British ISP Sky Broadband Cuts Off ACS:Law

An anonymous reader writes "British ISP Sky Broadband cut off ACS:Law and refuses to cooperate after at least 4,000 of their customers' information was carelessly leaked. According to Sky Broadband, 'We have suspended all co-operation with ACS:Law with immediate effect. This suspension will remain in place until ACS:Law demonstrates adequate measures to protect the security of personal information.' Sky Broadband had been providing customer information to ACS:Law as part of their anti-piracy operation."

and the pornography they're accused of sharing

[MichaelSmith]

..we need more detail about this. Examples are required.

Re:and the pornography they're accused of sharing

[jack2000]

Why hello there.

Re:and the pornography they're accused of sharing

[MoonBuggy]

One of the more interesting aspects of this story is the attempt at damage control that ACS:Law are trying to pull. To quote their statement to the BBC: "All our evidence does is identify an internet connection that has been utilised to share copyright work," he told BBC News when pressed about the BSkyB database. "In relation to the individual names, these are just the names and addresses of the account owner and we make no claims that they themselves were sharing the files," he added.

Seems a pretty sharp turnaround from threatening legal action against those people based on that same evidence, doesn't it?

Re:and the pornography they're accused of sharing

[matazar]

I think the best part is them claiming that they were hacked, when in reality they made the site's backup available on their main page for all to download for a short period of time when they were trying to restore the site after the DDoS attack. A zip file that was not encrypted in any way that contained EVERYTHING.
Smart move guys! Especially considering the amount of page requests you were getting,

Re:and the pornography they're accused of sharing

[Clandestine_Blaze]

According to this article, 4chan was thought to be behind the data breach. There's even a screen shot in the article taken from the forums, though there's nothing in there that says what they were planning on doing specifically. Regardless of how the data was exposed, they deserve the potential half a million pound fine for keeping so much personal data on people in unencrypted files.

Actually, they're pretty lucky if they get away with only a half a million pound fine.

Re:and the pornography they're accused of sharing

[SuricouRaven]

Unencrypted files on a webserver at that.

4chan was the cause of the breach, but not intentionally. Their DDoS successfully shut down the website. ACS:Law's IT staff attempted to disable that function of their server in order to minimise the impact of the DDoS on other aspects of the business, but in their haste they screwd up and revealed that the site backups were actually on the webserver, hidden only by not publishing the filename to retrieve them. ACS took down the files for their website, server started returning the index page by default, backup files revealed.

Re:and the pornography they're accused of sharing

[Xest]

This is why they're in breach of the data protection act on a massive scale. The hack wasn't the result of the leak of customer data, their incompetence and poor data protection practices were.

The information commissioner's comments were interesting on the news last night- he said something along the lines of "I don't have the power to shut a company down, but I can issue a fine of upto half a million pounds which can obviously have a devastating effect on a company of this size". His comment seems quite telling as to what he perhaps has in store for this company due to the fact they've breached the DPA on a massive scale.

What I'm not sure about, is whether private citizens have any legal recourse for compensation also- can the people whose details were leaked now sue the company for this? If they were not the ones who downloaded the materials can they sue under defamation laws or similar? I know if I was on those lists I'd certainly be exploring my options to give them a taste of their own tactics.

Hopefully this will be devastating for ACS:Law, and it might also be worth noting that under the DPA individual employees can be held criminally responsible for unauthorised release of data too such that for example, the IT guy there who put the personal data on the public web may face a personal fine or prosecution also.

It's nice that for once, a combination of incompetence and assholery may just be receiving the kind of response it deserves rather than simply being sweeped under the carpet. Partly because our information commissioner is more keen on punishing private sector breaches like this that fall under his remit than the police or government are over similar matters (e.g. Phorm) that fall under theirs. The only downside to the guy is he still seems to let public sector breaches go largely unpunished - i.e. the infamous HMRC 25 million record breach, although I suspect that's more a case of the government exerting influence on him (i.e. the threat of redundancy).

Re:and the pornography they're accused of sharing

[Kijori]

What I'm not sure about, is whether private citizens have any legal recourse for compensation also- can the people whose details were leaked now sue the company for this? If they were not the ones who downloaded the materials can they sue under defamation laws or similar? I know if I was on those lists I'd certainly be exploring my options to give them a taste of their own tactics.

Under the Data Protection Act, data subjects (as they are rather unappealingly known) can claim damages from a company that does not process their data in accordance with the act. The firm here would appear to be rather egregiously in violation of the act, so damages will almost certainly be available. Even if they weren't, I suspect that an action for negligence would also succeed, on the grounds that the company did not take the steps that would be reasonable to avoid this information being released.

