UK ISPs Profit From Coughing Up Customer Data

nk497 writes "ISPs in the UK are charging as much as £120 to hand customer data over to rightsholders looking for proof of piracy, according to the Federation Against Software Theft. While ISPs have to hand over log details for free in criminal cases, they are free to charge in civil cases — and can set the price. 'In 2006, we ran Operation Tracker in which we identified about 130 users who were sharing copies of a security program over the web,' said John Lovelock, chief executive of FAST. 'In the end we got about 100 names out of them, but that cost us £12,000, and that was on top of the investigative costs and the legal fees.'"

someone always profits

[Anonymous Coward]

someone always profits from coughing up data, especialy customer data

Re:

[Anonymous Coward]

I just hope it's not the copyright mafia!

Re:

[Anonymous Coward]

someone always profits from coughing up data, especialy customer data

The ISPs maybe doing the coughing but they placing numerous hands on the scrotum of their customer(s) in the process. Wonder if any of them can or will refuse to do so?

Re:

[pyrosine]

From the recent ACS-Law leak, ACS-Law wont contact virgin media or talktalk for customer data because they are ready to fight the claims in court.

Re:

[Anonymous Coward]

Wish Sky had taken the same approach rather than rolling over and handing out customer information at the drop of a hat. In the ACS leak there's a excel spreadsheet with the names and addresses (physical and IP) of over 8000 Sky subscribers, if Sky had a little more backbone then buzzards like ACS wouldn't have anything to feed on. I'm not condoning piracy, far from it, but it's usually the uneducated or totally innocent that end up taking it up the rear end. Fingers crossed that ACS crash and burn. Interes

Re:

[welsh git]

talktalks position on this: http://www.talktalkblog.co.uk/2010/09/28/talktalk-confirms-that-customers-not-affected-by-acslaw-data-protection-breach/ [talktalkblog.co.uk]

Re:

[mjwx]

someone always profits from coughing up data, especialy customer data

But this is a good thing, if anything it should be more expensive (and the customer should get a cut, if we lived in a fair world) as to discourage the activity.

Re:

[commodore64_love]

>>>But this is a good thing

On first-order thinking, it appears to be good to screw the RIAA/MPAA with expensive bills but on second-level thinking it's Bad. Rather than protect my data, now my ISP has a motive to sell it to these spying organizations. They'll be looking for opportunities to make profit (and screw me the customer).

The politicians in the UK have fallen victim to the law of unintended consequences - they've created a situation that encourage ISPs to NOT protect citizens' privacy.

GBP 85 / hr

[afaik_ianal]

GBP 85 / hr doesn't seem outlandishly expensive to me if you consider it a professional IT service. What would surprise me, is if there were ISPs valuing their time at less than GBP 50. What would concern me, is if ISPs were spending 10 minutes on these requests and just giving out data willie nillie.

Re:

[Anonymous Coward]

its a pitty they don't charge more, or claim it takes 8 hours per person.

Re:GBP 85 / hr

[Dr_Barnowl]

Flamebait or not, Time Warner ISP in the states does just this, claiming they can only process one of these requests PER DAY.

Re:GBP 85 / hr

[lattyware]

And this is Barry, our anti-piracy department.
Barry: Huurrrrrr Derp

Re:

[DarwinSurvivor]

flaimbait? I think the parent had a good point. Charge $10,000/query and IP trolls might be a little less willing to go identity fishing. If your identity (and privacy) is important and IPS's are required to hand over data in civil cases but given the ability to set their price, doesn't a *high* price make sense?

Re:

[b4dc0d3r]

No it isn't. Then the little guy can't afford protecting copyright. The easy way to protect GPL, for example, requires getting in contact with the infringer and educating them, and getting them to simply comply with the license. While some organizations will help with certain code, DIY types may not be able to get even that far.

Plus, this encourages providers to turn it into a revenue stream when other opportunities for growth dry up and they are simply maintaining obscene profits instead of growing them

Re:GBP 85 / hr

[Peeteriz]

In processing such requests, IT service is not the primary expense - the request validity and rights to publish data have to be vetted by lawyers, and 85/h sounds quite reasonable.

