Anti-Terrorism Law: Understanding the Problems of URL Analysis
A new anti-terrorism bill tabled by the government intends to perpetuate and strengthen surveillance on the net. The text targets in particular addresses pointing to resources on the Internet, suggesting that the web addresses of sites visited by Internet users could be collected and processed. But this path faces certain limits and raises some problems.
A new anti-terrorism bill is due to be presented to the Council of Ministers on Wednesday April 28, one more in the long list of texts adopted over more than thirty years. We already know that this legislation will perpetuate an experimental provision in place since 2015, namely the detection, by algorithms, of signals on the net that are linked to terrorism.
But the bill relating to the prevention of acts of terrorism and intelligence, which the Next Inpact site shared ahead of time, reveals another, more surprising facet: the executive appears to want to bring into online monitoring the web addresses (or URLs) of the sites that Internet users visit from France.
Legally, the document provides for updating article L851-3 of the Internal Security Code to include in automated processing “”, still with the aim of “”. Here again, this collection is done “”, which the law already provides for the other data collected.
Does this mean that this is the prelude to mass surveillance of the sites visited by the French? The wording of the Internal Security Code states that these provisions are operated “”, for “”, and require specific authorization.
What about personal or sensitive data in URLs?
Unlike classic metadata (i.e. peripheral information giving context to content, such as what time a piece of content was sent, to whom, by what means, from what location, etc.), web addresses are a case apart, because they can say a lot about a person, including directly or indirectly indicating personal or even sensitive data.
Not all web addresses say the same thing about a person. Collecting addresses may seem trivial when it comes to google.fr or facebook.com. It is a different matter with, for example, victorcrelamuco.org or dialogai.org. These two sites, picked here at random, may hint at the situation of the person visiting them. Yet illness and sexual orientation are particularly sensitive data.
This issue is far from new. Already in 2016, the National Commission for the Control of Intelligence Techniques indicated in its opinion that, while collecting the addresses of visited sites can be considered for monitored Internet users, this must be done provided they are not too precise. The trouble is that the concern can arise from the domain name alone, as with victorcrelamuco.org.
The Commission explained at the time that the connection data “”. How, then, should addresses be sorted if they carry information, between those which are only a simple container (for example doctissimo.fr) and those which reveal content (doctissimo.fr/html/dossiers/cancer/cancer-vie-quotidienne.htm)?
ISPs don’t care about addresses
Another obstacle this law faces is that operators neither store nor process addresses. Article L34-1 of the Postal and Electronic Communications Code states that these tasks “”.
This was confirmed to us in 2017 by Alexandre Archambault, a lawyer specializing in networks and former head of regulatory affairs at Free, on a completely different subject. “”, he said at the time, adding “”.
Operators need IP addresses, that is, addresses used to contact machines on the network and thus establish a connection. This is how the Internet user (via their Internet box, which has its own IP address) can reach the site that interests them (whose server also has an IP address). The address typed into the browser, on the other hand, is useful to the service.
Commenting on the new legislation, Alexandre Archambault took the opportunity to recall on Twitter that the Constitutional Council has explicitly stated that connection data cannot relate to the information consulted (URLs, DNS requests…). The body ruled on a priority question of constitutionality concerning administrative access to connection data.
The web is increasingly encrypted
In addition to the legal provisions which mean that, in France, operators neither process nor store addresses, there is also a technical reality: online traffic today is massively encrypted, partly in response to… the mass surveillance revealed in 2013 by Edward Snowden, when he released documents showing NSA activity on the net.
Thus, secure connections to websites through the HTTPS protocol have become the overwhelming majority: the dashboard that Google provides to track its use shows that more than 90% of web pages seen by Chrome are loaded in HTTPS (and even around 95% in France). HTTPS has supplanted the insecure HTTP, and it also protects the Internet user against other threats.
Added to this is the emergence of another technical development, called DNS over HTTPS, or DoH. With this mechanism, requests and responses between your PC and the DNS servers (which indicate which IP address corresponds to which web address) are no longer sent in the clear. DNS resolution is done with a layer of cryptography. We went into DoH in a bit more detail in this article.
Stéphane Bortzmeyer, R&D engineer at AFNIC, the organization which manages the top-level domain name attributed to France (“.fr”), explained that the DNS turns out to be “” – in any case, not yet. The point is, browsers like Chrome and Firefox shouldn’t make French counterterrorism plans any easier.
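The following Python sketch is an added example, not part of the original article: it models which parts of a page load an on-path operator can read, using the doctissimo.fr address quoted above, to make the container/content distinction and the effect of HTTPS and DoH concrete. The function names and the `doh`/`ech` switches are assumptions of this model, which also assumes that classic DNS and the TLS server name (SNI) travel in clear unless DoH or Encrypted ClientHello is in use.

```python
from urllib.parse import urlsplit

def observe(url, doh=False, ech=False):
    """List (source, value) pairs an on-path operator can read for one page load.

    Model assumptions, not taken from the article: classic DNS travels in
    clear, the TLS ClientHello exposes the server name (SNI) unless
    Encrypted ClientHello (ech) is in use, and ech only matters with HTTPS.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    seen = [("dest-ip", "<server address>")]  # always needed for routing
    if not doh:
        seen.append(("dns-query", host))
    if parts.scheme == "https":
        if not ech:
            seen.append(("tls-sni", host))
        # path and query travel inside the TLS tunnel: not observable
    else:
        seen.append(("http-host", host))
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
        seen.append(("http-request-target", target))
    return seen

def precision(seen):
    """Grade an observation: 'content', 'container' or 'ip-only'."""
    sources = {src for src, _ in seen}
    if "http-request-target" in sources:
        return "content"      # full page address, e.g. a cancer dossier
    if sources & {"dns-query", "tls-sni", "http-host"}:
        return "container"    # site name only, which can still be revealing
    return "ip-only"

# Address quoted in the article, loaded over different transports.
PAGE = "doctissimo.fr/html/dossiers/cancer/cancer-vie-quotidienne.htm"

if __name__ == "__main__":
    for label, url, kw in [
        ("HTTP", "http://" + PAGE, {}),
        ("HTTPS", "https://" + PAGE, {}),
        ("HTTPS + DoH", "https://" + PAGE, {"doh": True}),
        ("HTTPS + DoH + ECH", "https://" + PAGE, {"doh": True, "ech": True}),
    ]:
        print(f"{label:18} {precision(observe(url, **kw))}")
```

In this model HTTPS with DoH still grades as "container": the page path is hidden, but the site name remains readable, which is the case the article raises for domain names that are revealing in themselves.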