The more difficult question will be the damages. There are no grounds for exemplary or punitive damages here, so the only damages available will be compensatory, meaning that the claimant must show a loss that would be reasonably forseeable by someone releasing this information - damage to reputation would seem the obvious possibility. Given that there has been no widespread publication of the list (it has not, for example, been republished in newspapers), that, given its length, individuals are unlikely to come to any particular personal attention as a result of it, and that most people on the list will not trade based on a reputation that would be damaged by this list I don't think the damages will be particularly high. In an effort to restrain the figures that will be thrown around by Slashdotters I would point out that Elton John, a figure much more famous than most people on this list and whose reputation is important to his success, was awarded £25,000 for damage to his reputation following a much more damaging article. Unless people begin to be singled out and suffer harassment because of the list I cannot see how they could suffer damage beyond perhaps distress from the possibility of future harassment.

Of course I should add the standard disclaimer that you should never take legal advice from people on the internet. If you figure on the list the person best able to advise you is your solicitor.

Re:and the pornography they're accused of sharing

[Ash+Vince]

One of the more interesting aspects of this story is the attempt at damage control that ACS:Law are trying to pull. To quote their statement to the BBC: "All our evidence does is identify an internet connection that has been utilised to share copyright work," he told BBC News when pressed about the BSkyB database. "In relation to the individual names, these are just the names and addresses of the account owner and we make no claims that they themselves were sharing the files," he added.

Seems a pretty sharp turnaround from threatening legal action against those people based on that same evidence, doesn't it?

British liable law is a bitch. Threatening legal action is protected but any other form of accusation in a public forum can get your arse sued into last week unless you can 100% prove that every word you say is true.

ACS Law know that and know that if a competing law firm started going round down list and offering people a no win, no fee deal then ACS Law could be defending itself from liable cases on a permanent basis. If the director of ACS Law stood up on TV and said that every person on this list had downloaded porn or even implied it he could suddenly find himself on the receiving end of one legal summons for every person on that list and they would be demanding a shit load more than £500. Liable cases for defamation in England have the damages set by home much the person who was defamed lost, and this can be a shit load if they lost some sort of contract or job as a result of appearing on this list.

This would not just bankrupt his company, this would be a bye bye house type scenario as he could be sued into personal bankruptcy. This would also shit all over him ever being the director of a company ever again and may well prevent him from being a solicitor.

So yes, what a surprise, he engages in a massive damage limitation exercise that desperately tries to keep him and his worthless little company just above water rather than so far underwater he was actually turning into oil.

Re:and the pornography they're accused of sharing

[rtb61]

More embarrassingly that disclosed information also detailed ASC:Law main business tactic. File copyright claims againts people for P2P porn ie. blackmail them into paying off rather than be publicly disclosed for sharing same rather nasty porn basically a 500 pounds a go.

More coverage here http://arstechnica.com/tech-policy/news/2010/09/amounts-to-blackmail-inside-a-p2p-settlement-letter-factory.ars/.

Apparently the normal route of extorting poor people to pay off rather than fight of the civil suits as done in the US doesn't really work in the UK as such the have gone down the blackmail route. It will be interesting to see what happens in France now that the right wing government has allowed open slather on basically baseless "WeSaySo" copyright claims (http://muppet.wikia.com/wiki/WESAYSO dinosaur claims from a dinosaur industry).

Re:and the pornography they're accused of sharing

[Ash+Vince]

Unfortunately this comment is an example of one of the problems with Slashdot, and the one to which, I think, you allude in your signature: people confidently making statements about matters of which they have either no or next-to-no knowledge. It is also, I believe, an illustration of the danger when making such statements: others may assume them to be accurate and authoritative and repeat them to a wider audience, inevitably with the effect that eventually the comments begin, as here, to resemble the confused results of a game of Chinese whispers.

I should begin by pointing out that the law to which you refer is "libel". Liable is an adjective.

Secondly, it is not in any way correct to say that "any other form of accusation in a public forum can get your arse sued into last week unless you can 100% prove that every word you say is true". This implies a level of rigidity of the law that quite simply is not correct. Moreover it ignores the provisions of the Defamation Act 1996 which can act to shield the defendant who has accidentally defamed a third party.