Re:

[tehcyder]

the request validity and rights to publish data have to be vetted by lawyers, and 85/h sounds quite reasonable.

Any qualified UK solicitor working in corporate law who is only charging GBP 85/hour must either be utterly fucking useless/desperate for work, or have some sinister ulterior motive.

Re:

[Peeteriz]

Don't think solicitor, think paralegal corporate drone.

Re:

[Anonymous Coward]

I think you mean, "willy nilly". Or to be a total pedant, "will-he, nill-he".

I hope they follow the law

[wvmarle]

As long as those ISPs follow the law regarding the disclosure of this personal data, I have nothing against it. Actually I would be all for it: let those rights holders pay up! After all they are losing so many billions in sales lost to piracy, that paying a few quid to get those evil pirates' names (and the rest of the population to go back to buying all those songs they are now sharing top-dollar on CD) should be no problem for them. And after all as we know it the record companies are always right in their accusations, suing only actual evil pirates, right?

Of course ISPs should only disclose personal data when the law requires them to do so. Potential profiting from non-compliance poses a danger of course. Oh well as long as the penalty for improper disclosure is high enough (preferably including throwing out court cases against alleged pirates) then they will.

Re:

[arbiter1]

follow the? when it comes to making money companies will bend any law they can so wouldn't surprise me if they were bending that law a bit

Re:

[dcollins]

"As long as those ISPs follow the law regarding the disclosure of this personal data, I have nothing against it...
Of course ISPs should only disclose personal data when the law requires them to do so."

Those are likely two very different things. If the law is "do whatever you want with customer data" (or equivalently, simply silent on the issue), then you can be releasing data without any "requirement" and still following the law.

But then maybe I've got a U.S.-biased perspective.

Re:

[arivanov]

The law in question is the data protection act.

Frankly, I do not quite see how does the data protection act authorise you to give the data in question. With fee or without. If the customer has not signed consent to have their data transferred to a third party (this is usually an opt-out option at sign-up) the ISP is not allowed to do so without a court order or without asking the customer's consent. This means that any evidence obtained this way is likely to be tainted.

UK rules on tainted evidence are not a

Re:I hope they follow the law

[Spad]

On that subject, everyone's favourite UK-based law firm ACS:Law are being investigated by the ICO [bbc.co.uk] over the data that was leaked when 4chan carried out their DDOS.

Turns out that in addition to all the internal documents, letters and other crap on their webserver they also had a load of Sky broadband subscriber information in plaintext on there; I quote "You rarely find an aspect where almost every aspect of the Data Protection Act (DPA) has been breached, but this is one of them," said Mr Davies [of Privacy International]".

Re:

[Grumbleduke]

Frankly, I do not quite see how does the data protection act authorise you to give the data in question. With fee or without.

It is my understanding that this is where the Court order comes in. And from what we've seen; provided whoever is asking for the data is willing to pay, the person who has the data may not put up a fight. However, it seems that even the judges are beginning to question this [torrentfreak.com].

Plus the Data Protection Act (based on the EU data protection directives) is all about consent; if when you signed your ISP agreement there was a clause that said "we will not share the data with any third parties unless required to do s

Re:I hope they follow the law

[Rogerborg]

I do not quite see how does the data protection act authorise you to give the data in question.

What, you can't read the Act?

29 Crime and taxation

(1)Personal data processed for any of the following purposes--
(a)the prevention or detection of crime,
[...]

are exempt from the first data protection principle

Go on, argue that copyright infringement isn't a "crime". Then read the Copyrights Designs and Patents Act 1988, section 107 1, (e)

107 Criminal liability for making or dealing with infringing articles,
(1)A person commits an offence who, without the licence of the copyright owner--
[...]
(e)distributes otherwise than in the course of a business to such an extent as to affect prejudicially the owner of the copyright
an article which is, and which he knows or has reason to believe is, an infringing copy of a copyright work.

That's the controlling statute. The only argument to be made is whether sharing a file constitutes "distributes [...] to such an extent as to affect prejudicially the owner of the copyright".

