ACS:Law could face £500,000 fine for porn list leak
-
The UK's Information Commissioner (ICO) has told the BBC that the firm behind a leak of thousands of Sky broadband customers' personal data could face a fine of half a million pounds.
The list, produced by ACS:Law, contained the names and addresses of more than 5,300 people alleged to be illegally sharing adult films online.
It was posted on the net following an attack on the firm's website.
The ICO said that ACS:Law had a number of questions to answer.
"The question we will be asking is how secure was this information and how it was so easily accessed from outside," said Christopher Graham.
"We'll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing.
"The Information Commissioner has significant power to take action and I can levy a fine of up to half a million pounds on companies that flout the [Data Protection Act]," he added.
Privacy expert Simon Davies called the leak "one of the worst breaches" of the Data Protection Act (DPA) he had ever seen.
The documents appeared online after users of the message-board 4chan attacked ACS:Law's site in retaliation for its anti-piracy efforts.
The firm has made a business out of sending thousands of letters to alleged net pirates, asking them to pay compensation of about £500 per infringement or face court.
It uses third-party firms to scour the net looking for possible infringements of music and film copyright.
Armed with IP (internet protocol) addresses - which can identify the internet connection used in any copyright infringement - its lawyers can then apply for a court order to get the physical address of the PC from the service provider whose network has allegedly been used for the file-sharing.
A BBC investigation in August found a number of people saying they were wrongly accused by ACS:Law of illegal file-sharing. UK consumer group Which? says it has also received a number of complaints. Many contest that IP addresses can be spoofed.
ACS:Law is under investigation by the Solicitors Regulation Authority over its role in sending letters to alleged pirates.
The leak contains around 1,000 confidential e-mails, along with the list, which was an attachment on one of the messages.
The collection was then uploaded to file sharing website, The Pirate Bay, where it is being shared by hundreds of users.
The confidential e-mails include personal correspondence between Andrew Crossley - who runs ACS:Law - and work colleagues, as well as lists of potential file-sharers and information on how much the firm has made through its anti-file-sharing activities.
While some of the e-mails, detailing the internal workings of the company, may prove embarrassing, the leaking of an unencrypted document - that lists the personal details of more than 5,300 BSkyB Broadband subscribers alongside a list of adult videos they may have downloaded and shared online - could be a breach of the Data Protection Act.
Speaking to BBC News, Mr Crossley said there were "legal issues" surrounding the leak.
"We were the subject of a criminal attack to our systems. The business has and remains intact and is continuing to trade," he added.
Mr Crossley said he would not comment directly on the contents of individual e-mails.
"All our evidence does is identify an internet connection that has been utilised to share copyright work," he told BBC News when pressed about the BSkyB database.
"In relation to the individual names, these are just the names and addresses of the account owner and we make no claims that they themselves were sharing the files," he added.
Mr Crossley said he had no further comment when asked why the Excel document was unencrypted, but said he had notified the police, the ICO and was in communication with the SRA.
A spokesperson for Sky told BBC News that they were "very concerned at the apparent security breach involving data held by ACS:Law".
"At this stage of our investigation, we believe that the data included the names and addresses of around 4,000 Sky Broadband customers," they said.
"Like other broadband providers, Sky can be required by Court Order to disclose information about customers whose accounts are alleged to have been used for illegal downloading. We only ever provide such data in encrypted form."
Simon Davies, from the watchdog Privacy International, said the breach was a textbook case.
"You rarely find an aspect where almost every aspect of the Data Protection Act (DPA) has been breached, but this is one of them," said Mr Davies.
"It fits perfectly for the term 'egregious misuse' of personal data," he added.
Mr Graham told BBC News that while he did not have the power to put ACS:Law "out of business" a large fine could have serious repercussions for the firm.
"I can't put ACS: Law out of business, but a company that is hit by a fine of up to half a million pounds suffers real reputation damage.
"Firms have to think about how this looks to our customers and to our citizens," he added.
A spokesperson for file sharing news website Torrent Freak told BBC News that the leak was "not only problematic for ACS:Law, but for the thousands of members of the public whose information has also been made widely available".
"It is a very sad day for all involved but we hope that through this unfortunate event the UK's internet service providers will think long and hard about who they give customer data to in future," he said.
The assault on ACS:Law is the latest in a number of high-profile attacks by piracy activists.
Last week, hackers temporarily knocked out the websites of the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA).
The attacks were declared on notorious message-board 4chan and were reportedly in retaliation for anti-piracy efforts against file-sharing websites.