Thirdly it is not correct to imply as you do that a "damage limitation exercise" is necessitated to avoid legal action for defaming the people on the list. Defamation being a matter of fact for a jury it is not possible to say with certainty that they will not be held liable, but I would suggest that a reasonable person would not consider the list, accidentally published, to imply guilt. The case of Lewis v Daily Telegraph (1964) AC 234 might be a useful starting point to understand the courts' view in similar cases.

I don't propose here to set out the actual state of British defamation law, nor to explain the situation of the law firm here involved. My point was simply to point out that repeating Slashdot "wisdom" results in the perpetuation of ideas that are incorrect, sometimes dramatically.

Replying as an AC replied to my post with some damn useful and interesting info.

Firstly, a little aside: Many people on Slashdot will simply never see posts like this as they apply a -5 modifier to all posts from an AC and browse at a score of 1 or above only.

Secondly, thanks for the correction and the references to case law. I did actually study law many years ago but not libel (Law of Contract and Legal History).

I was trying to say in post that if the director of the company in question were to stand up and say "the people on the list all illegally downloaded porn" on national TV he would have certainly libelled the people contained on this list. This would open him up to a libel case from every person contained on this list which they stood every chance of winning. I do know enough about English libel law to state this with some degree of certainty. He could simply say he had no comment regarding this list but this would have made for a very short interview that would unlikely have been published.

I also know that damages in libel cases can run into large amounts of money very quickly if the plaintiff can prove they suffered measurable losses to that amount as a result of statement in question. Being the large number of people on the list this could drive a single defendant into personal bankruptcy very quickly. People who have been declared bankrupt and not discharged their debts are banned from acting as company directors and may even be sent to prison for doing so.

Now it is true under the Defamation Act 1996 that he may avoid being sued for libel if he chooses to make amends, but this is simply ridiculous as to use in this contact as it would still involve paying the aggrieved party any damages they felt they suffered.

I do concede though that my original post was pure junk, filled with misused words and piss poor grammatical errors. It was also very poorly written in terms of getting across my main point. Hopefully this one corrects that.

blackmail

[MadUndergrad]

So the blackmailer accidentally exposes the blackmail, and Sky is upset not because they've been working with a blackmailer but because the blackmail got out early. Classy.

Re:blackmail

[Moryath]

Of course Sky is upset because the blackmail got out - they were KNOWINGLY WORKING WITH THE BLACKMAILERS.

Whoever greenlit "working with" ACS:Law or anyone else of the sort at Sky ought to immediately be canned, stripped to their underwear, and unceremoniously thrown into the street never to find a job working at any telecommunications or technology firm again. And the people who hired those idiots should get the same treatment.

Re:blackmail

[mpe]

So the blackmailer accidentally exposes the blackmail, and Sky is upset not because they've been working with a blackmailer but because the blackmail got out early.

Hopefully the Information Commisioner's Office will next turn their attention to Sky and any other ISPs who have worked with this bunch of shysters.

Re:blackmail

[interkin3tic]

ought to immediately be canned, stripped to their underwear, and unceremoniously thrown into the street

You're doing it wrong! If you fire them first, you don't get to coerce them to strip THEMSELVES down to their underwear and throw THEMSELVES into the street in vain attempts to save their jobs, then laugh at them when you tell them they're still fired.

Re:blackmail

[naich]

Everybody who gives even the smallest shit about the way Sky treat their customers should immediately unsubscribe to all Sky services.

But that would mean that they couldn't watch football. Oh well. It was a nice idea. Carry on screwing everyone with impunity Sky.

Should of refused to cooperate from the start.

[spikestabber]

Do UK ISP's not have a set of balls to stand up for their customers? They were so against the Digital Economy Act, but when it comes to giving up their customer details to a shady law outfit that wants to extort them, thats apparently just fine.

Re:Should of refused to cooperate from the start.

[Eunuchswear]

Punctuation goes on the inside of quotation marks, not the outside.

Not in British usage (or traditional computer geek usage for that matter(*)).

* A true geek puts punctuation that is part of the quotation inside the quote marks, that which is not outside. Your punctuation inside the quoutes in the first of your points is an offense to our eyes, you should have written:

1. Who is "Fuck", and why should he damn it? Perhaps you were looking for "God damn it" or "fucking damn it"?

Re:Should of refused to cooperate from the start.

[LainTouko]

They're not a single cohesive group. Some do stand up for their customers, and oppose things like the Digital Economy Act, some just want to sell them out. It's not surprising to find one owned by Rupert Murdoch being of the latter persuasion.

Re:Should of refused to cooperate from the start.