Now, we can have an informed debate. Go ahead.

Re:

[jrumney]

The personal data is being requested for civil cases, not criminal ones.

Re:

[tehcyder]

Now, we can have an informed debate. Go ahead.

*tumbleweed drifts across this thread*

Re:

[wvmarle]

From a previous /. story [slashdot.org] you may recall that the UK has pretty stringent laws on the disclosure of personal data. Basically no disclosure to third parties without court order.

Re:

[ais523]

Interestingly, this is one of only two laws I was taught in school (the other being the Race Relations Act). I think it's on the official school curricula here in the UK.

Re:

[ObsessiveMathsFreak]

As long as those ISPs follow the law regarding the disclosure of this personal data, I have nothing against it.

You know, legality and morality are two different things. Ethicality is a third. Just because something is legal, that doesn't make it the right, correct or civic thing to do.

So, even if the ISPs are following the law to the letter in this, I think selling customer data this way is wrong--massively wrong. This is a huge breach of customer trust, and for nothing but greed besides. The corporate mode

Re:

[wvmarle]

So, even if the ISPs are following the law to the letter in this, I think selling customer data this way is wrong--massively wrong. This is a huge breach of customer trust, and for nothing but greed besides. The corporate model fails society yet again.

When the law requires the ISP to give those details they should do it. That's nothing to do with failure of the corporate model: the businesses are only doing what the government thinks they should do. So it's a governance issue that's at stake here.

Re:

[account_deleted]

Comment removed based on user account deletion

GOOD!

[sjames]

The more they charge the better. If it actually costs some real money, the rights holders will naturally be driven to avoid the frivolous requests they've become notorious for. Alas, 120 isn't likely enough. After all, the biggest repeat customers can and do afford a noticeable percentage of Bolivia's "agricultural exports" all by themselves. Perhaps if they spend 10K to find the name and address of someone offering a recording of Dr. Usher's lecture for download they'll finally start bothering to check the content first.

Good for them

[MrDoh!]

FAST has very dubious practices to get people to cough up to join their little group 'we offer a reward for copied software your employees may report to us, if you pay us, we'll let you know that we've had a report and let you get legit before we set the attack lawyers onto you". Anything to gouge them of some of their dubiously gained monies is great by me.
That advice about never talk to a cop because they'll twist it around somehow to ensnare you, even (probably) if you're innocent? They've got nothing on these jokers.

Re:

[tehcyder]

That advice about never talk to a cop because they'll twist it around somehow to ensnare you, even (probably) if you're innocent?

Don't forget the UK police caution is: "You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in court."

There is no right to silence in the UK.

Boohoohoowawa

[xtracto]

'In 2006, we ran Operation Tracker in which we identified about 130 users who were sharing copies of a security program over the web,' said John Lovelock, chief executive of FAST. 'In the end we got about 100 names out of them, but that cost us £12,000, and that was on top of the investigative costs and the legal fees.'"

Cry ME a fucking river crybaby. Boohoo... we want to screw people, and want to make ISPs screw their customers with laws that we have made by buying legislators... and ISPs are charging us to screw their customers... the nerve of them I say! how can they!

I wonder if this opens the ISP's up to liability..

[grelmar]

Not exactly sure about the UK, but I know here in Canada that FOIP (Freedom of Information and Privacy Act) has provisions that mean that ISPs aren't allowed to give out that info without a court order, and would be subject to Federal criminal prosecution if they did hand out the info to private 3rd parties. I had thought the laws were similar in the UK. It would be interesting if one of these users sued their ISP for unlawful disclosure of personal information. The privacy act in the UK can be nasty to

Re:

[Grumbleduke]

If you read the summary it mentions that "they are free to charge in civil cases". In fact, the article itself states: "Under UK law, rights holders can only obtain details of who was using an IP address when copyright material was downloaded by obtaining a court order."

Basically, they still need to get the Court order, but that just forces the ISP to hand over the data - the ISP can still charge an "administrative fee" for doing so. In these cases, the disclosure is done as the result of a court order (so

Charge more!

