Is it right that police upload malware to users merely suspected of a crime without their consent, knowledge, or a court order? That might be what supporters of this controversial piece of legislation might think. The surveillance legislation known as LOPPSI 2 has made its way to the senate.

HADOPI, France's three strikes law and organization that oversees the enforcement of this law, has taken quite a beating on the PR front. Now they seem to be trying to push back by denying that they are forcing users to install spyware to prove innocence. They also called the initiative SOS-HADOPI - a commercial service dedicated to helping those who find themselves on the other end of a copyright accusation - an "abuse".

"The Creation and Internet law, passed by Parliament, confirmed by the Constitutional Council, no obligations installation by users of specific software to "prove their innocence" at any time the user is presumed "guilty" in the process of graduated response implemented by Internet Piracy" said the High Authority. "One of the legal responsibilities of Internet Piracy is to offer users a label for a means of securing their subscription Internal t" he said. "To this end, and in accordance with the law, Internet Piracy has committed an initial consultation on a first draft of specifications defining the characteristics of such security means". "Calling this project in the state of spyware - software that installs without the knowledge of the user - is tendentious and inaccurate. In any event, this project has been the subject of no validation by the High Authority. Consultation is not closed and will, moreover, be prolonged "continues the statement.

Currently, as we pointed out during the operation Hadopi leaflets , the label "Hadopi security means" has not yet been awarded to any software enabling secure Internet connection. The difficulty in developing an effective mechanism is emerging through this press release, since the High Authority indicates that the consultation on the specification will be extended.

* the real time observation of protocol traffic; * analysis of configuration files, including static analysis of the programmes installed and the router, and dynamic analysis of the use of the connection; * logs of all activity on the Internet access – including activation /deactivation, modification of any security profiles – to be kept for a year; * a system of alerts warning users if they are about to use a P2P connection: for example, “You are about to download a file using a P2P protocol – do you want to continue?”.

Spyware is a type of malware that can be installed on computers and collects little bits of information at a time about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spywares such as keyloggers are installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users. While the term spyware suggests that software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet or functionality of other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software.

Many questions have been raised on how HADOPI planned on enforcing a three strikes law. One particular question that really raises doubts on the possibility of enforcement is how to guard against false accusation. One idea being floated right now is forcing users to install spyware that can do real-time observations of what internet protocols are being used on a persona computer among other things.

* the real time observation of protocol traffic; * analysis of configuration files, including static analysis of the programmes installed and the router, and dynamic analysis of the use of the connection; * logs of all activity on the Internet access - including activation /deactivation, modification of any security profiles - to be kept for a year; * a system of alerts warning users if they are about to use a P2P connection: for example, "You are about to download a file using a P2P protocol - do you want to continue?".

For many, it’s viewed as a country going from bad to worse in terms of law proposals. First, there was the French three strikes laws and other similar pieces of legislation and now LOPPSI 2. Last month, we broke the news for English speakers about this legislation and now a French cybercrime expert was able to discuss various aspects of the law in French newspaper Le Monde (Google translation) and there were some interesting points being made throughout the numerous responses.

The first response noted that, traditionally, surveillance involved microphones and video cameras. Since it requires a lot of time and money to have them installed covertly on someone, it’s not scalable – that is to say, you can’t spy on tens of thousands of people because it requires too much time and money. The same cannot be said for installing key loggers and trojan horses on peoples computers for covert surveillance purposes since once one creates a trojan or a piece of spyware, theoretically, they can be installed on thousands of machines at no extra cost because the scalability is far greater. This leads to the fact that this legislations paves the way for unprecedented surveillance powers for police and the government.

Another point is the fact that people with malicious intent, or criminals for that matter, use precisely the same kind of technology that is suppose to be used by police. The reason that is important is because anti-virus and anti-spyware technology is specifically designed to block such technology. It then leads into a more disturbing question – are anti-virus companies going to be ordered by the French government to create white-lists for Trojans and spyware? Not mentioned in the response is if someone is going to create their own programs to detect and remove such technology should that happen.

In one part of the conversation, there was the question on who these viruses and spyware intended in terms of geography. The legislation is intended to be for traditional criminals on French soil. Not mentioned in the response is that given how networked todays society is on the internet, how malware can be confined to one country in particular is going to be an extremely difficult proposition in and of itself. Still, in another response, Lovet discussed the fact that the legislation is intended to stop child pornography and terrorists – yet, in practise, that turned out to not be the case in countries like Australia, England and Thailand where legitimate websites wound up being in the blocklist as well – both Australia and Thailand had sites on the blacklist for nothing more than political purposes.

Lovet touched on the fact that, while malware exists to covertly activate microphones and webcams, the legislation doesn’t cover such activity as the legislation talks about content that appears on the individuals computer screens.

While discussing the web censorship side of things, there was discussions about SSH and TOR that exists. Those who are familiar with such technology could easily bi-pass the web censors of France. Therefor, informed people can, indeed, escape the censors while uninformed people would be affected. When asked whether or not bi-passing web censors was legal or not, Lovet responded, saying that this is a very good question, but he didn’t have an answer.

