Using FTP is illegal

I have been working with some web agencies and interviewing some developers lately, and too often (i.e. all of them) they have been working in companies where releasing a new version of a website is done by pushing the code to the servers over FTP (and none of them over an encrypted tunnel such as TLS or a VPN…).

FTP is a very old (47 years old…) file transfer protocol (hence the name) that is poorly designed by today’s standards and not secure (there wasn’t much need for security on the internet of 1971). There are far better alternatives; for instance, I have been using SSH since my first job in 2004, 14 years ago (SSH is already 23 years old and heavily used)… So I really don’t understand why so many people are still using FTP (hint: Windows).

But now there is a very good reason for not relying on FTP: it’s probably illegal to use it.

As you certainly know, the General Data Protection Regulation has been enforced since the 25th of May 2018. This regulation requires that personal data be stored and handled securely. So obviously, if your website or server holds personal data of European citizens, sending the FTP login and password for the production servers in plain text over the internet is not allowed.
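To make the plain-text point concrete from a defender's side, here is an added example (not from the original post) of the check an auditor would run over a captured FTP control channel: the FTP login is two commands, USER and PASS, and anyone on the network path reads them verbatim unless the client first negotiated TLS (explicit FTPS, RFC 4217: the client sends AUTH TLS and the server answers 234, after which a passive observer sees only ciphertext). The transcript lines, host name and credentials below are constructed for the example; the audit deliberately records only the length of the exposed password, never the secret itself.

```python
"""Audit a captured FTP control channel for credentials sent in the clear.

Added example, not part of the original post. The captures below are
constructed: one control-channel message per line, prefixed with the
direction (C: client -> server, S: server -> client).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed capture of a plain FTP deployment login (no TLS at all).
SAMPLE_CAPTURE = """\
S: 220 deploy.example.invalid FTP ready
C: USER webdeploy
S: 331 Password required for webdeploy
C: PASS Sup3rSecret!
S: 230 Login successful
C: CWD /var/www/site
S: 250 Directory changed
"""

# Constructed capture of an explicit FTPS login: after the 234 reply the
# USER/PASS exchange happens inside TLS, so the sensor never sees it.
SAMPLE_CAPTURE_FTPS = """\
S: 220 deploy.example.invalid FTP ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""

_LINE = re.compile(r"^(?P<dir>[CS]): (?P<msg>.*)$")


@dataclass
class Finding:
    line_no: int            # 1-based line in the capture where PASS appeared
    user: Optional[str]     # username from the preceding USER command, if any
    password_length: int    # length only; the secret itself is never retained


def audit_ftp_session(capture: str) -> List[Finding]:
    """Return one Finding per PASS command visible in plain text."""
    findings: List[Finding] = []
    tls_requested = False   # client sent AUTH TLS/SSL (RFC 4217)
    tls_active = False      # server accepted with 234; channel is now encrypted
    last_user: Optional[str] = None

    for line_no, raw in enumerate(capture.splitlines(), start=1):
        m = _LINE.match(raw)
        if not m:
            continue  # not a control-channel message; ignore
        if tls_active:
            break     # a passive observer sees only ciphertext from here on
        direction, msg = m.group("dir"), m.group("msg")

        if direction == "C":
            verb, _, arg = msg.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                tls_requested = True
            elif verb == "USER":
                last_user = arg
            elif verb == "PASS":
                # Credentials crossed the wire unencrypted: record the exposure
                # without storing the password.
                findings.append(Finding(line_no, last_user, len(arg)))
        elif direction == "S" and tls_requested and msg.startswith("234"):
            tls_active = True

    return findings


def report(capture: str) -> str:
    """Human-readable summary of an audit, suitable for a ticket or log."""
    findings = audit_ftp_session(capture)
    if not findings:
        return "OK: no plaintext FTP credentials observed"
    return "\n".join(
        f"EXPOSED: line {f.line_no}: user={f.user!r} "
        f"password sent in clear ({f.password_length} chars)"
        for f in findings
    )


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
    print(report(SAMPLE_CAPTURE_FTPS))
```

Run against the first capture the audit flags the PASS on line 4 for the user `webdeploy`; against the FTPS capture it reports nothing, because the login never appears on the wire in the clear. The same logic applies to a real sensor feed once the messages are normalised to the `C:`/`S:` line format used here.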
