In May 2011, French security researcher Olivier Laurelli, who is better known by his alias Bluetouff, told TorrentFreak that he had discovered vulnerabilities in the website of anti-piracy company Trident Media Guard.
TMG have the contract to carry out the monitoring of file-sharers as part of the French government’s enforcement of its ‘Hadopi’ 3-strikes regime. Given the politically sensitive nature of the work, the subsequent leak of information and software tools from TMG was all the more embarrassing.
In order to maintain confidence in the system, Commission Nationale de l’informatique et des Libertés (CNIL), the French authority responsible for ensuring that data privacy law is applied to the collection, handling, and use of personal data, were sent in to investigate the breach.
While CNIL investigated, TMG was forced to sever its online connections with the Hadopi agency. Instead, information on infringements was sent through the postal system on DVD.
According to Numerama, CNIL had given TMG until September 16th to get their systems in order. That deadline having passed, today CNIL made an announcement.
“On July 29th and September 13th 2011, TMG detailed the procedures implemented to improve the security of its information system,” said CNIL in a statement.
CNIL noted that since the changes carried out by TMG were “satisfactory” and met legal requirements, their investigation into the anti-piracy company is now over. TMG and Hadopi will now link back up online in order to transfer infringement data between them.
Despite TMG’s obvious shortcomings, at this stage they appear to have avoided public admonishment. However, rightsholders may now have to share some of the responsibility for the embarrassment and failures at TMG.
“In France, before rights holders can collect IP addresses of infringing users, they have to ask and obtain an approval from the CNIL,” Numerama’s Guillaume Champeau told TorrentFreak.
Guillaume says that in order to obtain this approval, the four rights holder organizations – SCPP, SPPF, ALPA, SACEM/SDRM – submitted an application in which they described the security measures TMG was forced to abide by.
“But it appears TMG did not abide by all of these requirements, and even the rights holders organizations did not. For instance, they said they would audit TMG every quarter, which they didn’t,” he adds.
“As these rights organizations are the ones who were directly in touch with the CNIL, as they are legally speaking ‘in charge of the collection’ of the IP addresses, they are the ones who may be found in violation of their pre-approval promises.”