TMG have the contract to carry out the monitoring of file-sharers as part of the French government’s enforcement of its ‘Hadopi’ 3-strikes regime. Given the politically sensitive nature of the work, the subsequent leak of information and software tools from TMG was all the more embarrassing.

In order to maintain confidence in the system, Commission Nationale de l’informatique et des Libertés (CNIL), the French authority responsible for ensuring that data privacy law is applied to the collection, handling, and use of personal data, were sent in to investigate the breach.

While CNIL investigated, TMG was forced to sever its online connections with the Hadopi agency. Instead, information on infringements was sent through the postal system on DVD.

According to Numerama, CNIL had given TMG until September 16th to get their systems in order. That deadline having passed, today CNIL made an announcement.

“On July 29th and September 13th 2011, TMG detailed the procedures implemented to improve the security of its information system,” said CNIL in a statement.

CNIL noted that since the changes carried out by TMG were “satisfactory” and met legal requirements, their investigation into the anti-piracy company is now over. TMG and Hadopi will now link back up online in order to transfer infringement data between them.

Despite TMG’s obvious shortcomings, at this stage they appear to have avoided public admonishment. However, rightsholders may now have to share some of the responsibility for the embarrassment and failures at TMG.

“In France, before rights holders can collect IP addresses of infringing users, they have to ask and obtain an approval from the CNIL,” Numerama’s Guillaume Champeau told TorrentFreak.

Guillaume says that in order to obtain this approval, the four rights holder organizations – SCPP, SPPF, ALPA, SACEM/SDRM – submitted an application in which they described the security measures TMG was forced to abide by.

“But it appears TMG did not abide by all of these requirements, and even the rights holders organizations did not. For instance, they said they would audit TMG every quarter, which they didn’t,” he adds.

“As these rights organizations are the ones who where directly in touch with the CNIL, as they are legally speaking ‘in charge of the collection’ of the IP addresses, they are the ones who may be found in violation of their pre-approval promises.”

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Blogger and security researcher Olivier Laurelli, aka Bluetouff, told us that a TMG virtual machine had been leaking data, including security tools and, according to a later report by news resource Numerama, IP-addresses of French citizens.

Naturally the revelations generated controversy, with the Hadopi agency announcing that they had suspended electronic connections with TMG and had resorted to shifting file-sharing monitoring data around on DVD instead.

As the pressure mounted on TMG, in the middle of the week they called in Commission Nationale de l’informatique et des Libertés (CNIL) to investigate the security issue. CNIL is the French authority responsible for ensuring that data privacy law is applied to the collection, handling, and use of personal data,

Then yesterday, Telecom Paper reported that TMG would sue the person responsible for finding the security flaw, but adding that it would be unusual for the French courts to prosecute people who expose lax security as doing so is deemed to be in the public interest.

TMG’s position, however, is slightly more awkward than that.

After first trying to play the situation up, using language such as “we have been the victim of data theft”, TMG followed up with claims that the exposed information was in fact nothing to do with their main systems. Furthermore, the server from which it came allegedly carried no live end-user data and was in fact a mere test machine. According to a source quoted by PCInpact, this is why TMG left it unprotected.

So on what basis would TMG sue Bluetouff? TorrentFreak asked him.

“TMG first said to the press it was an unprotected test server with no confidential data, and that there was no hack. So I’m really wondering on what basis they could attack,” he explained.

“I guess they need to sue someone because of insurance stuff or just to avoid admitting their own fail. So just wait and see but I’m quite sure they won’t sue.”

Bluetouff then reminded us of the security flaw he discovered in software developed by ISP Orange, which inadvertently leaked users’ IP addresses as it tried to block file-sharing.

“Orange had the same reaction, to send me lawyers first over their splendid ‘hadopiware’. Then they tried to understand what happened and who is guilty of what afterwards,” he explained.

Then within minutes we had another message from Bluetouff. “Wow, that was fast,” he said.

As predicted, TMG had announced that they won’t sue after all, unless they find evidence of “a formal intrusion”, something which presumably won’t be possible on a server they left deliberately open.

Time will tell what conclusions the CNIL data inspectors will draw from the episode. Their report is forthcoming.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.