[Spad]

Virgin & Talk Talk did; almost all the others agreed in advance not to contest applications by ACS:Law for court orders compelling them to divulge user information, which made it trivial for them to operate their little extortion scam.

Technically, it's a DPA breach for ISPs to provide user information to a 3rd party *without* a court order (or the explicit permission of the user in question).

Re:Should of refused to cooperate from the start.

[SuricouRaven]

This is correct - it's in the jargon file. The techie convention, which grow from programming, is to treat quotation marks as perfectly literal. What goes in them is an exact quote, character-for-character, byte-for-byte. That means you don't mess around with the punctuation inside just to make it easier to read.

This is also helpful when telling someone their password is "password." Is that period included or not? It's ambiguous in common english usage.

Re:Should of refused to cooperate from the start.

[Aceticon]

Do UK ISP's not have a set of balls to stand up for their customers? They were so against the Digital Economy Act, but when it comes to giving up their customer details to a shady law outfit that wants to extort them, thats apparently just fine.

This is Sky we're talking about here: they're a media-company/broadcaster with an ISP-to-make-the-packages-more-attractive on the side. Their main business is pay-TV. What do you expect from them?

In fact, given their main business line, they're glad that bottom-dweller-scum-feeding companies like ACS:Law exist and do what they do and probably even sent over a complimentary bottle of Champagne with their first list of customer names and addresses.

Same thing with other media businesses with ISPs on the side such as Virgin (a conglomerate that specializes in looking cool and self-benifiting billing mistakes).

Beyond that you have the big, mass-market, cheap-but-its-a-tenth-of-the-advertised-speed ISPs who don't really see the point in fighting for a couple (of thousands) of customers.

In the UK, if you want ISPs with a spine you need to go for the small ones, preferably those with fewer customers than the threshold of the Digital Economy Act (400,000). They're also the same that don't do fishy things like filtering your Internet, blocking ports, gathering and selling information on customer habits or throtling down connections. The big ones are either a joke or have interests in media and are thus likelly to make more money from their share of copyright infringement "fines" than from the actual customer fees.

This not being the US, laws where long ago passed to force the incumbent Telcos to open up their networks to any ISP, so there are a lot of smaller ISPs around.

Hmm...

[s0litaire]

...something about locks, a stable door and a horse comes to mind...

Re:Hmm...

[TheGratefulNet]

and for extra points, this horse happens to be named 'streisand'.

anyone who didn't know these guys were incompetants, knows it now.

For those like me who don't know what ACS:Law is..

[JoshuaZ]

ACS:Law is a British lawfirm that has done a lot of IP related stuff although apparently was not all prominent until their recent forays into dealing with piracy issues. http://en.wikipedia.org/wiki/ACS:Law . They should not be confused with the American Constitution Society, although that organization has the website acslaw.org. ACS:Law's homepage is http://www.acs-law.co.uk/ although amusingly enough it doesn't turn up on the first page of Google hits at all when you Google for "ACS Law."

Re:For those like me who don't know what ACS:Law i

[MichaelSmith]

They should not be confused with the American Constitution Society

And the Australian Computer Society.

Rudyard Kipling

[Bob9113]

It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
You will find it better policy to say: --

"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that plays it is lost!"

- Kipling

ISPs, I know you see dollar signs in your eyes when you think of ways to be the gatekeeper, and find colluding with the usurpers profitable. But when you feed them, they grow. Be it government, lobby, or privileged corporation seeking more privilege, they will never stop. If you think you can make them your ally, you are fools. Their hunger cannot be sated. They will eat everyone you feed them, then finding their bellies fat but their plates empty, they will devour you.

Serve the user. Fight for the right to provide an honest service. There you will find a rare thing these days: A business model which is stable in the long run. The road you are on leads to fleeting riches followed by Herculean efforts just to restore the tenth part of what you are pissing away today.

Re:Rudyard Kipling

[AJWM]

Exactly so.

"...we've proved it again and again,
That if once you have paid him the Dane-geld
    You never get rid of the Dane."

Re:Rudyard Kipling

[rsborg]

Dane-geld today is what're called Monopoly Rents. Corporations that seek this kind of payment are rent-seeking (as opposed to profit-seeking, meaning to gain profits by value-add).

Good tactic

[russotto]

This does suggest a way those willing to take direct action could hurt the xxAAs efforts. DDoS attacks are just a nuisance, but theft of sensitive data drives a wedge between the xxAAs and the ISPs they need to co-operate with them.

