French Cybercrime Expert Discusses Loppsi 2 Legislation

Drew Wilson | June 7, 2009

It’s been one of the more heated debates surrounding technology in France today. The Loppsi 2 law proposal, which would allow the French government to censor websites and allow police to upload key loggers and trojans onto people’s computers without their consent, has been a heavily debated piece of legislation, and now a cybercrime expert, Guillaume Lovet, has taken some questions and comments from the public and posted his responses.

Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes.

For many, it’s viewed as a country going from bad to worse in terms of law proposals. First, there were the French three strikes laws and other similar pieces of legislation, and now LOPPSI 2. Last month, we broke the news for English speakers about this legislation, and now a French cybercrime expert was able to discuss various aspects of the law in French newspaper Le Monde (Google translation), and there were some interesting points being made throughout the numerous responses.

The first response noted that, traditionally, surveillance involved microphones and video cameras. Since it requires a lot of time and money to have them installed covertly on someone, it’s not scalable – that is to say, you can’t spy on tens of thousands of people because it requires too much time and money. The same cannot be said for installing key loggers and trojan horses on people’s computers for covert surveillance purposes: once one creates a trojan or a piece of spyware, theoretically, it can be installed on thousands of machines at no extra cost because the scalability is far greater. This leads to the fact that this legislation paves the way for unprecedented surveillance powers for police and the government.

Another point is the fact that people with malicious intent, or criminals for that matter, use precisely the same kind of technology that is supposed to be used by police. This is important because anti-virus and anti-spyware technology is specifically designed to block such technology. It then leads into a more disturbing question – are anti-virus companies going to be ordered by the French government to create white-lists for Trojans and spyware? Not mentioned in the response is whether someone is going to create their own programs to detect and remove such technology should that happen.

In one part of the conversation, there was the question of who these viruses and spyware are intended for in terms of geography. The legislation is intended to be for traditional criminals on French soil. Not mentioned in the response is that, given how networked today’s society is on the internet, confining malware to one country in particular is going to be an extremely difficult proposition in and of itself.

Still, in another response, Lovet discussed the fact that the legislation is intended to stop child pornography and terrorists – yet, in practice, that turned out to not be the case in countries like Australia, England and Thailand, where legitimate websites wound up being in the blocklist as well – both Australia and Thailand had sites on the blacklist for nothing more than political purposes.

Lovet touched on the fact that, while malware exists to covertly activate microphones and webcams, the legislation doesn’t cover such activity, as the legislation talks about content that appears on the individual’s computer screens.

While discussing the web censorship side of things, there were discussions about SSH and TOR. Those who are familiar with such technology could easily bypass the web censors of France. Therefore, informed people can, indeed, escape the censors while uninformed people would be affected.

When asked whether or not bypassing web censors was legal, Lovet responded, saying that this is a very good question, but he didn’t have an answer.

There was a question about which operating system the malware would target. In response, Lovet suggested that it’s impossible to have malware programmed for all systems given how deep the malware would be embedded. This, of course, doesn’t rule out the possibility that different malware could be used for different operating systems.

The topic of how the blacklist would be compiled was brought up. Unfortunately, just like Australia and Thailand, the list would be compiled in secret and away from public scrutiny. While it’s a great idea for an independent entity to offer some checks and balances, this doesn’t seem to be a part of the legislation – thus opening the door for an incident similar to what happened in England, where Wikipedia was blocked, not just what happened in Australia and Thailand.

All in all, Lovet says that this new legislation gives a government a foot in the door toward government censorship on the internet.

From what we can observe on an international level, when it comes to topics like censorship and surveillance, this follows a worldwide trend of legislate first, address accountability later – and it always has been this kind of thing that ends badly for the government. From the examples we’ve seen, the blacklist ended up being leaked, legitimate websites are discovered on the list and the government looks bad (this is putting it mildly) as a result.

Still, the awareness of such a law doesn’t necessarily present this law in a good light. When legislation requires a certain amount of effort to be portrayed in a positive light, should it be considered at all given the negative impacts on online rights? More importantly, what does this legislation open the door to when the copyright industry pressured the world to follow the French model of three strikes?

Drew Wilson on Twitter: @icecube85 and Google+.