UK Anti-Piracy Firm E-mails Reveal Cavalier Attitude Toward Legal Threats

Khyber writes "A recent DDoS attack against a UK-based anti-pirating firm, ACS:Law, has resulted in a large backup archive of the server contents being made available for download, [and this archive] is now being hosted by the Pirate Bay. Within this archive are e-mails from Andrew Crossley basically admitting that he is running a scam job, sending out thousands of frivolous legal threats on the premise that a percentage pay up immediately to avoid legal hassles."

The DOS did cause leak.

[Anonymous Coward]

It was a chain of events, which was triggered by the DOS. According to what I read, in the process of countering the DOS, the default home page was briefly moved. This exposed a listing of the root directory, which happened to contain a backup image, which was rapidly grabbed by the DOSers.

Re:has resulted?

[Anonymous Coward]

The DDoS brought their servers down. They went down in flames so ACS:Law had to reinstall everything and their idiot admin exposed their entire website (mostly tons of confidential information) to the public. I downloaded it myself, the file is called backup-8.24.2010_12-58-28_acslawor and the shit I found in it was very scarry. If it wasn't for the DDoS, we wouldn't have gotten our hands on this file. Go die somewhere and stop posting shit you don't know anything about.

Re:Wow.

[timeOday]

Is what surprising? After reading the linked articles, they don't support the blurb, particularly the claim Crossley is "admitting that he is running a scam job, sending out thousands of frivolous legal threats on the premise that a percentage pay up immediately to avoid legal hassles." He does come across as something of a jerk, but then, a lot of people probably say things about ex-wives.

Re:Wow.

[tomhudson]

No, actually, making false accusations in the hope of obtaining money is extortion. While the threat of legal action is specifically exempt, the threat of public embarrassment (accusing old people of downloading a gay porn video called "Army Fuckers") is not.

Also, given that they claim to have "forensic computer evidence" when they do not (sorry, a date and time from a server log, without the hard disk in the server being removed to preserve the "evidence", and a proper chain of custody, is not "forensic evidence").

This is why BritGov is investigating them.

Re:As many suspected.

[Any Web Loco]

http://www.cps.gov.uk/legal/a_to_c/abuse_of_process/ [cps.gov.uk]

Re:Wow. - Extortion vs Coercion

[DevConcepts]

There is a difference!

http://en.wikipedia.org/wiki/Extortion [wikipedia.org]
Extortion, outwresting, and/or exaction is a criminal offense which occurs when a person unlawfully obtains either money, property or services from a person(s), entity, or institution, through coercion.

http://en.wikipedia.org/wiki/Coercion [wikipedia.org]
Coercion (pronounced /korn/) is the practice of forcing another party to behave in an involuntary manner (whether through action or inaction) by use of threats, intimidation, trickery, or some other form of pressure or force. Such actions are used as leverage, to force the victim to act in the desired way.

Re:...deliberately does not target TalkTalk or Vir

[drunkenoafoffofb3ta]

No, you're being confused by the Virgin name. Virgin Media (the broadband provider) was sold to NTL. Although Branson owns shares in the company, it's not the same company as the record label -- indeed Virgin Media pay Branson a yearly fee just to use the Virgin brand. Further, the Virgin record label was sold off to EMI years ago.

Re:Not just piracy...

[MichaelSmith]

Its been a scam for longer than the internet has been around.

Re:Wow. - Extortion vs Coercion

[commodore64_love]

Perhaps there's a difference legally, but I don't see any difference for the common man.

"Pay us $5000 or else be prosecuted," is extortion in my mind, especially since it involves money. The law firms are acting like members of The Family. "Pay us money or else we'll rough you up."

Re:Wow. - Extortion vs Coercion

[tomhudson]

Legally, any attempt to get someone to do something by means of threats, etc except the threat of legal action is extortion. That's why you can threaten to sue someone, and it's not extortion. However, the way these were done crossed over the line, in that they also included false claims of having "forensic evidence", as well as the implied threat of public humiliation for being accused of downloading gay porn, and for asking for an arbitrary amount, rather than saying "these are the damages we've suffered." That last one is a killer - you cannot just ask for money - it has to be in relation to damages.

Stores had a policy of catching teen-age shoplifters, then sending their parents a demand letter saying they wanted $300 for some nebulous "costs". The judges rightfully threw it out. When someone does you harm, you're entitled to be compensated. You may even be entitled to exemplary damages. However, unless there's an amount that is set by statute (which is why they're known as "statutory damages"), you can't just "pull a number out of the air."

Trying to get what you, as a lawyer, should know the law does not allow, is extortion because your threat of legal action is being used to commit a crime. You no longer enjoy the "except threat of legal action" exemption.

Re:Pointless.