Re:Good tactic

[fluffy99]

This does suggest a way those willing to take direct action could hurt the xxAAs efforts. DDoS attacks are just a nuisance, but theft of sensitive data drives a wedge between the xxAAs and the ISPs they need to co-operate with them.

It's a fine line though. Some politician could easily spin this so that it appears that evil pirates are hacking into systems and exposing the personal data of innocent folks. Of course more legislation would be needed to go after these evil-doers.

Re:Good tactic

[Pax681]

without the DDOS attack the info would never have been accessible to those who took it thus , it could be said the DDOS was successful

Re:For those like me who don't know what ACS:Law i

[iammani]

A small correction. Their homepage is http://www.acs-law.org.uk/ . Anyway they seem to have been slashdotted (and 4channed probably), so it doesnt matter what their website is.

Great PR

[Psychor]

It seems Sky are very quick to trumpet in a press release how wonderful they are now that they've decided not to continue handing over thousands of customer details to a company with woefully inadequate security procedures (for now). However personally I'd be more impressed if they'd verified that the details would be handled securely before handing them over and getting them leaked in the first place.

I guess the main lesson for us Brits here is to make sure all your pornography is hardcore enough that it's illegal in the UK, then you can't be held in breach of copyright for sharing it. You will of course break some other laws, but there isn't much that's legal here these days anyway!

Re:Great PR

[mpe]

It seems Sky are very quick to trumpet in a press release how wonderful they are now that they've decided not to continue handing over thousands of customer details to a company with woefully inadequate security procedures (for now).

Were they actually complying with the law in handing over the data in the first place? This is the kind of question the ICO needs to be asking of Sky (and other ISPs).

However personally I'd be more impressed if they'd verified that the details would be handled securely before handing them over and getting them leaked in the first place.

If they were to do this they should be charging that company a suitable fee. Probably also requiring a suitable court order.

Re:Great PR

[MrNemesis]

I think the parent is referring to the so-called laws banning "obscene" pornography in the UK (mostly S&M IIRC). The same hilarious laws that say "You can legally DO that thing to that person... but if you film it, take a photo of it or write about it you're going to prison!". Forget the name of the law itself and google isn't proving helpful.

Of course, what with "obscenity" being the best Aunt Sally in the world - especially when you aren't allowed to describe what it is - no-one wants to back the victims of an idiotic law. Because, y'know, if you support free speech and/or logical laws you must be one of those obscene people and the stuff I see in my head when I think of "obscenity" makes me disgust you!

What's the legality of the ISP sharing the info?

[fluffy99]

Just wondering if the customers have any grounds for suing the ISP. Did their contract have terms that even allowed them to share the info with this legal firm? Would inspection of the traffic flows to generate the data provided to the law firm constitute invasion of privacy or illegal wiretapping?

Re:What's the legality of the ISP sharing the info

[mysidia]

You know... the UK has this thing called the Data Protection Act

I'm very concerned about Sky Broadband's actions, and I wonder how they could possibly be legal under the act.

The Internet is for Porn

"...the ultimate exposure of thousands of individual's personal information - their IP addresses, their names, addresses, and the pornography they're accused of sharing."

Oh. Um, well, DAMMIT!

Re:For those like me who don't know what ACS:Law i

[PatPending]

A small correction. Their homepage is http://www.acs-law.org.uk/ . Anyway they seem to have been slashdotted (and 4channed probably), so it doesnt matter what their website is.

Slashdotted my arse; did you read the title of the post? British ISP Sky Broadband Cuts Off ACS:Law (emphasis added).

Perhaps Mr. Praline can explain it better:

'E's passed on! This website is no more! It has ceased to be! 'E's expired and gone to meet 'is maker! 'E's a stiff! Bereft of life, 'e rests in peace! If you hadn't nailed 'im to the server rack 'e'd be pushing up the daisies! 'Is metabolic processes are now 'istory! 'E's off the twig! 'E's kicked the bucket, 'e's shuffled off 'is mortal coil, run down the curtain and joined the bleedin' choir invisibile!! THIS IS AN EX-WEBSITE!!

Re:For those like me who don't know what ACS:Law i

[iammani]

British ISP Sky Broadband Cuts Off ACS:Law

Mmm, I read it as British ISP Sky Broadband Cuts Off [Ties with/Cooperation with] ACS:Law. Now that I have RTFAed, it seems they actually did mean it both literally (cut access to the website) and figuratively (cooperation with ACS:Law).

