HADOPI, France’s three strikes law and organization that oversees the enforcement of this law, has taken quite a beating on the PR front. Now they seem to be trying to push back by denying that they are forcing users to install spyware to prove innocence. They also called the initiative SOS-HADOPI – a commercial service dedicated to helping those who find themselves on the other end of a copyright accusation – an “abuse”.
Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes
Nearly two weeks ago, we interviewed Renaud Veeckman, the person who beat the French government to getting a trademark for HADOPI (though whether Veeckman or the government owns that particular trademark is currently in dispute and is being worked out in the French court system). During the interview, he mentioned one of the services currently starting up called SOS-HADOPI.
The service is suppose to launch by around September 15. Veeckman, during the interview, described the service as, “a helpline for people who have been affected by Internet Piracy or want to prevent it. For this, we created a national network of lawyers.”
Apparently, this didn’t sit well with HADOPI.
“The Hadopi denounced this practice and made the amalgam by the proponents of this commercial service,” said the High Authority (Google translation), which “warns users against such abuses.”
As for the spyware that HADOPI was mulling, they had this to say:
“The Creation and Internet law, passed by Parliament, confirmed by the Constitutional Council, no obligations installation by users of specific software to “prove their innocence” at any time the user is presumed “guilty” in the process of graduated response implemented by Internet Piracy” said the High Authority.
“One of the legal responsibilities of Internet Piracy is to offer users a label for a means of securing their subscription Internal t” he said. “To this end, and in accordance with the law, Internet Piracy has committed an initial consultation on a first draft of specifications defining the characteristics of such security means”.
“Calling this project in the state of spyware – software that installs without the knowledge of the user – is tendentious and inaccurate. In any event, this project has been the subject of no validation by the High Authority. Consultation is not closed and will, moreover, be prolonged “continues the statement.
Numerama, a French news site, posted the following comments on this (Google translation):
Currently, as we pointed out during the operation Hadopi leaflets , the label “Hadopi security means” has not yet been awarded to any software enabling secure Internet connection. The difficulty in developing an effective mechanism is emerging through this press release, since the High Authority indicates that the consultation on the specification will be extended.
So, in other words, the French government is arguing that users, specifically under the law, to install spyware to prove their innocence. Technically, this is true for the time being. Still, as we found out back in July, one of the issues within the law is that users have to protect their internet connection in case someone, say, hacked their Wifi connection to download infringing material. If someone is accused of copyright infringement and they didn’t actually infringed copyright, and their connection is insecure, then they can be charged with gross negligence under the law. The problem is, what is defined as a secured internet connection so that users have to prove their innocence? That is why the French government launched the public consultation.
One of the proposals is that everyone install what amounts to spyware on their computers. The document was leaked in early August which showed that this was a proposal that HADOPI was interested in. HADOPI requested that the software satisfy the following:
* the real time observation of protocol traffic;
* analysis of configuration files, including static analysis of the programmes installed and the router, and dynamic analysis of the use of the connection;
* logs of all activity on the Internet access â€” including activation /deactivation, modification of any security profiles â€” to be kept for a year;
* a system of alerts warning users if they are about to use a P2P connection: for example, “You are about to download a file using a P2P protocol â€” do you want to continue?”.
HADOPI argued that this wasn’t spywar because spyware is installed without the users consent. So what is Spyware? We can look this up on Wikipedia to find out:
Spyware is a type of malware that can be installed on computers and collects little bits of information at a time about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user’s personal computer. Sometimes, however, spywares such as keyloggers are installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users.
While the term spyware suggests that software that secretly monitors the user’s computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet or functionality of other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software.
So, just reading the first paragraph in its entirety and not just the first two sentences, suggests that what is being proposed is technically spyware because spyware can be installed with a users knowledge and still technically be called spyware because it logs the users activities and collects information about the users computer.
At the time when we found out about the leaked document, we commented that, on a technical front, this is a very poor idea because this would give hackers not only a specific kind of software to hack in to should an idea like this fly, but extra moral motivation to do so in an effort to protect users privacy from the government. This goes over top of the rather scary concept of the state having such direct access to knowledge of the activities of its own citizens. So, if the government is wise, it would avoid this kind of idea.
Ultimately, though, the government seems to be bending the truth. The spyware idea is a proposal that HADOPI is considering. HADOPI is saying that users are not currently obliged to install such software. This is true as of right now, but if HADOPI does choose to use the spyware solution, then they can later say that this was a new development. This is a fact that Numerama is pointing out too. What will be interesting to see is what the government chooses to do after the consultation is over. As far as we know, mandatory spyware is not off the table nor is it the solution HADOPI has officially chosen yet.