French bar owners arrested for offering free WiFi but not keeping logs

At least five bar owners in Grenoble, France have been arrested for providing WiFi at their businesses without keeping logs.

The bar owners were arrested under a 2006 law that technically classifies WiFi hotspot providing establishments as ISPs, and require them to store one year's worth of logs or connection records for anti terrorism purposes. This requirement is in place even if the WiFi network is password protected. [...]

It seems that most people aren't aware that even small businesses like bars, cafes, nightclubs, and restaurants that offer WiFi to their patrons are faced with these logging requirements. One of the arrested bar owners noted that the relevant organization, Umih, never noted this requirement when renewing his license:

"Nobody, not even the professionals of Umih who provide compulsory training as part of a license IV resumption, to me never said I should keep this history."

In response to questions by BFM Business, Umih admitted that the training doesn't mention WiFi logging but noted that Umih members should have known about this important requirement because it was mentioned in a newsletter.

Previously, previously, previously, previously, previously.

Tags: , , , , ,

7 Responses:

  1. Marc Lacoste says:

    1. The illustrative pic does not show Grenoble but postcard-picturesque Montmartre in Paris;
    2. The UMIH is just an association of professionals, they are not responsible for keeping track of every law (but they could if they wanted to), every business is ultimately responsible for that;
    3. Enforcing a very seldom-used law is just a way to piss off bar owners who aren't cool with the local authorities;
    4. Nobody uses the bar wifi, 4G coverage is great everywhere;
    5. Very seldom-used laws should be ditched.

  2. tfb says:

    I suppose the answer will be that, 'well, no, we don't offer wifi any more: we have a wifi network of course because everyone has one, but it's not public as it is password-protected, and the password is very hard to guess...'

    • Nick Lamb says:

      But, that's an undesirable future. The Right Thing™ as an end goal is ambient network access. On the path there we've been training people to use global federated systems. EduROAM is the most famous, but the far superior user experience inspires other systems, which leads to OpenRoaming. Shared secret WiFi authentication is crap, it has poor security properties, bad UX and hostile privacy behaviour. If the people designing it followed best practices from the Internet it would be slightly less crap, but still crap.

      Federated auth gets you most of the way to ambient network access. Your device has credentials, it sees a compliant WiFi network, it proposes that it can authenticate if given access to the remote authentication system it trusts, the WiFi network accedes, you get network access, done. Zero touches. No stupid "captive portals", no squinting at passwords hand written on chalkboards, you just have network access because of course you have network access, we built a network, the whole point of doing that is to give everybody access.

      One of the fixes in WPA3 is that shared "secrets" that aren't secret aren't a security win any more. Previously if you did not set a password, nothing was encrypted. So the password "password" written on the outside of your building and told to every visitor was strictly more secure than not having a password because with this "password" the connections are all encrypted and that defeats passive attackers. With WPA3 the connection is always encrypted, so passive attackers can't eavesdrop even an "open" WPA3 WiFi network. So that's nice because it is one less reason to even bother having passwords.

      • tfb says:

        But, that's an undesirable future. [blah blah blah]

        Stop the fucking stupid single-bit thinking. Is it a more or less undesirable than people getting arrested for not keeping logs of their customers' access to enable surveillance?

        • Nick Lamb says:

          The "people getting arrested for not keeping logs of their customer's access" would get arrested for serving wine in the wrong shape glasses or for not checking their customers are wearing appropriate shoes or a million other things. Doesn't our host have like an entire archive of such arbitrary "enforcement" of rules if you piss off the wrong cops?

          Finding "clever" little ways to just piss them off more isn't a meaningful contribution except in as much as it helps make everything worse. So like, "hooray" I guess?

  • Previously