Last week, the private company responsible for enforcing France's "three strikes" copyright law was found to be massively insecure, prompting France to suspend the program. Under France's HADOPI copyright law, households lost their Internet connection if they received three accusations of copyright infringement committed on their network. TMG, the private contractor that maintained the system, suffered a massive breach when hackers showed that it hadn't taken even the most rudimentary steps to secure its servers.
Now, Ars Technica reports that it's not just TMG's security that's flawed -- the breach has also revealed that its data-gathering system is as untrustworthy as its perimeter security:
TMG's server was running a custom-written administration program coded in Delphi. It had the unusual security feature of not requiring any authentication at all, allowing anyone connecting to port 8500 to send commands to the server. The commands it supports are limited--shutdown or reboot the computer, stop or start a peer-to-peer client, and update the software on the server--but due to their shoddy design these commands are sufficient to allow hackers to do whatever they want. The update command connects to an FTP server, retrieves a file, and then executes it--all without authentication--and rather than connecting to a specific FTP server, it allows the server to be specified when the update command is given.
French "three strikes" anti-piracy software riddled with flaws
This allows an attacker to set up their own FTP server, put their malicious program onto the server, and then tell the TMG system to update from the hacker-controlled server. In this way, they can make the TMG server run whatever software they want. If all of TMG's anti-piracy servers are running the same administrative program, then they are all susceptible to being attacked in this same, trivial way.
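The Ars Technica passage above describes two separate defects: an administrative port that accepts commands from anyone, and an update command that fetches a file from whichever FTP host the caller names and runs it. What follows is an added illustration written for this page, not TMG's own code (which has never been published) and not Ars Technica's: a small Python model of the same command set with the three checks the described server lacked, namely an HMAC-authenticated request, an update source pinned in configuration rather than supplied by the caller, and a digest check on the fetched file before anything would be installed. The key, host names, payloads and the in-memory stand-in for FTP are all constructed for the example.

```python
import hashlib
import hmac
import json

# All values below are constructed for this example; none come from TMG.
ADMIN_KEY = b"constructed-shared-secret"      # assumption: pre-shared key for the admin port
UPDATE_HOST = "updates.example.invalid"        # assumption: the single pinned update source
LEGIT_PAYLOAD = b"constructed legitimate update payload"

# Digests the operator would ship with the agent's configuration; derived here
# from the sample payload only so that the example runs stand-alone.
PINNED_SHA256 = {"/agent-1.1.bin": hashlib.sha256(LEGIT_PAYLOAD).hexdigest()}

# In-memory stand-in for the FTP servers an update request could name.
FAKE_FTP = {
    (UPDATE_HOST, "/agent-1.1.bin"): LEGIT_PAYLOAD,
    (UPDATE_HOST, "/agent-1.2.bin"): b"constructed payload with no pinned digest",
    ("other.example.invalid", "/agent-1.1.bin"): b"constructed payload from an unpinned host",
}

# The command set Ars Technica lists, plus nothing else.
ALLOWED_COMMANDS = {"shutdown", "reboot", "stop_p2p", "start_p2p", "update"}


def sign(body: bytes, key: bytes = ADMIN_KEY) -> str:
    """HMAC-SHA256 tag that a caller must present alongside each request."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_request(cmd: str, key: bytes = ADMIN_KEY, **fields) -> tuple[bytes, str]:
    """Serialize a command and tag it, as a legitimate operator tool would."""
    body = json.dumps({"cmd": cmd, **fields}, sort_keys=True).encode()
    return body, sign(body, key)


def fetch(host: str, path: str) -> bytes:
    """Stand-in for an FTP retrieve against the constructed table above."""
    try:
        return FAKE_FTP[(host, path)]
    except KeyError:
        raise ConnectionError(f"no such file {path!r} on {host!r}") from None


def handle_command(body: bytes, tag: str, key: bytes = ADMIN_KEY) -> tuple[bool, str]:
    """Hardened admin handler. Returns (accepted, reason) and never executes anything."""
    # Check 1 (absent in the described server): authenticate before parsing.
    if not hmac.compare_digest(sign(body, key), tag):
        return False, "rejected: bad or missing authentication tag"
    try:
        msg = json.loads(body)
    except ValueError:
        return False, "rejected: malformed request"
    cmd = msg.get("cmd")
    if cmd not in ALLOWED_COMMANDS:
        return False, f"rejected: unknown command {cmd!r}"
    if cmd != "update":
        return True, f"ok: {cmd}"
    # Check 2 (absent): the update source is pinned, not chosen by the caller.
    host = msg.get("host", UPDATE_HOST)
    if host != UPDATE_HOST:
        return False, f"rejected: update source {host!r} is not the pinned host"
    path = msg.get("path", "")
    try:
        payload = fetch(host, path)
    except ConnectionError as exc:
        return False, f"rejected: {exc}"
    # Check 3 (absent): verify the file against a pinned digest before it could run.
    expected = PINNED_SHA256.get(path)
    actual = hashlib.sha256(payload).hexdigest()
    if expected is None or not hmac.compare_digest(actual, expected):
        return False, f"rejected: {path!r} does not match a pinned digest"
    return True, f"ok: update {path} verified, would install"


if __name__ == "__main__":
    # A caller naming its own update host is refused before any fetch happens.
    body, tag = make_request("update", host="other.example.invalid", path="/agent-1.1.bin")
    print(handle_command(body, tag))
    # The same request against the pinned host with a known-good file is accepted.
    body, tag = make_request("update", path="/agent-1.1.bin")
    print(handle_command(body, tag))
```

A production version of this handler would also need replay protection (a nonce or timestamp inside the signed body), transport encryption on the admin port, and a signature over the update rather than a digest table that has to be redistributed with every release; the digest is computed from the sample payload here purely to keep the example self-contained.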
(Image: Drapeau Hadopi, a Creative Commons Attribution (2.0) image from 17962689@N08's photostream)
TMG, a private contractor that administers France's HADOPI copyright system, has been hacked, resulting in a temporary suspension of HADOPI. Under HADOPI, people who use an Internet connection where one or more users have been accused of multiple acts of copyright infringement lose their Internet access for a year. TMG was in charge of storing the entertainment industry's enemies list of networks that had been used by accused infringers, and their security was basically nonexistent. The hack resulted in a dump of administrative material and IP addresses, and the head of the HADOPI agency announced that they would not gather IP addresses while they got their house in order. The UK has a plan to gather the IP addresses of networks used by accused infringers as well -- will they pick a better contractor to administer it than France did?
The problems appear to be real. Eric Walter, the head of France's HADOPI antipiracy agency that administers the "three strikes" regime, took to Twitter to tell the world that "par mesure de précaution l' #hadopi a décidé de suspendre provisoirement son interconnexion avec #TMG" [as a precautionary measure, #hadopi decided to temporarily suspend its interconnection with #TMG].
France Halts 'Three Strikes' IP-Address Collection After Data Leak
This temporary suspension of the interconnect agreement means that TMG -- the only private firm cleared to collect the IP addresses needed for HADOPI to function -- can't provide new addresses for the moment.
French tech sites like Numerama have run with the story, posting lists of questions that "need to be answered" by HADOPI and by French data-security authority CNIL.
(Image: HADOPI, a Creative Commons Attribution (2.0) image from goodvibez's photostream)
In a fascinating interview with TVOntario's Search Engine podcast, Michael Geist describes and predicts the likely outcome of the years and years of wrangling over Canada's new copyright bill, which includes a sweeping DRM clause that makes it illegal to modify your own equipment, even if you're not otherwise breaking copyright law, making it one of the most radical DRM laws in the world. Michael sees reason to hope for a more moderate C-32 in its final form -- I hope he's right.
It All Comes Down to This on Copyright?
New Zealand's three-strikes Internet law is back. Under this proposed copyright law, people who are accused without proof of multiple copyright infringements can eventually face disconnection from the Internet, along with their families. A substantively similar law was passed and then rescinded in 2009, after enormous public outcry. The parliamentary committee responsible for the legislation describes it as being based on the presumption of guilt (not innocence, as is customary in democratic societies).
Such fines would be levied by a Copyright Tribunal after a particular account holder racked up several notices, and these notices would adopt a "guilty until proven innocent" approach. As the committee report puts it, "an infringement notice establishes a presumption that infringement has occurred, but this would be open to rebuttal where an account holder had valid reasons, in which case a rights holder would have to satisfy the tribunal that the presumption was correct. We consider that such a change would fulfill more effectively the aim of having an efficient 'fast-track' system for copyright owners to obtain remedies for infringements."
New Zealand P2P proposal: guilty until proven innocent
It's hard to argue with the logic of speed here; creating a presumption of liability certainly will "fast-track" the process, though concerns about accuracy remain. As a New Zealand legal blogger noted this week, almost one-third of all New Zealand copyright litigation fails because rightsholders can't actually show they own the copyright and that the copyright is governed by New Zealand law. And Google has previously indicated that large percentages of the infringement claims it routinely receives are defective in some way.
InternetNZ, which runs the top-level .nz Internet domain, said in a statement that the new presumption of liability "reverses the burden of proof in the regime by saying that rights owners' notices will be considered conclusive evidence of infringement, with alleged infringers having to prove they have not done so. This reversal of proof is not a welcome development, and our initial view is that it should not be passed by Parliament."
(Image: Blackout, a Creative Commons Attribution (2.0) image from leighblackall's photostream)
France's HADOPI administrator (which processes copyright accusations against Internet users) is now receiving 25,000 complaints a day. A family whose household attracts three unsubstantiated complaints is disconnected from the Internet for a year. Meanwhile, use of non-P2P downloading sites to get access to infringing copies is way up.
France's "3-strikes" rule comes into effect this week, and multinational corporations are already flooding French ISPs with more than 10,000 requests a day for the personal information of accused infringers; they estimate that this number will go up to 150,000 users/day shortly. Once a user has received three unsubstantiated accusations of infringement, the entire household is cut off from the Internet for a year, and it becomes a crime for any other ISP to connect that family or household. The only opportunity to defend yourself from the charge is a brief "traffic-court"-like streamlined judiciary.
ISPs that are not able to turn over 150,000 personal identities per day face a fine of €1,500 per accused infringer.
The Internet providers will be tasked with identifying the alleged infringers' names, addresses, emails and phone numbers. If they fail to do so within 8 days they risk a fine of 1,500 euros per day for every unidentified IP-address.
France Starts Reporting 'Millions' of File-Sharers
To put this into perspective, a United States judge ruled recently that the ISP Time Warner only has to give up 28 IP-addresses a month (< 1 per day) to copyright holders because of the immense workload the identifications would cause.
All the major French ISPs have to cooperate with the identification process, and the first 'victims' are expected to be disconnected or fined in a few months when they receive their third warning. At this point it is doubtful whether Hadopi will in fact decrease the piracy rate.
Canadian Heritage Minister James Moore made headlines last month when he called opponents of his US-style copyright bill "radical extremists" and urged his supporters to "confront them" at every turn.
Now the Minister is declining requests from his local mainstream press to defend his own bill, which ignores the results of his own public consultation, wherein an overwhelming majority of Canadians were against protecting "digital locks" on ebooks, movies, games, and music: "Moore, who besides being heritage minister is also the Conservative MP for Port Moody-Westwood-Port Coquitlam, refused to comment on Bill C-32."
Canadian copyright bill opens up debate on digital locks
(via Michael Geist)
(Image: Soy Sauce Chicken, a Creative Commons Attribution Share-Alike (2.0) image from fotoosvanrobin's photostream)
Michael Geist sez, "When Canadian Heritage Minister James Moore delivered his speech last month labeling any opponents of his copyright bill 'radical extremists,' some noted that the comments ran counter to many well-known groups and individuals who had expressed concern with the digital lock provisions found in C-32. Working with one of my research assistants Tamara Winegust, we've created an annotated edition of the speech that mixes in comments from politicians and groups involved in copyright issues."
James Moore's "Radical Extremists" Speech: Annotated Edition
Remember Balanced Copyright for Canada, the shadowy "citizen's group" that encouraged members to send form letters to media outlets skeptical about Canada's new, US-style copyright law? Turns out it's a front for the big US labels.
Michael Geist sez,
After several weeks of delays, the Balanced Copyright for Canada site which has been engaging in astroturfing on Canadian copyright reforms, revealed its funding and advisory board late on Tuesday night, hours before the Canada Day holiday. The primary source of funding is not a surprise: this is a Canadian Recording Industry Association production.
Balanced Copyright for Canada Board and Funding Revealed
The composition of the advisory board is interesting. First, of the 13 members, more than half are either record company executives, former record company executives, or lawyers who represent record companies. No surprise given the site's backing, but not exactly the promised "employees, unions, artists and creators." In fact, it is notable that there are very few prominent creators and not many representatives from creator groups outside the music industry such as authors, performers, directors, or artists. In fact, despite an earlier claim that Loreena McKennitt would be on the advisory board, those plans apparently changed.
The board also includes one lawyer who just three months ago argued in a paper that form letters carry little value in public policy process, yet is now on the board of a site that requires a form letter that cannot be edited in order to participate.
Hadopi, the French agency that's in charge of the country's new anti-piracy scheme (if someone you live with is accused of three acts of infringement, your whole household is taken offline and added to a list of addresses to which it is illegal to provide Internet access) has been accused of pirating the font used in its logo. The font designer is talking lawsuit. Hadopi says it wasn't infringement, just an "error of manipulation."
It's tempting to count coup here, but it's more important to recognize that Hadopi has proved that the copyright minefield is an unnavigable mess and that the guillotine is too blunt an instrument to use in its policing. If an organization charged with policing copyright with absolute, unaccountable power can't stop its employees from committing unwitting acts of infringement, how can a mere family ensure that no act of infringement takes place over its network connection?
In the meantime, I'm sure that if Hadopi commits two more acts of infringement, it will order its own offices taken offline for a period of a year.
The logo, already officially registered for 2 months with the National Institute of Industrial Property, had been created with an unlicensed font called "Bienvenue."
French 3 Strikes Group Unveils Copyright Infringing Logo
This font was originally created by an employee of France Telecom in 2000, designer Jean-François Porchez. Writer Julien L from French news site Numerama told TorrentFreak that the problem goes even deeper.
"The problem is, this font was an 'exclusive corporate typeface'. It couldn't be used for other purposes than France Telecom/Orange products," he told us...
Yesterday there was panic, as Hadopi tried to repair the damage by sourcing new matching fonts they could license legally.
Hadopi has issued an apology through gritted teeth, but while France Telecom-Orange has confirmed it won't be taking legal action over the infringement of its rights, the same cannot yet be said of Jean-François Porchez. He has contacted his lawyer to see what can be done.