Re:What's the legality of the ISP sharing the info

[SydShamino]

Had you read the Plusnet link in the summary, you'd see, at least for that ISP, ACS:Law requested and received court orders requiring the delivery of customer information. It's not likely that they took different action with Sky Broadband.

In other (U.S.) words, ACS:Law acquired sensitive information via John Doe discovery, then put that information, unencrypted, on their web site. The people who provided it to ACS:Law under the directive of a court order aren't likely culpable.

Of course; this is the Murdochs

[Kupfernigk]

Whose newspapers are now behind a paywall? Whose online readers are widely believed to have nosedived? Who wants to prop up their business model by slowly working to outlaw all free content on the Web?

Anybody who thought it was a good idea to buy their internet connection from a media company obviously doesn't understand how capitalism works.

Slightly OT, the failure to understand the need to separate content from channel was one of the major failings of the last British Government, along with Mandelson's "Digital Economy Act", which basically gave citizens no redress against these coercive lawyers. I'm waiting to see if Ed Miliband will get this, and consign Mandelson to the dustbin. But I'm not hopeful.

Re:For those like me who don't know what ACS:Law i

[mpe]

I thought it was some weird perl module.

No doubt someone will now write a perl module which accuses random ISP customers of copyright infringement.

Re:What's the legality of the ISP sharing the info

[SuricouRaven]

Under the DPA, the customer must be informed. Just what 'informed' means is open to interpretation. It is usually sufficient to include a single line on page 37 of the 98-page contract. Such contracts also have a standard clause allowing the ISP to change the terms at will.

Kipling was indeed a prophet

[Kupfernigk]

Given our current financial crisis, I can't help adding a bit more Kipling:

As I pass through my incarnations in every age and race,
I make my proper prostrations to the Gods of the Market Place.
Peering through reverent fingers I watch them flourish and fall,
And the Gods of the Copybook Headings, I notice, outlast them all.

The "Gods of the Copybook Headings" are exactly what you are describing.

Kipling was widely regarded as an Imperialist, but in fact he believed in the fundamental equality of all human beings - the heroes of Kim are, respectively, Irish, Afghan, East Indian and Tibetan Buddhist - the importance of blue-collar workers, and the importance of a stable economy based on mutual trust. It's a pity he has no modern equivalent.

I'll say it.

[Revvy]

Nice work, anonymous. Thanks.

Are Sky Liable?

[symes]

IANAL - but my understanding of British Data Protection Law is that the person who owns the data is ultimately responsible for how that data is used. So by giving their customers' personal information to ACS, which was in turn leaked, might mean Sky customers can take action against Sky. Maybe there's someone here who can advise?

Re:Are Sky Liable?

[jonnyj]

Under the DPA, there's an arcane difference between data controllers and data processors. ACS:Law would almost certainly have beome a controller of this data, so Sky's responsibility would have ended once it was securely transferred. A particular problem for ACS:Law is that the DPA places additional safeguards around sensitive data, which includes sexual orientation and practice. Data that allegedly describes individuals' pornography viewing habits almost certainly falls within that definition, and deserves particular security measures. The ICO is right to be incandescent with rage.

acs law probably broke the law

[Colin+Smith]

the data protection act requires you to take reasonable steps to protect information . Putting it on a web site does not seem reasonable .

Re:What's the legality of the ISP sharing the info

[arkhan_jg]

ACS:Law were using Norwich Pharmacal civil orders against the ISPs; there basically demand information relevant to a future court case from a third party, in this case the ISP. Sky broadband chose not to contest these court orders, and just supinely handed over the data. Nor did they notify their subscribers that such an order was taking place, so they could fight it if they chose.

In fact, ACS:Law were combining these requests into huge tranches of data - one such recent one was 25,000 BT Broadband IP addresses, expected to ID 15,000 subscribers.

Virgin and Talk Talk refused to go along with these orders without a fight - potentially forcing ACS:Law to do a Norwich Pharmacal order per individual IP, which would be ruinously expensive - so the leaked emails reveal that ACS:Law specifically did not target them.

So yes, it's true that Sky Broadband were under court order - but it was one they supinely accepted, with the IP addresses in bulk. Uncontested, the judge has little choice but to rubber-stamp the request from ACS:Law. Sky may not be at fault for the data breach (they hand the data over securely), but they certainly are for co-operating with ACS:Law, a known dodgy legalised extortion outfit, without even bothering to attempt to protect their customers.

ACS:Law is under investigation by the Solicitors Regulation Authority for the way they go about their 'letters with menaces, demanding £495 or else' campaign; Crossley, their head solicitor, has been investigated twice before.