There was a question about which operating system the malware would target. In response, Lovet suggested that it’s impossible to have malware programmed for all systems given how deep the malware would be embedded. This, of course, doesn’t rule out the possibility that different malware could be used for different operating systems.

The topic of how the blacklist would be compiled was brought up. Unfortunately, just like Australia and Thailand, the list would be compiled in secret and away from public scrutiny. While it’s a great idea for an independent entity to offer some checks and balances, this doesn’t seem to be a part of the legislation – thus opening the door for a similar incident that happened in England where Wikipedia was blocked, not just what happened in Australia and Thailand.

All in all, Lovet says that this new legislation gives a government a foot in the door toward government censorship on the internet. From what we can observe on an international level, when it comes to topics like censorship and surveillance, this follows a worldwide trend of legislate first, address accountability later – and it always has been this kind of thing that ends badly for the government. From the examples we’ve seen, the blacklist ended up being leaked, legitimate websites are discovered on the list and the government looks bad (this is putting it mildly) as a result.

Still, the awareness of such a law doesn’t necessarily present this law in a good light. When legislation requires a certain amount of effort to be portrayed in a positive light, should it be considered at all given the negative impacts on online rights? More importantly, what does this legislation open the door to when the copyright industry pressured the world to follow the French model of three strikes?

Have a tip? Want to contact the author? You can do so by sending a PM via the forums or via e-mail at drew@zeropaid.com.

There’s an article posted on Le Monde recently that, if the translation is accurate enough, seems to suggest that the government wants to propose a law, known as Loppsi 2, that would allow a government official or a police officer, to upload “cookies” for the pupose of, among other things, data retrieval, without the need to clarify that what they did was legal or not for a period of 4 months. Here’s the Google translation of what we are reading:

Dadvsi and Hadopi supposed fight against illegal downloading with technical measures, should be completed in autumn 2009 by a far more ambitious, focusing on all the crime. Loppsi 2 (law and planning for the performance of Homeland Security, 2nd named after Lops, 2002), commissioned by Nicolas Sarkozy, would have a budget of one billion euros over five years (2010-2015).

The key to Loppsi 2, the cookies. The Hadopi law already provides for the simplification of procedures by the state services software incorporating technical measures remote control functionality or access to personal data. ” Also refers to the Dadvsi cookies: Article 10bis Additional C to Article 15 enables the central management of security of information systems (DCSSI) to escape the control of software bugs that could be installed by government departments, local authorities and public or private operators.

In other words, the state will no longer be obliged to verify the “legality” of the cookies used by its services on the network. Therefore, the door is open to all “broadcasts” information and sound of any kind. Bill Loppsi 2 incorporates this principle in the development, since it would “without consent, to access data, to observe, collect, record, store and transmit such that they appear to the user or as he introduces by entering characters. This is the legalization of “Trojans” (spyware) in the Internet, for a period of four months, renewable once by agreement of the judge.

Technically, the device may be implemented at any time, either by slipping in any physical location (with the establishment of a key connection in the computer monitor) or by transmission over a network electronic communications in remote infiltrating into the machine to monitor.

In other words, if this is really what the article is saying, a government official or police official, can upload a trojan horse or other forms of spyware onto a users computer without their knowledge, consent or a court order for a period of 4 months. After that four month period, a judge has to give an OK to allow continued use. The purpose is supposedly to investigate all kinds of crimes which, judging by this article, would include file-sharers (though it is unclear if the article is saying that the previous HADOPI law and the Dadsvi law already covers that).

It’s unclear where the checks and balances are from the article but one wonders, does Loppsi 2 make HADOPI/the Three Strikes law seem tame in comparison? Besides, at what point during a civil investigation makes the use of installing a trojan horse necessary? Still, not much is known through a more direct translation. If anyone in France is reading this and knows about French law, feel free to contact us if you want to offer any verifications on this new law proposal.

Update, May 19th: Special thanks goes out to all our French readers who were able to verify the story, though yes, we should emphasize that the law is suppose to cover all forms of “crime” and is under the guise of stopping paedophilia (as we’ve noticed in countries like Australia, that sort of talk isn’t known to be entirely truthful over things like this)

Arstechnica, today, also picked up the story and seemed to make this early report seem optimistic in the viewpoint of a privacy advocate. The report suggests that Loppsi 2 covers things like web censorship as well as introducing “Pericles” that would create a “super-dossier” on people – in other words, a database on targeted peoples activities. The article additionally points to a critics point of view which discusses the end of a free and open internet. (For those, like me, that don’t speak French, here’s a Google translation of the posting)

Have a tip? Want to contact the author? You can do so by sending a PM via the forums or via e-mail at drew@zeropaid.com.

The bill (.doc) says that everyone who signs up with an “interactive service” must demand users full name, address and valid electronic mail address.

The bill also states that any “interactive service provider” that runs afoul of this faces a $500 fine on the first offense and a $1000 fine for each subsequent offense.

An early report suggests that the lawmaker intends to cut down on cyber-bullying and online harassment with these new laws. He concedes that enforcement of the bill would be difficult.

