Government certified security software: the French government's Hadopi wants to spy on everything on your computer, every time you log on, otherwise you cannot defend yourself against breach of copyright allegations. How far does this breach our right to privacy or freedom of expression?

Confidential details of a French government consultation on how to secure Internet access for 3-strikes/graduated response measures have leaked. The consultation is run by the Hadopi, the new public authority set up to oversee the French government's graduated response / 3-strikes law for copyright enforcement. The measures target peer-to-peer file-sharing in particular.

Although the consultation is supposed to be public, the details of the specification that Hadopi is requiring were kept secret. The leak - first reported by the French online technology magazine Numerama.com - is significant because it reveals a proposal for surveillance on Internet users' own computers.

The Hadopi is consulting on security software so that Internet subscribers can secure their Internet access and defend themselves against an allegation of copyright infringement. The leaked document describes a functional specification for security software to meet that requirement. The measures appear to be 'belt-and-braces' in that the software will be required to monitor all traffic through the Internet access as well as all files on the user's computer and the router configuration.

The Hadopi has asked for the software to contain 4 key elements. They are:

  • the real time observation of protocol traffic;
  • analysis of configuration files, including static analysis of the programmes installed and the router, and dynamic analysis of the use of the connection;
  • logs of all activity on the Internet access - including activation/deactivation, modification of any security profiles - to be kept for a year;
  • a system of alerts warning users if they are about to use a P2P connection: for example, "You are about to download a file using a P2P protocol - do you want to continue?".

The Hadopi specification actually suggests that the software may block users' access 'depending on the chosen security policy'. A rough translation is: "Depending on the traffic observed and the chosen security policy, one or more technical actions may be applied: allow or block (according to the criteria defined in the present document, and which include the type of traffic or protocols, the applicable lists, the characteristics of the formats, volumes, user profiles, usage...)"

The document also reveals a Hadopi proposal to set up white, grey and blacklists which this certified software will use to filter data.

The software will be developed by private companies and receive certification from the Hadopi. Thus it is effectively government certified security software, and questions must be asked about how much this differs from State censorship. Alternatively, how does it differ from a 'general obligation to monitor', which is not permitted under EU law?

Users in the UK should be warned. The issue of how they can defend themselves against allegations under the Digital Economy Act will arise in the autumn.

Read the report in Numerama.com

The confidential Hadopi Projet de spécifications fonctionnelles des moyens de sécurisation can be found here.

A report from Liberation is here.


This article is licensed under a Creative Commons Attribution Non-commercial-Share Alike 2.5 UK:England and Wales License. http://creativecommons.org/licenses/by-nc-sa/2.0/uk/ It may be used for non-commercial purposes only, and the author's name should be attributed. The correct attribution for this article is: Monica Horten (2010) Hadopi's secret 3-strikes security spec leaked http://www.iptegrity.com 3 August 2010