As Finland moves to make open WiFi networks legal, France is moving—decisively—in the opposite direction. France's "three strikes and you're off the Internet" anti-P2P HADOPI law comes with a provision requiring people to install security software on their machines, and it makes users responsible for everything done through their Internet connections.

With fines and a government-run Internet blacklist as penalties, French Internet users have good reason to comply, but the requirement may prove to be a new cash cow for ISPs and security firms. If, that is, they can secure their own security tools.

Download control

French journalist Astrid Girardeau brought a strange story to our attention. French ISP Orange last week rolled out a new security tool for subscribers to accompany its firewall, anti-virus, and anti-spam offerings: "contrôle du téléchargement." This "download control" offering provides "protection against illegal downloading," mainly by interfering with any P2P apps running on the local machine. For €2, the (Windows-only) software can be installed on three machines.

What does it do? How does it work? The details aren't clear, but a French blogger who goes by "Bluetouff" used Wireshark to sniff the program's traffic. The Java-based control software turned out to be anything but self-contained: it routinely communicated with a remote server, sending its data unencrypted, and the server even hosted a publicly accessible webpage listing the IP addresses that had connected to it.

To make matters worse, this page provided a link to an administration portal whose username and password were still the defaults, "admin/admin." According to Bluetouff, a malicious user might have been able to modify the servlet to distribute malware to every machine running the tool.

Orange appears to have resolved the problem over the weekend, but the episode is a reminder of just how many problems HADOPI could create. With Internet access spreading to all corners of society, huge numbers of unsophisticated computer users will suddenly be responsible for securing their own Internet connections and liable for what happens over them. When even the security vendors leave such basic holes wide open, is this a reasonable approach?

Certainly, it could become a good sideline for ISPs, who stand to make plenty of extra cash by offering anti-P2P security subscriptions to their users. But it leaves many questions unanswered—among them, how is one to secure a visitor's Internet use with this software-based approach? Will out-of-town guests and friends really have to install (and prove they have installed) security software before their hosts hand over the network password?

We suspect it won't be long before the solutions migrate upstream. ISPs who once found themselves in trouble for using deep packet inspection to mess with P2P traffic could soon charge users for exactly this "service" in the name of HADOPI-ordered security.