be bought and consumed in public from the age of 16. Distilled alcoholic drinks like vodka, whiskey, rum, and so forth can be bought and consumed in public from the age of 18.

Some small local variations may apply.

Re:

[Cederic]

You still can't buy beer in Iceland.

It's for sale but nobody can actually bloody afford it.

Re:

[Voice of satan]

I got my first (small) glass of wine at 12. It was considered an important part of my education. Develop taste.

Re:

[whoever57]

I got my first (small) glass of wine at 12.

I have memories of being tipsy if not drunk at that age. Usually at some kind of family event.

Re:

[Darinbob]

I remember sneaking a drink of Coors as a kid and thinking "ugh, how can adults drink this?"

Re:

[sodul]

I remember sneaking a drink of Coors as a kid and thinking "ugh, how can adults drink this?"

I'm an adult and think "ugh, how can anybody drink this?" about Coors.

The first time I got drunk was with Chimay so my standards are biased.

Re:

[cusco]

My entire family makes wine or beer, some used to have stills. We would have a glass of wine with any holiday dinner from the age of 6 or so. I made wine by myself for the first time when I was 12, mulberry. I still pick four gallons of blackberries every summer and make another five gallon carboy of wine, and sometimes another carboy if I find a good deal on fruit. I just found a recipe for banana wine that looks interesting the other day.

Re:

[Aighearach]

Do the bar owners need to ask for an id?

LOL

You're talking about a country where they get angrily triggered if you suggest that daily drinking is a sign of alcoholism.

Re: Your Honor

[Anonymouse Cowtard]

Which it is NOT. Now stop annoying me until I've had a couple of wines.

Re:

[Darinbob]

Which is why it is untrue that the French are a rude people. They are only rude when you meet them on the street as that is when they are not at home drinking.

Re:

[Darinbob]

Log the MAC address. Sure, someone really attempting to secretly control a terrorist cell from the bar's hotspot will likely use a fac MAC but you're never going to catch them this way anyway.

From the summary

[bobstreo]

"Nonetheless, French media pointed out that the law's text didn't only apply to internet service providers (ISPs) in the broad meaning of the word -- as in telecommunications providers -- but also to any "persons" who provide internet access, may it be free of charge or via password-protected networks."

There may be an issue with people within their homes or businesses providing this service "For Free" and not appropriately logging.

Re:

[Aristos Mazer]

Seems like, yes, there is an issue, and people in France should probably shut down WiFi access to friends/family/public until they can organize enough to get this law repealed. Or start logging.

Re:

[SerpentMage]

As I am in France and about to run a Gite I know about this law. The ISP will log the data and whenever something odd comes up they will delegate it down to the client of theirs. Then the police goes to the client, and confronts them. If this case is a GITE and a client, then unless you can prove it was a client, you are liable. They will apply this law for terrorism, and copyright violations.

Re:

[MobyDisk]

How could this not be absolutely explicitly clear in the law? Unless the law was written 25 years ago, any members of their government would have a Wifi router at home so it's not like they wouldn't think about it.

Re:

[sxpert]

french citizen here. trust me, the lawmakers are pretty clueless with regards to technology, whichever party they are from

Re:

[Cederic]

No, I think this law was absolutely intentional. The French Government want to be able to backtrack any Internet activity to the device and individual involved, and this law intentionally limits the 'public access wifi' route to avoiding that.

Re: From the summary

[bumblebees]

Well you can get a prepaid sim with just paying cash. Sold in every kiosk in Finland for 19â / 31days unlimited internet. But sure if you want a subscription that is billed at the end of the period then yes you need to be identified with id or passport.

Re:

[fazig]

Here's a map [patrick-breyer.de] of EU countries (still including the UK), compiled by an EU MEP of the Pirate Party's German chapter.

The roaming regulations in the EU technically allow you to use any of these prepaid cards everywhere in the EU where you have a signal. But there is no guarantee that for permanent function as it is up to the ISP if they allow long term roaming or not.

Ahhh, nothing like it

[Excelcia]

Ahhh, nothing like dredging up a fourteen year old law that nobody knows applies to you and tossing some indictments around, you know, just to spice up people's lives which have been in grave danger of becoming dull and too easy as of late. Go France! You fine upstanding bastion and showcase of freedom to the world!

Re:Ahhh, nothing like it

[freeze128]

"Off with their Headers!"

Re:

[Excelcia]

"Off with their Headers!"

Oh God, I hope they have deep packets.

I wonder if the cafes were serving too much port.

Re: Ahhh, nothing like it

[Anonymouse Cowtard]

Most cafe owners don't WAN to do anything about logging users. This law is terminal. The government must do some ping about it. Clients drinking Java aren't criminals!

Re:

[Bert64]

Well the law has been around for 14 years, there really is no excuse for not being aware of it...