Users of 4chan are renowned for online activism and direct action. "Operation Payback", as it was known, was reportedly revenge for the MPAA and RIAA's action against The Pirate Bay.
The group has declared it will continue to target other sites involved in anti online piracy activity.
-
If you live in the UK and want to see if they have you on the list, you can put your post code in and see if your name is listed.
hXXp://www.ueof.co.uk/acslaw/postcode.php?postcode=po10+7th
I'm not on their list.
-
They deserve more than a £500,000 fine, a class action lawsuit would go nicely with the fine.
-
There's gotta be a point where privacy comes into effect. This is where most governments are flawed.
-
Update: Law firm ACS: Law stops 'chasing illegal file-sharers'
A lawyer has dramatically withdrawn from pursuing alleged illegal file-sharers in the middle of a court case he brought. The patent court in London is currently scrutinising 26 cases brought by ACS: Law on behalf of its client MediaCAT. The law firm had sent thousands of letters to alleged file-sharers. Those who received such letters may pursue ACS: Law for harassment, said law firm Ralli, which represents some of the defendants.
In a statement read to the court, solicitor Andrew Crossley said he had now ceased all such work. He cited criminal attacks and bomb threats as reasons.
"I have ceased my work…I have been subject to criminal attack. My e-mails have been hacked. I have had death threats and bomb threats," he said in the statement, read to the court by MediaCAT's barrister Tim Ludbrook.
"It has caused immense hassle to me and my family," he added.
In September, ACS: Law was the victim of a cyber attack and it accidentally exposed thousands of its e-mails online when its website went live again. These e-mails detailed all the people it was pursuing and the pornographic films they were accused of downloading for free. The data breach is the subject of an ongoing investigation by the Information Commissioner, and Mr Crossley could face a hefty fine.
ACS: Law hit the headlines when it began sending thousands of letters to alleged file-sharers, on behalf of client MediaCAT. Consumer group Which? has accused it of sending letters to innocent people, while some ISPs have refused to hand over details about their customers.
"It can be incredibly upsetting for people to receive these letters and they may well have a claim in harassment," said Michael Forrester, a solicitor at law firm Ralli, which represents some of the defendants in the current case.
Groups such as the BPI, which represents music labels, have criticised its methods. Those methods hinge on a partnership between ACS: Law and MediaCAT, which in turn has signed deals with various copyright holders allowing it to pursue copyright infringement cases on their behalf. The court heard that copyright owners receive a 30% share of any recouped revenue while ACS: Law takes a 65% share.
Members of the public who received letters were given the choice of paying a fine of around £500 or going to court. Detractors have accused Mr Crossley of seeking to make money with no intention of taking any cases to court. In his statement, Mr Crossley denied this.
"It has always been my intention to litigate and, but for the fact that I have ceased this work, my intention was to litigate forcefully in these 26 cases," he said.
Mr Crossley is subject to an ongoing investigation by the Solicitors Regulation Authority. Even before Mr Crossley's statement, the court case had been highly unusual. ACS: Law's client MediaCAT wants to drop the cases, and letters have already been sent to the defendants informing them that action against them has been dropped. But Judge Birss said granting permission to discontinue the cases was not a simple matter, due largely to the fact that the actual copyright holders were not in court. This meant that, in theory, these copyright holders could continue to pursue cases against the 26 defendants.
"Why should they be vexed a second time?" he asked. Judge Birss also questioned why MediaCAT wanted to drop the cases.
"I want to tell you that I am not happy. I am getting the impression with every twist and turn since I started looking at these cases that there is a desire to avoid any judicial scrutiny," he said. The case was made more complicated by the fact that a new firm, GCB Ltd, had begun sending similar letters, including one to one of the defendants who had been told just the day before that no further action would be taken. Judge Birss said he was considering banning MediaCAT from sending any more such letters until the issues raised by the cases had been resolved. Doing so, he said, would be a highly unusual move but one made more likely by the fact that Mr Crossley had said in his statement that there were "no new letters pending" and that GCB Ltd had also halted its work.
The judge was keen to find out what the relationship was between GCB and ACS: Law, something Mr Crossley sought to clarify in his statement.
He said that he had no connection with GCB Ltd beyond the fact that the founders of the firm had previously been employed at ACS: Law.
The case has raised some serious questions about how copyright firms pursue file-sharers. Barristers acting on behalf of the accused questioned whether an IP address - a number assigned to every device connecting to the internet - could be used to identify the person who downloaded illegal content. Barrister Guy Tritton also questioned the nature of the letters sent by ACS: Law, asking why it described MediaCAT as a "copyright protection society" - a title that he said was "misleading". Judge Birss is expected to deliver his judgement on the case later in the week.
