Hadopi's Secret Internet Spying Spec Leaked

from the now-doesn't-that-make-you-feel-good dept

As a part of France's three strikes law, the organization in charge of implementing the program, Hadopi (which, we should remind you, was caught infringing itself in using a font it did not license for its logo), has been tasked with figuring out a way to actually block people from the internet, or to stop them from using certain file sharing programs. While there were public consultations on how to do this, the actual technical spec was supposed to have been kept secret. Not surprisingly, that didn't last very long. Glyn Moody points us to the news that the tool's spec has leaked. Basically, it's your everyday snooping software, that will monitor all internet traffic, including searching through files on your computer, and checking the router configuration. It will also act as a creepy form of Big Brother, with an alert system which, if it notices you using a file sharing program, says things like: "You are about to download a file using a P2P protocol - do you want to continue?" One hopes that it would include a button that says "Yes, Dammit, I'm Downloading Linux" or something of the sort, but that seems unlikely. The link above also notes that this appears to violate EU law, which prohibits a "general obligation to monitor."

Filed Under: hadopi, spying


Reader Comments


  1.
    Keven Sutton (profile), 4 Aug 2010 @ 1:58pm

    once again....

    At least now I know why the French rep in that ACTA Conference was so uppity about France being a "totalitarian state". It's becoming one.

    Thank you Mike for all the wonderful articles.

  2.
    ShadowSix, 4 Aug 2010 @ 2:04pm

    Encrypted everything

    The web is moving to a uni protocol stream anyway. Websockets over SSL will be the new internet, and encryption routines will be scaled up until the burden of decryption becomes too CPU intensive... then the governments of the world will have to ban encryption for non certified parties... that's where we're going folks... Criminals, sentenced for privacy not piracy. Funny, that used to be unthinkable. Now it just seems likely.

  3.
    Jay (profile), 4 Aug 2010 @ 2:14pm

    Let's remember, the politicians don't know anything about HADOPI other than what the lobbyists tell them. How they would implement this without snooping was practically anyone's guess.

  4.
    Anonymous Coward, 4 Aug 2010 @ 2:56pm

    SSL is crap, any government can have access to the certificates servers that is why they don't need to ban them.

  5.
    Michael Lockyear, 4 Aug 2010 @ 3:07pm

    How will the French government force its citizens to install this spyware?

  6.
    Anonymous Coward, 4 Aug 2010 @ 4:31pm

    @4

    you want to have net access
    install this .....

  7.
    Anonymous Coward, 4 Aug 2010 @ 4:38pm

    Re: @4

    If I install that on a virtual machine does it count?

  8.
    Anonymous Coward, 4 Aug 2010 @ 4:40pm

    Re: @4

    ...or get the patched version from the internet.

  9.
    abc gum, 4 Aug 2010 @ 5:48pm

    Re: @4

    If it didn't work in China, what makes them think it will succeed in France ?

  10.
    Anonymous Coward, 4 Aug 2010 @ 5:49pm

    Re: Encrypted everything

    "Funny, that used to be unthinkable"

    Didn't the RSA algorithm used to be considered an "Ammunition", and, therefore, illegal? It has happened before and surely will happen again.

  11.
    Anonymous Coward, 4 Aug 2010 @ 7:18pm

    I knew the French were particularly smart! They've just figured out a way to create a whole new level of bureaucracy and lower their unemployment rate by a point or two...gosh darn.

  12.
    Mih Yah, 4 Aug 2010 @ 11:36pm

    Re:

    It's not an obligation. That's only a stupid idea (the idea is that you give logs to the justice), because... you can start on a live CD.

  13.
    Hephaestus (profile), 5 Aug 2010 @ 6:20am

    Re:

    "any government can have access to the certificates servers that is why they don't need to ban them."

    And of course that leads to an escalation where people are genning their own certificates, creating their own VPNs, and an all out nuclear war of encryption.

  14.
    Hephaestus (profile), 5 Aug 2010 @ 6:42am

    "The link above also notes that this appears to violate EU law, which prohibits a "general obligation to monitor.""

    About half of what's in ACTA violates EU law. Which is why it is so easy to screw with it. Read a section of ACTA. Read EU law. Contact the correct office via e-mail, express your concerns and ask for clarification, CC a bunch of people in the press, watchdog groups, and rights organizations. Like magic people take notice, and unlike the US people actually do something.

    3 strikes, ISP monitoring of citizens, high fines, disconnection from the internet, criminalization of infringement, searches of iPods and mp3 players, etc, will all be struck down by the EU courts. Agreements to do any of these things between rights holders and ISPs will also be struck down.

    In the beginning the only countries that ACTA will affect are Canada, Australia, America, South Korea, and Mexico. In South Korea, Australia, and Canada the level of internet access and communications will scare politicians into dumping or not enforcing large sections of ACTA. Piss off 80% of the population and you don't get re-elected.

  16.
    anon, 5 Aug 2010 @ 9:40am

    Re: Re: Encrypted everything

    Well, it's not ammunition, but "a munition", and it still is defined as such. That's why export of encryption greater than 128bit is still restricted.

  17.
    Ivan, 5 Aug 2010 @ 10:25am

    Re:

    "any government can have access to the certificates servers that is why they don't need to ban them."

    Irrelevant. A Certificate Authority is never handed more than a *public* key (In a PKCS#10 Certificate Request). Once they assert you are who you claim to be, the PKCS#10 cert req is signed and the appropriate X.509 certificate is sent back to the requestor.

    No - I repeat - NO *private key* is ever sent to the CA - and the CA is no more capable of deciphering encrypted traffic than anybody else having access to the Public key - which as its name implies - is public and does not need to be hidden.

    The sole role of the CA is to assert (with its own signature - signed with their OWN private key) that the private key owner of a Public Key present in a X.509 cert is indeed the entity present in the X.509 cert (usually the CN field).

  18.
    Anonymous Coward, 5 Aug 2010 @ 10:38am

    Re:

    Uhm. Ever heard of self-signed certificates?

    Or you are one of those people who still think 'trusted' certificates are really more secure? :)

  19.
    Charlie, 5 Aug 2010 @ 10:42am

    Re: Re:

    You're right, but a friendly CA makes man in the middle much easier. I was looking through the CA list in a recent product and it seemed there were a great deal of government CAs in there. Unless people are paying attention to who signed the certificate of the web site they visit, I am sure man in the middle attacks are already happening.

  20.
    Dan, 5 Aug 2010 @ 11:26am

    Re:

    Neither HADOPI nor Gov will force you to install this crap.
    But if your IP is "seen" by the "Hadopi dogs", you can be charged for illegal use of a P2P software, or maybe downloading from Rapidshare.... You are done.
    You don't have the possibility to discuss even if you were downloading the latest Linux distro; once your IP is caught, your ISP has 15 days to give all your personal details to the Hadopi.
    Then, without any lawyer or court, your Internet will be cut for a year, and you will receive a fine from € 45.000 to € 300.000 !!

  21.
    gymno, 5 Aug 2010 @ 11:35am

    Re: Re:

    Man-in-the-Middle doesn't require Government CAs....
    Private Products already do it transparently see:

    http://www.m86security.com/products/web_security/m86-web-filter.asp

    it spoofs certs to watch https traffic.

    This is commercially available to anyone with $$$ and governments have plenty of those.....

  22.
    vivaelamor (profile), 5 Aug 2010 @ 3:38pm

    Is this even possible?

    They want: "a system of alerts warning users if they are about to use a P2P connection: for example, "You are about to download a file using a P2P protocol - do you want to continue?"". How the hell do they expect to remotely inform a user that they are about to do anything? They could replace a web request with their own message but that's not going to be able to tell when you're clicking on a magnet link, or do anything while you're in a p2p application.

  23.
    Anonymous Coward, 5 Aug 2010 @ 4:54pm

    Re: Re: Re:

    > I am sure man in the middle attacks are already happening.

    People have been saying this for a long time. Show me at least one certificate, signed by one of these CAs, which does not belong to the entity named in the certificate, and which was being used for MITM attacks.

    Even better, post it to Mozilla's bug tracker - it will cause them to seriously consider removing that CA from the trusted list. The story will be picked by Slashdot and the rest of the tech media, and everybody will know.

    Or, in simpler words: pics or it didn't happen.

  24.
    Anonymous Coward, 5 Aug 2010 @ 4:58pm

    Re: Re:

    Self-signed certificates are less secure.

    Anyone can make a self-signed certificate which says "yes, I am www.example.com, honest". Only one of the hundreds of trusted CAs can make a signed certificate which says "I certify the one with the private key corresponding to this public key is www.example.com".

    Still not as secure as it should be (hundreds of CAs can make one), but much more secure than self-signed certificates (anyone can make one).

    Of course, both protect against passive interception; the difference matters only for active attacks.

    link to this | view in thread ]
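
The certificate-request flow described in comment 17 and the self-signed comparison in comment 24, as an added example that is not part of the original thread. It uses the OpenSSL command line; the names www.example.test and "Demo CA" and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. www.example.test and "Demo CA" are constructed placeholder names.
set -eu

# Requester: generate a key pair and a PKCS#10 request. Only server.csr is sent out.
make_request() {   # $1 = working directory
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/server.key" 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/CN=www.example.test" \
        -out "$1/server.csr"
}

# CA: owns a separate key pair, reads only the CSR, returns a signed X.509 cert.
ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# Anyone: a self-signed certificate claiming the same name, no CA involved.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$1/rogue.key" -out "$1/rogue.crt" 2>/dev/null
}

# Public key as carried in the CSR, and as derived from the private key.
csr_pubkey() { openssl req -in "$1/server.csr" -noout -pubkey; }
key_pubkey() { openssl pkey -in "$1/server.key" -pubout; }
# True only if the file parses as a private key.
has_private_key() { openssl pkey -in "$1" -noout >/dev/null 2>&1; }
# True only if certificate $2 chains to trust anchor $1.
chains_to() { openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; }

demo() {
    d=$(mktemp -d)
    make_request "$d"; ca_sign "$d"; make_selfsigned "$d"
    [ "$(csr_pubkey "$d")" = "$(key_pubkey "$d")" ] && echo "CSR carries the public key"
    has_private_key "$d/server.csr" || echo "CSR holds no private key"
    chains_to "$d/ca.crt" "$d/server.crt" && echo "CA-issued cert chains to the CA"
    chains_to "$d/ca.crt" "$d/rogue.crt" || echo "self-signed cert does not"
    rm -rf "$d"
}
demo
```

A client that pins "Demo CA" as its trust anchor accepts server.crt and rejects rogue.crt even though both carry the same name, which is the difference that matters against an active attacker.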

  25.
    Anonymous Coward, 5 Aug 2010 @ 11:19pm

    Re: Is this even possible?

  26.
    Copkilla, 6 Aug 2010 @ 7:23pm

    Freenet

    Well, I guess it's time to install Freenet and Tor.

  27.
    vivaelamor (profile), 7 Aug 2010 @ 2:30am

    Re: Re: Is this even possible?

    "http://en.wikipedia.org/wiki/Hooking" I had missed the bit where they plan to offer software to people. As a voluntary rootkit this proposal sounds even more ridiculous.

  28.
    Jonnie D., 27 Sep 2010 @ 8:52am

    Here in México some hardcore downloaders use a certain program to use/steal your IP so they can keep downloading in servers like rapidshare without restrictions. I suppose it happens in other countries too...

    What would Hadopi do in this case? Will it punish me or the IP's burglar?

    In the case of ACTA, I'm in the understanding that if someone uses your wi-fi connection without asking permission, they will punish you.

    Let's hope Hadopi and Acta soon die...

  29.
    Will Miller, 13 Sep 2011 @ 6:41pm

    @gymo

    Yeah, the M86 filter is pretty powerful. I know some guys in IT for a big company, and it can do some amazing (and scary) stuff, especially if it's being used with the M86 Security Reporter