[muzicman]

My belief is that they ISP's should charge more. £10000 per person. At least then they would be able to sort out the shambles that is "up to 20 MEG DOWNLOAD!!!" and you never get more than 200mbits per sec. YOU KNOW WHO YOU ARE!

Re:

[jimicus]

200 Mbits/sec is 20 meg download.

Security warez?

[Anonymous Coward]

I find it incredible that there are

130 users who were sharing copies of a security program over the web

That's a lot of people who are concerned about security enough to get special software for it, but never stopping to think that the copies they're illegally downloading might be compromised?
We're all doomed.

Re:

[tehcyder]

In other news, not all of the people downloading warez copies of Photoshop Cs5 and NFL Madden 2011 are 1337 H4x0rz.

Illegal...?

[RichiH]

I dunno, maybe I am missing something, but either you _have_ to give out the data by law in which you can't charge anything. Or you do not _have_ to give out the data in which handing it out seems questionable at best. Charging for it smells illegal, to me.

Re:

[account_deleted]

Comment removed based on user account deletion

This is BAD not good

[rcb1974]

This is bad because ISPs now have an incentive reveal your identity to the mega corporations who will sue you. If all ISPs in the UK are required to do this, then ISP won't need to worry about losing customers by revealing their customer names. Here's how it will work:

1) MPAA pays ISP $120 to get your name from your IP address. I don't know why people still think that the ISP account holder is necessarily the person who is sharing copyrighted material.
2) ISP profits!
3) MPAA sues you for $150000, but settles for $3000.
4) MPAA profits! ($3000 - $120 - $0.5 (stamp)) = $2879.50

YOU LOSE $3000, lot of sleep, and get stressed because you feel so powerless to stop those parasites.

Re:

[mlk]

ISP gains $120 (£75) - or about 4 months of interwebs.

So in exchange for a previously loyal customer that would happily be paying $300+ a year the ISP gains $120 plus any contractual obligations (i.e length of the contract) then the user moves ISPs looking for one that does not give data away so easily.

I'm not sure the ISP really profits in this.

Re:

[rcb1974]

If all ISPs are required to obey the same law, then no single ISP has to worry about losing customers. This is because customers won't have any other ISP they could run to that wouldn't also have a financial incentive to report them to the MPAA/RIAA. So basically UK people are screwed unless they setup their own wireless or laser link that transmits stuff directly to France/Ireland/other country within range (Sealand?) that isn't bound by UK law.

Re:

[mlk]

Except not every UK company does simply hand the data over. The law companies involved avoid some ISPs (Virgin and O2 I think) as they will fight the court orders requesting the information.

I've got an idea...

[jesseck]

How about pass savings to a customer? If you are getting paid 120 per inquiry, then those subscribers are becoming a revenue stream for your ISP. Knock off some percentage of their bill for a while, to encourage their staying with your service. Hell, next time they are accused of infringing, you get 120! Since people don't like change, even if they wanted to change ISPs after you shared their data, they will be getting a discount, so they are less likely to move.

ISPs can recover costs, even in criminal cases

[malx]

OP said

While ISPs have to hand over log details for free in criminal cases, they are free to charge in civil cases

Actually, ISPs routinely charge the cost of obtaining, processing and handing over log details when asked for it by law enforcement authorities under the Regulation of Investigatory Powers Act 2000, including when the data is needed for criminal investigations.

ISPs aren't allowed to make a profit from providing this data, whether for civil litigation or criminal investigations, just recover their costs. However ISPs' costs can be substantial: ISPs don't just spend time fishing out the records and handing them over, there are also significant overheads in training and systems to ensure this data is only handed over when it should be, to make sure the requesting authority is genuine and the ISP isn't being subjected to an imposter trying a social engineering attack, and so forth. Larger ISPs/telcos run dedicated units to cope with the high volumes of request from public authorities (in total, hundreds of thousands of RIPA requests are made each year, although most of these are for telephony data rather than Internet accounts).

For confirmation see Chapter Four of the relevant Code of Practice [homeoffice.gov.uk].