-
Database is currently down for searching, go figure!
-
Update: 'Chaotic' ACS:Law facing costs over file-sharing cases
A controversial law firm that tried to get money from computer users by accusing them of illegal file sharing could be hit with massive legal fees.
ACS:Law and its one solicitor, Andrew Crossley, sent thousands of letters threatening recipients with court action if they did not pay out.
Now a judge has ruled that the company may be responsible for wasted costs in the case and ordered a full hearing. Mr Crossley's lawyers declined to comment.
The proceedings represent something of a role reversal. Originally the Patents County Court had been asked to hear the cases brought by Mr Crossley's firm. After those collapsed, it was decided that he might be liable for costs. Those could run into thousands of pounds, although that money is likely to be covered by solicitors' insurance.
ACS:Law had originally teamed-up with a company called MediaCAT, which purported to represent copyright owners, such as film and music producers.
Together they sent letters to around 10,000 people in the UK, alleging that the IP addresses of their computers had been linked to illegal file sharing.
Individuals were given the option of paying £500 or facing court action. Many of those contacted said they had never engaged in such activity and accused ACS:Law of carrying out a speculative "fishing" exercise. Mr Crossley eventually brought 26 cases to court, but soon after hearings began he tried to have them dismissed, claiming he had been attacked and received death threats. Judge Colin Birss QC refused to allow proceedings to stop and accused Mr Crossley of trying "to avoid judicial scrutiny".
Soon after, both ACS:Law and MediaCAT were wound-up. It emerged in court that the two companies had agreed on a profit-sharing model, with ACS:Law receiving 65% of any money recovered.
In his most recent ruling, Mr Birss said that arrangement had "brought the legal profession into disrepute".
He also branded the now-defunct firm "amateurish and slipshod".
The court's decision to press ahead with a hearing on wasted costs was welcomed by lawyers representing those people who received ACS:Law letters.
Michael Forrester, from Ralli Solicitors, said his firm was also planning to pursue claims for harassment against Mr Crossley and urged anyone who was affected to join the action. "It can be incredibly upsetting for people to receive these letters and they may well have a claim in harassment, so I am urging them to come forward."
Mr Crossley's application for permission to appeal was refused. He is also being investigated by the Solicitors Regulation Authority.
-
talk about getting caught with your hand in the cookie jar and having it come back to kick you in the ass
-
Final twist in this sorry saga:-
"Andrew Crossley, the controversial solicitor who made money by accusing computer users of illegal file sharing, has been fined £1,000. The penalty has been imposed for a data breach which saw the personal details of 6,000 computer users, targeted by his firm, exposed online. Information Commissioner Christopher Graham said that the severity of the breach warranted a heavier fine. But he added that Mr Crossley was not in a position to pay.
"Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach."
A spokeswoman for the ICO told the BBC that it did not have the power to audit people's accounts but said that Andrew Crossley had provided a sworn statement on the state of his finances.
The security breach occurred following a denial-of-service attack by members of the hacktivist group Anonymous, who were unhappy at the tactics being used by Mr Crossley and his law firm.
"Sensitive personal details relating to thousands of people were made available for download to a worldwide audience and will have caused them embarrassment and considerable distress," said Mr Graham.
As well as exposed people's names and addresses, a list of pornographic films they were accused of illegally downloading was also made available.
"The security measures ACS:Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details," Mr Graham said.
ACS:Law was conducting a widespread speculative invoicing campaign, which saw Mr Crossley send letters to thousands of people accusing them of downloading content without paying for it and asking them to pay a fine of around £500 per infringement. The scheme came unstuck when a handful of the cases went to court and the judge ruled that Mr Crossley had mishandled them and abused the court system. He faces a disciplinary hearing at the Solicitors Regulation Authority next month. The data breach was one of the most high profile and worst seen in the UK to date.
The relatively small fine imposed on Mr Crossley will anger opponents who argue that the ICO lacks any real teeth when it comes to data breaches. It was recently criticised for not being tougher on Google after the firm accidentally collected personal information from millions of unsecured wi-fi connections when it collected pictures for its StreetView service. The ICO has called for greater powers to investigate data breaches and to probe deeper into people's finances.
"We would welcome the power to refer cases like this to the court who can order people to be questioned about their financial affairs with appropriate sanctions if they do not cooperate," an ICO spokeswoman told the BBC.
But critics think more is needed.