[equex]

Anyone could have gotten the file by going there at the right moment, regardless of whether he was part of the DDoS or not. If you put a bunch of files in the web server root while its still online, you can't argue that it wasn't meant to be published, because that is where you put files when you want to publish something. It would have been different if the files where obtained from another computer. (let's say you got into a command line on the web server and found out about samba shares and whatnot, to another office machine). It is a security blunder, but you can't blame anyone else for the results. IANAL.

Correct legal terminology

[Roger W Moore]

I'd probably send a "fuck off" reply

Please, if you are replying to a legal letter the correct response is "I refer you to the reply given in the case of Arkell v. Pressdram [wikipedia.org]".

Re:Pointless.

[kurokame]

And probably all rendered inadmissible in court because they were obtained illegally.

Bullpocky. They posted it to a public server, even if it was through incompetence. They're being presented in courts as technical experts, so that little detail should be absolutely no defense.

Re:...deliberately does not target TalkTalk or Vir

[MattBD]

TalkTalk definitely haven't - they were quite vocally opposed to the Digital Economy Act, and have publicly stated that they will never surrender customer's details unless presented with a court order.

Re:Privacy, there must be a law?

[MattBD]

Sued - probably not. But they might well be at risk of prosecution. This is covered by the Data Protection Act 1998, one of the principles of which states that appropriate technical and training measures need to be taken against granting unauthorised access to data. If they are in breach of this they could well be prosecuted by the Information Commissioner's Office. DPA also requires that the data subject has consented to the processing, which makes me wonder whether by passing user data on to ACS:Law without a court order, ISP's are breaching the Data Protection Act.

Re:Wow.

[tomhudson]

Why don't you look it up yourself instead of demonstrating to the world that you're a moron?

http://www.businessdictionary.com/definition/forensic-evidence.html [businessdictionary.com]

Evidence usable in a court, specially the one obtained by scientific methods such as ballistics, blood test, and DNA test.

A letter from BT is NOT "forensic evidence". http://legal-dictionary.thefreedictionary.com/Forensic+analysis [thefreedictionary.com]

The application of scientific knowledge and methodology to legal problems and criminal investigations.

Sometimes called simply forensics, forensic science encompasses many different fields of science, including anthropology, biology, chemistry, engineering, genetics, medicine, pathology, phonetics, psychiatry, and toxicology.

The related term criminalistics refers more specifically to the scientific collection and analysis of physical evidence in criminal cases. This includes the analysis of many kinds of materials, including blood, fibers, bullets, and fingerprints. Many law enforcement agencies operate crime labs that perform scientific studies of evidence. The largest of these labs is run by the Federal Bureau of Investigation.

Forensic scientists often present Expert Testimony to courts, as in the case of pathologists who testify on causes of death and engineers who testify on causes of damage from equipment failure, fires, or explosions.

Modern forensic science originated in the late nineteenth century, when European criminal investigators began to use fingerprinting and other identification techniques to solve crimes. As the field of science expanded in scope throughout the twentieth century, its application to legal issues became more and more common. Because nearly every area of science has a potential bearing on the law, the list of areas within forensic science is long.

Again, a letter from BT is not "forensic evidence", any more than a letter from YOU would be. By itself, it proves nothing, and can't even be used as evidence.

Re:Wow. - Extortion vs Coercion

[tomhudson]

You don't get it, do you? Whether they follow through with the threat is irrelevant, same as whether you walk out of a bank with the money is irrelevant after you say "This is a hold-up" and stick a gun in the teller's face and keep it there, or then put the gun away and say "Please fill up this sack with money."

Heck, you don't even need to have a real gun.

You don't even have to have a fake gun.

Just the act of saying "I have a gun" is sufficient to be charged with armed robbery once they give you the money.

Re:Wow. - Extortion vs Coercion

[tomhudson]

Threats of legal action ae an exemption to extortion. (Nice little racket, isn't it?)

However, when they step beyond the bounds of the law - for example, threatening to sue for monetary damages without actually being able to show any monetary damages OR statutory damages, and falsely claim to have forensic evidence, when the server logs in question were not yet properly analysed (sorry, but saying that a log shows that ip 11.22.33.44 was used at such-and-such a date, without any analysis having been performed to see if the date and time are correct, that the traffic transmitted was actually the content in question, and that the ip matched that person's computer (not their account), and falsely claiming that it is illegal to have an open wifi connection, they are now into extortion.

It's why they're being investigated.

Re:Wow. - Extortion vs Coercion

[Mashiki]

Well let me point this out from Canada. In Canada coercion is illegal(unless it falls under a very limited set of exclusionary rules), and extortion is illegal. Don't do it, don't do it at all here. We will come down on you hard.

Re:has resulted?

[Khyber]

The fact they left it wholly unencrypted is one of the purest violations of the UK DPA.

Disbarment, plus jail time, is likely.