Re:

[chadenright]

If, in the last 14 years, it's -never- been enforced or interpreted in this way, to the point that the union's team of lawyers whose job is to know such things, didn't know it, then there is perhaps a justifiable reason to not be aware of this law which they are allegedly violating.

Sounds to me like some county's having revenue issues and trying to get creative to drum up business for the corporations that run their prisons, but then, I'm an American and that sort of thing happens all the time around her

Re:

[Bert64]

There are many laws for which enforcement is very lax, but that doesn't change the fact that they are published laws that people need to be aware of and comply with.
There is also typically a grace period with new laws, giving people chance to comply and law enforcement time to become aware of how to identify those who are breaking the law... That would make sense here as it gives providers time to acquire new equipment capable of storing the necessary logs, although 14 years seems a long time.

There are also

Re:

[jm007]

"...published laws that people need to be aware of and comply with..."

how much time do you personally spend perusing the law books looking for something that might apply to you? don't forget local laws, state and national, if applicable

there are literally tens of thousands of them, written in a semi-foreign language

when common sense and the law diverge, always go with common sense

Re:

[jythie]

And in this case, laws written for industries you are not part of. I can see how a bar simply providing wifi for its customers did not think to look into ISP regulations.

Re:

[Bert64]

If you're running a business, then absolutely you must familiarise yourself with all laws that apply to your business.
If your business is running a cafe, then you need to be familiar with all the food standard laws etc.
If you start providing internet access, then your business has now changed - you are now a service provider and must comply with the legislation that exists there.
It's irresponsible to start providing a new service without obtaining legal advice first.

when common sense and the law diverge, al

Re:

[jm007]

business or personal, doesn't matter.... how much do *you* know about all the laws that apply to you? are you actively seeking them out so you don't go to jail?

are you holding others to standards you yourself don't adhere to?

Re:

[Hizonner]

Sounds more like they're trying to eliminate competition for overpriced paid hotspots run by people they control.

Almost - who controls who?

[raymorris]

> Sounds more like they're trying to eliminate competition for overpriced paid hotspots run by people they control

Close, I suspect. I don't know a lot about French politics, but I know who is paying for the politician's campaigns in the US. Our top law maker, Nancy Pelosi, is paid for by:

1 University of California
2 Disney
3 Google
4 Microsoft
5 Comcast

That's the top 5 keeping Pelosi in office. If they're the ones who keep their favored politicians in office and stop financing the campaigns for politician

Re:

[sxpert]

there are no private prisons here.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[jm007]

beautiful, thanks for putting that up there

Re:

[SerpentMage]

No actually people in France know about this law, but they flaunt it. Until it bites them in the ass. For reference I am in France.

That's just stupid

[Murdoch5]

Companies who don't keep logs and who don't spy on users, when it makes sense, should be awarded, not arrested. All this kind law does is to strip privacy rights from innocent people, for very little to no reason. You could argue that it's in the cafe's interest to keep logs, because if person X surfs to Y or does Z and Y and Z are illegal, the cafe could get in trouble, bu in the same boat the cafe should not be held responsible for that.

Re:

[Bert64]

There's a difference between spying on user's activity, and logging the presence of users and duration of their sessions.

Logging that user X connected at 14:00 and disconnected at 15:00 is reasonable, and what ISPs have always done. The ISP has no idea *what* exactly they did while they were connected.
Logging that user X connected to www.slashdot.org at 14:01 is not.

Traditionally every user connecting would have exclusive use of an Internet-visible IP for the duration of their session, so any given action r

Re:

[sxpert]

indeed, that's the only real logging that needs to be done...

Re:

[Bert64]

None of this is anything new, and has been around as long as fixed line phone services have.

Logging presence and duration is also (and was traditionally) used for billing, since users were billed by the minute while they were online.
Traditional services were always tied to a physical address, so they knew by default where you were whenever you used the service.
If you used a phone in a cafe or other public place, then you had exclusive use of the phone line at the time you used it.

The idea of a shared resour

Our NSLs (National Security Letters) no different

[sideslash]

Ethical cloud business owners sometimes have to choose between continuing to exist while lying to their customers, or shutting down to protest an intrusive government mandate. And they are gagged from even talking about it, which in my opinion is unconstitutional.

The owner of Lavabit received such a letter, and did what he could to stand up to such tyranny, including delivering a key as a hard copy printout. He eventually shut down his operation rather than lie to his customers. This is what a digital hero looks like, kids.

Re:

[chadenright]

Gag orders on NSL's are blatantly unconstitutional. Warrantless search and seizure of any sort is also blatantly unconstitutional, although that's a second violation that is perhaps more open to debate (arguably, the NSL is itself a kind of warrant). So long as we tolerate evil long past what is reasonable or just, in the name of our love of peace, those in power will continue to abuse whomever they can for their own gain.

