British ISP Sky Broadband Cuts Off ACS:Law
An anonymous reader writes "British ISP Sky Broadband cut off ACS:Law and refuses to cooperate after at least 4,000 of their customers' information was carelessly leaked. According to Sky Broadband, 'We have suspended all co-operation with ACS:Law with immediate effect. This suspension will remain in place until ACS:Law demonstrates adequate measures to protect the security of personal information.' Sky Broadband had been providing customer information to ACS:Law as part of their anti-piracy operation."
Re:and the pornography they're accused of sharing (Score:5, Informative)
For those like me who don't know what ACS:Law is.. (Score:5, Informative)
Re:Hmm... (Score:5, Informative)
and for extra points, this horse happens to be named 'streisand'.
anyone who didn't know these guys were incompetents, knows it now.
Re:For those like me who don't know what ACS:Law i (Score:3, Informative)
They should not be confused with the American Constitution Society
And the Australian Computer Society [acs.org.au].
Re:For those like me who don't know what ACS:Law i (Score:5, Informative)
A small correction. Their homepage is http://www.acs-law.org.uk/ [acs-law.org.uk] . Anyway they seem to have been slashdotted (and 4channed probably), so it doesn't matter what their website is.
Re:and the pornography they're accused of sharing (Score:5, Informative)
I think the best part is them claiming that they were hacked, when in reality they made the site's backup available on their main page for all to download for a short period of time when they were trying to restore the site after the DDoS attack. A zip file that was not encrypted in any way that contained EVERYTHING.
Smart move guys! Especially considering the amount of page requests you were getting,
Re:What's the legality of the ISP sharing the info (Score:2, Informative)
You know... the UK has this thing called the Data Protection Act [wikipedia.org]
I'm very concerned about Sky Broadband's actions, and I wonder how they could possibly be legal under the act.
Re:For those like me who don't know what ACS:Law i (Score:4, Informative)
British ISP Sky Broadband Cuts Off ACS:Law
Mmm, I read it as British ISP Sky Broadband Cuts Off [Ties with/Cooperation with] ACS:Law. Now that I have RTFAed, it seems they actually did mean it both literally (cut access to the website) and figuratively (cooperation with ACS:Law).
Re:What's the legality of the ISP sharing the info (Score:4, Informative)
Had you read the Plusnet link in the summary, you'd see, at least for that ISP, ACS:Law requested and received court orders requiring the delivery of customer information. It's not likely that they took different action with Sky Broadband.
In other (U.S.) words, ACS:Law acquired sensitive information via John Doe discovery, then put that information, unencrypted, on their web site. The people who provided it to ACS:Law under the directive of a court order aren't likely culpable.
Re:Should of refused to cooperate from the start. (Score:0, Informative)
Fuck damn it, it's "Should have" not "Should of" you goddamn illiterate moron. The contraction is "Should've".
Re:Rudyard Kipling (Score:3, Informative)
Re:and the pornography they're accused of sharing (Score:4, Informative)
4chan was the cause of the breach, but not intentionally. Their DDoS successfully shut down the website. ACS:Law's IT staff attempted to disable that function of their server in order to minimise the impact of the DDoS on other aspects of the business, but in their haste they screwed up and revealed that the site backups were actually on the webserver, hidden only by not publishing the filename to retrieve them. ACS took down the files for their website, server started returning the index page by default, backup files revealed.
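The failure mode described in the two comments above (a backup archive left inside the web root, "protected" only by an unpublished filename, and exposed the moment the server fell back to a directory listing) is easy to check for from the defender's side. The following is an added example, not code from the thread or from any party mentioned in it: it walks a document root for backup-like files and for directories that have no index page and would therefore serve a listing if `Options +Indexes` (Apache) or `autoindex on` (nginx) were ever in effect. The suffix list and the sample tree it builds are constructed for illustration.

```python
"""Audit a web document root for backup artifacts and directories that
would render a listing if directory indexing were enabled.
Added example; the sample tree is constructed, not real data."""
import tempfile
from pathlib import Path

# Suffixes that usually indicate a site or database backup. Assumed list
# for the example; extend it to match your own backup tooling.
BACKUP_SUFFIXES = {".zip", ".tar", ".gz", ".tgz", ".bak", ".sql", ".old", ".7z"}


def find_exposed_backups(webroot):
    """Return sorted, root-relative POSIX paths of backup-like files.

    Anything in this list is downloadable by anyone who learns (or guesses)
    the filename; obscurity is not access control."""
    root = Path(webroot)
    hits = [
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in BACKUP_SUFFIXES
    ]
    return sorted(hits)


def dirs_without_index(webroot, index_names=("index.html", "index.php")):
    """Return sorted root-relative directories that lack an index file.

    With directory indexing on, each of these serves a file listing, which is
    exactly how a hidden backup becomes a public download."""
    root = Path(webroot)
    candidates = [root] + [p for p in root.rglob("*") if p.is_dir()]
    missing = [
        d.relative_to(root).as_posix()
        for d in candidates
        if not any((d / name).exists() for name in index_names)
    ]
    return sorted(missing)


def build_sample_webroot():
    """Constructed sample tree mirroring the scenario: an index page, a site
    backup archive sitting beside it, and a subdirectory with no index."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "index.html").write_text("<html>site</html>")
    (tmp / "site-backup.zip").write_bytes(b"PK\x03\x04")  # placeholder zip header
    (tmp / "assets").mkdir()
    (tmp / "assets" / "logo.png").write_bytes(b"\x89PNG")
    (tmp / "assets" / "db.sql").write_text("-- constructed dump, not real")
    return tmp


if __name__ == "__main__":
    root = build_sample_webroot()
    print("backup files inside web root:", find_exposed_backups(root))
    print("directories that would list:", dirs_without_index(root))
```

Run it against a real document root by calling `find_exposed_backups("/var/www/html")` instead of the sample tree. The fix the findings point at is twofold: keep backups outside the served tree entirely, and turn indexing off at the server (`Options -Indexes` in Apache, the nginx default of `autoindex off`) so that removing an index page never turns a directory into a file catalogue.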
Re:Should of refused to cooperate from the start. (Score:3, Informative)
Not in British usage (or traditional computer geek usage for that matter(*)).
* A true geek puts punctuation that is part of the quotation inside the quote marks, that which is not outside. Your punctuation inside the quotes in the first of your points is an offense to our eyes, you should have written:
Re:and the pornography they're accused of sharing (Score:5, Informative)
This is why they're in breach of the data protection act on a massive scale. The hack wasn't the result of the leak of customer data, their incompetence and poor data protection practices were.
The information commissioner's comments were interesting on the news last night - he said something along the lines of "I don't have the power to shut a company down, but I can issue a fine of up to half a million pounds which can obviously have a devastating effect on a company of this size". His comment seems quite telling as to what he perhaps has in store for this company due to the fact they've breached the DPA on a massive scale.
What I'm not sure about is whether private citizens have any legal recourse for compensation also - can the people whose details were leaked now sue the company for this? If they were not the ones who downloaded the materials can they sue under defamation laws or similar? I know if I was on those lists I'd certainly be exploring my options to give them a taste of their own tactics.
Hopefully this will be devastating for ACS:Law, and it might also be worth noting that under the DPA individual employees can be held criminally responsible for unauthorised release of data too such that for example, the IT guy there who put the personal data on the public web may face a personal fine or prosecution also.
It's nice that for once, a combination of incompetence and assholery may just be receiving the kind of response it deserves rather than simply being swept under the carpet. Partly because our information commissioner is more keen on punishing private sector breaches like this that fall under his remit than the police or government are over similar matters (e.g. Phorm) that fall under theirs. The only downside to the guy is he still seems to let public sector breaches go largely unpunished - i.e. the infamous HMRC 25 million record breach, although I suspect that's more a case of the government exerting influence on him (i.e. the threat of redundancy).
Re:What's the legality of the ISP sharing the info (Score:5, Informative)
ACS:Law were using Norwich Pharmacal civil orders against the ISPs; these basically demand information relevant to a future court case from a third party, in this case the ISP. Sky Broadband chose not to contest these court orders, and just supinely handed over the data. Nor did they notify their subscribers that such an order was taking place, so they could fight it if they chose.
In fact, ACS:Law were combining these requests into huge tranches of data - one such recent one was 25,000 BT Broadband IP addresses, expected to ID 15,000 subscribers.
Virgin and Talk Talk refused to go along with these orders without a fight - potentially forcing ACS:Law to do a Norwich Pharmacal order per individual IP, which would be ruinously expensive - so the leaked emails reveal that ACS:Law specifically did not target them.
So yes, it's true that Sky Broadband were under court order - but it was one they supinely accepted, with the IP addresses in bulk. Uncontested, the judge has little choice but to rubber-stamp the request from ACS:Law. Sky may not be at fault for the data breach (they hand the data over securely), but they certainly are for co-operating with ACS:Law, a known dodgy legalised extortion outfit, without even bothering to attempt to protect their customers.
ACS:Law is under investigation by the Solicitors Regulation Authority for the way they go about their 'letters with menaces, demanding £495 or else' campaign; Crossley, their head solicitor, has been investigated twice before.
Re:Are Sky Liable? (Score:3, Informative)
Re:Are Sky Liable? (Score:1, Informative)
The basic DPA test of whether you're a "data owner" or merely a "data processor" is whether or not you're acting under contract for the original owner, under their direction.
In this instance, ACS are the data owner, not Sky.
Re:Should of refused to cooperate from the start. (Score:2, Informative)
ORLY?
Your belief about what the statutes say does not alter what the statutes say. The court orders are being used to compel disclosure, but there's nothing in the DPA that would prevent disclosure without them, for this purpose.
Re:and the pornography they're accused of sharing (Score:4, Informative)
More embarrassingly, that disclosed information also detailed ACS:Law's main business tactic. File copyright claims against people for P2P porn, i.e. blackmail them into paying off rather than be publicly disclosed for sharing some rather nasty porn, basically at 500 pounds a go.
More coverage here http://arstechnica.com/tech-policy/news/2010/09/amounts-to-blackmail-inside-a-p2p-settlement-letter-factory.ars/ [arstechnica.com].
Apparently the normal route of extorting poor people to pay off rather than fight off the civil suits, as done in the US, doesn't really work in the UK, as such they have gone down the blackmail route. It will be interesting to see what happens in France now that the right wing government has allowed open slather on basically baseless "WeSaySo" copyright claims (http://muppet.wikia.com/wiki/WESAYSO dinosaur claims from a dinosaur industry).