"There should be a complete review of privacy policy in the UK. The ICO has been given half-baked powers that haven't been thought through and that they aren't able to exercise fully," said Jim Killock, director of the Open Rights Group.
"This fine is shockingly low. Many people have been aggrieved and wrongly accused. They are entitled to some form of compensation," he added.
Consumer watchdog Which? was among the first to expose that people had been wrongly accused. It described the fine as "paltry".
"ACS Law demanded around £400 from each of the people it accused of illegal file sharing, yet for a serious breach of data protection law, it gets a paltry fine of £1,000. This is utterly inadequate - the ICO should have imposed an appropriate sanction," said Deborah Prince, head of legal affairs.
"The ICO said that if ACS Law was still trading it would have imposed a penalty of £200,000. This beggars belief. It sends the message that businesses that commit a data breach can expect appropriate punishment, unless they dissolve their business, in which case they'll get off lightly," she added.
-
Absolutely shocking and pathetic. He was basically blackmailing people at £500 a time and he gets fined £1000
"it did not have the power to audit people's accounts but said that Andrew Crossley had provided a sworn statement on the state of his finances" ..of course he did, wonder if they bothered to check if his fingers were crossed.
-
He should still be required to pay the £200,000, no doubt he has the money.
-
It's funny/ironic that the same thing happened to him when he was at Davenport Lyon and got busted.
He bragged about how rich he was to being a pauper overnight and he got virtually no fines.
-
pathetic… simply pathetic.
-
Bizarre new twist, from the bbc site:-
A lawyer whose firm demanded money from alleged illegal downloaders in the United Kingdom has denied re-starting the scheme in Greece. Andrew Crossley told the BBC that e-mails sent out in the name of ACS:Law were a scam and nothing to do with him. The messages accuse their recipients of file sharing and demand payments of £1,665.
Mr Crossley's firm was wound-up and he is the subject of disciplinary action for sending similar letters in the UK. The Greek letters were brought to light by Ralli Solicitors, which represented some of those accused by ACS:Law. It is now advising a client based in Greece.
"They have received e-mails purporting to be from the law firm," said Ralli solicitor Michael Forrester. The letters have been sent to overseas addresses.
"The IP addresses quoted do not appear conventional, making reference to country codes outside of the UK," said Mr Forrester. "Despite this, the letters of claim refer to UK law under the Copyrights, Design and Patents Act," he added.
One of the letters seen by the BBC read: "We act as solicitors for DigiProtect Ltd, the owners of copyright of various films and music rights.
"Our client has retained forensic computer analysts to search for and identify internet addresses from which their copyright works are being made available on so-called peer-to-peer programs."
The letter asks that cheques are made payable to ACS:Law and supplies a central London address, which is in an adjacent building to where the law firm used to trade from. However, Andrew Crossley contacted the BBC to say he was not involved.
"It is not my email, not my address - the address is old and post code is misstated, there is no client or company of that name, it is not a demand made by me and it is quite clear from the way it was written that it was not," he wrote in an e-mail.
Mr Crossley said he plans to contact the police in relation to the messages.
Prior to its closure, ACS:Law was accused of taking advantage of new UK laws on piracy in order to make money. Its sole proprietor, Mr Crossley, teamed up with companies DigiProtect and MediaCAT, which purported to represent copyright owners. Together they sent letters to around 10,000 people in the UK, alleging that the IP addresses of their computers had been linked to illegal file sharing. Individuals were given the option of paying £500 or facing court action. Many of those contacted said they had never engaged in such activity. Consumer watchdog Which? accused the firm of speculative invoicing and claimed that none of the evidence would stand up in court.
Mr Crossley eventually brought 26 cases to court, but soon after hearings began he tried to have them dismissed. Judge Colin Birss QC refused to allow proceedings to stop and accused Mr Crossley of trying "to avoid judicial scrutiny". He, in turn, left the court mid-way through the case and had his barrister read out a statement in which he said that he no longer wanted to pursue net pirates because he had received death threats. The case was dismissed and Mr Crossley faced a large bill for wasted costs. The accused have since settled out of court. Soon after, ACS:Law was wound up and declared bankrupt. Mr Crossley is currently the subject of an investigation by the Solicitors' Regulation Authority.
-
That is a rather interesting twist. It would be interesting to take a careful examination of the full email headers to see where they may have originated from and if there could possibly be any connection to the now debunked law-firm, or if the emails are genuinely a forgery. Something tells me though that the emails are no forgery and that further sleazy business practice is still being conducted under an alter-ego. It certainly wouldn't be the first time that a scammer has pulled such a stunt.