Re:

[Entrope]

Courts have, unfortunately, held that the gag orders are binding. Your lawyers are not even allowed to see why the government claims gag orders are necessary.

https://www.eff.org/deeplinks/... [eff.org]

I'm calling bullshit on this until...

[geekmux]

...every Starbucks in France proves their compliance with a shitload of log files.

I have this feeling this is where we'll find certain regulations are for thee, but not for me.

Politicians are bean sucking addicts too.

Re:

[Aighearach]

Nobody ever claimed the problem was that logs were not accessible to slashdot user 1040042.

The More You Know!

Re:

[aralin]

We do their Wifi, they've got the logs.

Coffee Shop Canaries

[A10Mechanic]

Easy solution, just put a dead canary in a cage by the front door. Let your patrons draw their own conclusions.

Re:

[Kaenneth]

He's pining for the Fjords.

IP is proof of identity in France

[Voice of satan]

Unless they have changed that an IP is proof of identity in France. If someone uses your Wifi to download Child Porn you will be condemned. In fact if i recall well, having an unprotected Wifi in France is a crime. At the time it was a move against piracy.

Running a TOR node can be dangerous too. If you have an exit node and child porn come through it, the judges will consider you have downloaded child porn.

Yeah, French internet laws are idiotic and the French IT people are aware of that. I recall the commotion when they were voted.

Caveat, some aspects of some of these laws might have been amended but i doubt it.

Re:

[bobbied]

Even in France, the people get the governance they elect, thus they deserve what comes from stupid laws like this.

Re:

[AmiMoJo]

They need to log the MAC addresses and the IP address assigned to them, and the DNS queries they make.

Hopefully people are aware they need to use a VPN on public networks.

libraries

[swell]

In the US, librarians were once the protectors of privacy and freedom. If you wanted to check out a book that the government didn't like, you could do so knowing that the library won't tell the government. Even if the storm troopers charged into the library and demanded to know the names of everyone who read [Mein Kampf, for instance], the librarian would protect your privacy. Across the nation, this was standard procedure.

Now, of course, if you want to use the library computer you have to scan your library

How is that going to work for Starlink?

[schwit1]

Was the user in France?
What are the log retention laws for each country I'm flying over or driving through?

The technical challenges could be daunting.

Modern times

[Dunbal]

There are so many laws nowadays that if anyone wants to throw you in jail they can easily find an excuse. And every year they add more.

Godwin's law

[Y2K is bogus]

Yeah, I'm gonna go there. We liberated France and drove out the NOTzis, just so they could return 60 years later...

Re:

[sxpert]

you elected one as president, for god's sake !

Re:

[Aristos Mazer]

Maybe ISPs should be buying cafe franchises?

Re:

[Kaenneth]

Comcast/Starbucks merger.

Re:

[Aristos Mazer]

Starcast? Probably too easily confused with SpaceX's new offering.

Combucks? Yeah. That sounds like a cable company thing.

Re:

[Aighearach]

I have had this dilemma on behalf of my client, and we were instructed officially to leave this to ISP

Wait, wait, you're involved enough to have "clients" but you can't figure out how to advise them to turn on logging?

Instead of advising them to "leave this to ISP," by which you mean, not make any effort to comply, perhaps instead you could have advised them to pay a local Rent-a-Nerd type of person for $100/month of support services, including a router and log health checkup?

Re:

[jythie]

Does the 'logging' switch in an off the self wifi router meet the requirements of the law?

Re:

[bobbied]

I have had this dilemma on behalf of my client, and we were instructed officially to leave this to ISP, who has MEANS to handle it professionally. The issue is, no bar or cafe is itself in position to handle it, being only distribution point for ISP.

I'm just guessing here, but I'll bet their ISP would be aghast that their customer was sharing access to their network over an open WiFi connection. My ISP would consider that a violation of my TOS, though admittedly I'm a residential customer.

Re:

[Cederic]

No, the bar, cafe or hotel is acting as an ISP in this regard and should gain access to the necessary skillsets to do it properly.

The ISP has no visibility or access to the wifi access points unless they're explicitly being paid to provide public access as a service, in which case the establishment has paid for access to the necessary skillsets.

Re:

[chadenright]

How will big business screw you over if they can't monitor your every second of internet usage, though? Just think of the children!

Re: Anonymous Cowards banned from Slashdot

[Anonymouse Cowtard]

There is no difference, it's despicable. Every injustice comes back to the banning of ACs on dotslash

Re:

[Nikademus]

If you read the articles in french, it seems they have been arrested with handcuffs and all and put into some mild form of detention. But I guess people connected to their wifi have done 'bad' things and that's why they have been targeted. Also, french providers are able to give you an access point made for sharing which logs everything according to the law, but this is more expensive.