
France halts “three strikes” IP address collection after data leak

France's official "three strikes" system for dealing with online copyright …

The French government's “three strikes” approach to online copyright infringement relies on a private company that scans file-sharing networks and gathers the IP addresses of alleged Gallic content pirates. But that company, TMG, suffered an embarrassing security breach last week, and the French government has “temporarily suspended” its acquisition of new TMG data while an investigation is underway.

The embarrassing episode began last week when a French writer found a highly insecure TMG server on the Internet and managed to extract internal TMG executables and scripts, along with a cache of IP addresses. According to the initial report, the security on the server was so bad that "one wonders if TMG recently became a Sony subsidiary"—or if the server was a honeypot.

The problems appear to be real. Eric Walter, the head of the French HADOPI antipiracy agency that administers the "three strikes" regime, took to Twitter to tell the world that "as a precautionary measure, #hadopi has decided to temporarily suspend its interconnection with #TMG."

This temporary suspension of the interconnect agreement means that TMG—the only private firm cleared to collect the IP addresses needed for HADOPI to function—can't provide new addresses for the moment.

French tech sites like Numerama have run with the story, posting lists of questions that "need to be answered" by HADOPI and by French data security authority CNIL.

The BBC today provided a British perspective on the news, noting that "the UK is due to introduce similar legislation, although at this stage it has no plans to punish offenders with disconnection. But it will need to employ a firm similar to TMG."

TMG boasts about its security

Data security is taken seriously in Europe; to take one recent example, British P2P lawyer Andrew Crossley was recently fined by the government for leaking the IP addresses of alleged porn file-sharers after being attacked by the hacker group Anonymous. The revelation that TMG has also revealed IP addresses, some of which appear to belong to alleged infringers, has sparked gleeful comment among HADOPI opponents about just what a bad idea the system was all along.

The irony in all this is that the law creating HADOPI forced French citizens to secure their own connections to the Internet; claiming that "a neighbor used my WiFi" wasn't going to cut it any more. HADOPI is actually drafting its own label at the moment to slap on security products that meet its requirements—the fact that its own data supplier can't lock down its servers hardly inspires confidence.

On its website, TMG boasts about its security. "TMG has secured the entire production platform and we have closed access thanks to high reliability security systems," it says. "We guarantee the confidentiality of our customers' strategic information."