Of course, the proposed laws might be ill-conceived given the recently dropped case against Wikileaks which touched on anonymous postings regarding shady dealings with a bank.

At this time, it is unclear whether or not this bill has a snowballs chance in blank at passing and changing the first amendment rights of the US Constitution.

Hat tip: Privacy Digest.

digg_url = ‘http://digg.com/tech_news/Lawmaker_Wants_to_Ban_Anonymous_Online_Postings_Verified’;

“The society that separates its scholars from its warriors will have its thinking done by cowards and its fighting by fools.” – Thucydides

Some of you know by now that I run a blog with my best friend where we investigate various malware outbreaks. The blog (www.webdefenders.net) is in essence a research arm of Jay Loden’s AIMFix project. We try our best to publicly shame the people responsible for damage-inflicting scourges on the Interweb.

A few days ago we recieved a cease and desist order from a lawfirm retained by Dan Yomtobian, the man responsible for Xupiter. I wont get into a lengthy diatribe about what Xupiter is here. It’s been written about at length by the press since 2003. In simplest terms, Xupiter was a piece of software alleged by thousands of people to arrive on a PC without consent and unleash torrents of unwanted advertising. At one time, Xupiter was responsible for a then record-breaking help thread on SpywareInfo.com. It was even bundled with Grokster during Wayne Rosso’s tenure there, until the distribution suddenly came to a halt. Suprise?

After the fall of Xupiter, nobody heard much from Yomtobian until he published a series of business oriented websites promiting his services. None of these sites addressed his past endeavors, so my partner and I published a tell-all article about the depth of our findings over the past few years. The article draws its support from corporate documents, WHOIS records, even direct quotes from Microsoft’s Help Center and Wired.com articles.

Evidently, the fact that a Google query for “Dan Yomtobian” returns our article as the second result on the first page is damaging to its subject’s reputation. So on 09JUN06, we recieved a cease and desist order alleging that we’d made “false and defamatory statements” and demanding that we take it down immediately. No evidence was given that anything we said was provably false. Just a threat that Yomtobian had authorized the firm to pursue all legal remedies if we failed to compy with the order.

So why hasn’t Yomtobian targeted Wired or Microsoft? The answer is obvious. They have (besides the truth) enough money to deflect things like this. Organizations of their stature would laugh at a lawsuit alleging that Xupiter was innocuous. By contrast, Chris and I are full-time college students. It’s easier to make an example of us than Microsoft. So, after much thought I have decided to comply with the order.

Simply put, it is to my selfish benefit to comply right now. I’m working extremely hard in school to hopefully attend Quinnipiac’s law program once I graduate. I’m training to play a college sport. In our spare time, Chris and I are putting together a new Internet startup. So unlike the kid who abandons his ambition, stops cutting his hair, and goes on to live in his parents’ basement once he realizes that justice is evasive, I will pursue the absolute height of my productive capacity and mount a proper legal defense once I have the resources to do so.

I’m 19 years old. Like so many my age, I don’t have my life all mapped out yet. But if nothing else, I’m confident that at no point in my life will I need to send cease and desist letters to bloggers writing about how I spent my 20′s. That’s more than I can say for some people.

EULAs became important to P2P users when it became known that Kazaa buried a clause in its agreement giving it the right to enable a distributed computing network among all its users. From there, most popular P2P programs began to install spyware and other forms of advertising alongside their own wares. Notice of these extras is typically buried in legal-speak somewhere in the EULA.

Now, a group called Clearware.org thinks they have the answer. Building from the Creative Commons licensing platform, Clearware.org provides a way for software vendors to state the important aspects of their EULAs in supple, human terms. The “About” section on the group’s homepage says “Clearware.org guides software vendors and service providers on how to describe and represent the terms and conditions of license agreements in a friendlier way to improve consumer awareness on issues that impact control over the user’s experience, privacy and system security.”

Specifically, it breaks down something like this. Let’s enter a hypothetical world and say that you install Kazaa, and along with it, Claria PersonalWeb. Upon install, you would see a simple document with big, bold text calling your attention to the most substantial aspects of the EULA. Rather than having to thumb through 40+ pages of jargon, you will see simply “You agree to the following: Display advertising, collect usage information, installs other software, etc.” If you want to read the full language pertinent to any of the “big stuff”, you will be guided to the relevant text in the EULA itself.

I’ve wanted to see something like this for a long time. When anti-spyware was my specialty back in 2004, my Mother contracted me out to her friends at work to have me pluck the most insidious malware from their computers. I worked on 50-60 systems over the course of a few months. Invariably, her co-worker’s kids had installed one or more P2P wares that opened the floodgates. Neither they nor their parents had bothered to read the EULA. In many cases, the EULAs provided for not only the ad support, but the right of the ad support technology to install more partner software after the fact.

Clearware.org also bridges a profound legal gap. Tedious and dry though they may be, EULAs are legally binding contracts on the web. Absent a very egrigious provision, a judge doesn’t want to hear that the contract was “too long” and it becomes childish to absolve grown adults of responsibility for knowing what they’re agreeing to. With a framework like this, there’ll be no excuse for installing shady software.