Slashdot Mirror


British ISP Sky Broadband Cuts Off ACS:Law

An anonymous reader writes "British ISP Sky Broadband cut off ACS:Law and refuses to cooperate after at least 4,000 of their customers' information was carelessly leaked. According to Sky Broadband, 'We have suspended all co-operation with ACS:Law with immediate effect. This suspension will remain in place until ACS:Law demonstrates adequate measures to protect the security of personal information.' Sky Broadband had been providing customer information to ACS:Law as part of their anti-piracy operation."

18 of 121 comments

  1. and the pornography they're accused of sharing by MichaelSmith · · Score: 4, Funny

    ..we need more detail about this. Examples are required.

    1. Re:and the pornography they're accused of sharing by jack2000 · · Score: 5, Informative
    2. Re:and the pornography they're accused of sharing by MoonBuggy · · Score: 4, Interesting

      One of the more interesting aspects of this story is the attempt at damage control that ACS:Law are trying to pull. To quote their statement to the BBC: "All our evidence does is identify an internet connection that has been utilised to share copyright work," he told BBC News when pressed about the BSkyB database. "In relation to the individual names, these are just the names and addresses of the account owner and we make no claims that they themselves were sharing the files," he added.

      Seems a pretty sharp turnaround from threatening legal action against those people based on that same evidence, doesn't it?

    3. Re:and the pornography they're accused of sharing by matazar · · Score: 5, Informative

      I think the best part is them claiming that they were hacked, when in reality they made the site's backup available on their main page for all to download for a short period of time when they were trying to restore the site after the DDoS attack. A zip file that was not encrypted in any way that contained EVERYTHING.
      Smart move guys! Especially considering the amount of page requests you were getting,

    4. Re:and the pornography they're accused of sharing by SuricouRaven · · Score: 4, Informative
      Unencrypted files on a webserver at that.

      4chan was the cause of the breach, but not intentionally. Their DDoS successfully shut down the website. ACS:Law's IT staff attempted to disable that function of their server in order to minimise the impact of the DDoS on other aspects of the business, but in their haste they screwed up and revealed that the site backups were actually on the webserver, hidden only by not publishing the filename to retrieve them. ACS took down the files for their website, server started returning the index page by default, backup files revealed.
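
The failure described in the two comments above (site backups kept in the web root, then exposed once the index page was gone) is something an administrator can audit for on their own server. This is an added example, not part of the original thread; the extension list, index filenames and sample layout are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed defaults for this sketch; match them to the server's real config.
ARCHIVE_EXTS = (".zip", ".tar", ".tar.gz", ".tgz", ".7z", ".rar",
                ".bak", ".sql", ".sql.gz")
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.htm"}

def audit_webroot(root):
    """Return sorted (finding, relative_path) pairs for a document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Without an index file, a server with automatic directory listing
        # enabled will show every filename in this directory.
        if not {f.lower() for f in files} & INDEX_NAMES:
            findings.append(("no-index-file", rel_dir))
        for name in files:
            # Archives and dumps are served as static downloads to anyone
            # who learns the name; an unpublished filename is not a control.
            if name.lower().endswith(ARCHIVE_EXTS):
                rel = os.path.normpath(os.path.join(rel_dir, name))
                findings.append(("archive-in-webroot", rel))
    return sorted(findings)

def build_sample(root, with_index):
    """Constructed layout: a site whose backup sits beside its pages."""
    os.makedirs(os.path.join(root, "img"))
    names = ["about.html", "site-backup.zip", os.path.join("img", "index.html")]
    if with_index:
        names.append("index.html")
    for rel in names:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder")

def demo(with_index):
    """Audit the constructed sample with or without its root index page."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, with_index)
        return audit_webroot(root)

if __name__ == "__main__":
    for state in (True, False):
        print("index present:" if state else "index removed:", demo(state))
```

The archive finding appears in both runs: the backup is downloadable by name whether or not the index page exists, and removing the index only makes the name discoverable.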

    5. Re:and the pornography they're accused of sharing by Xest · · Score: 4, Informative

      This is why they're in breach of the data protection act on a massive scale. The hack wasn't the result of the leak of customer data, their incompetence and poor data protection practices were.

      The information commissioner's comments were interesting on the news last night- he said something along the lines of "I don't have the power to shut a company down, but I can issue a fine of up to half a million pounds which can obviously have a devastating effect on a company of this size". His comment seems quite telling as to what he perhaps has in store for this company due to the fact they've breached the DPA on a massive scale.

      What I'm not sure about, is whether private citizens have any legal recourse for compensation also- can the people whose details were leaked now sue the company for this? If they were not the ones who downloaded the materials can they sue under defamation laws or similar? I know if I was on those lists I'd certainly be exploring my options to give them a taste of their own tactics.

      Hopefully this will be devastating for ACS:Law, and it might also be worth noting that under the DPA individual employees can be held criminally responsible for unauthorised release of data too such that for example, the IT guy there who put the personal data on the public web may face a personal fine or prosecution also.

      It's nice that for once, a combination of incompetence and assholery may just be receiving the kind of response it deserves rather than simply being swept under the carpet. Partly because our information commissioner is more keen on punishing private sector breaches like this that fall under his remit than the police or government are over similar matters (e.g. Phorm) that fall under theirs. The only downside to the guy is he still seems to let public sector breaches go largely unpunished - i.e. the infamous HMRC 25 million record breach, although I suspect that's more a case of the government exerting influence on him (i.e. the threat of redundancy).

  2. blackmail by MadUndergrad · · Score: 5, Insightful

    So the blackmailer accidentally exposes the blackmail, and Sky is upset not because they've been working with a blackmailer but because the blackmail got out early. Classy.

    1. Re:blackmail by Moryath · · Score: 4, Funny

      Of course Sky is upset because the blackmail got out - they were KNOWINGLY WORKING WITH THE BLACKMAILERS.

      Whoever greenlit "working with" ACS:Law or anyone else of the sort at Sky ought to immediately be canned, stripped to their underwear, and unceremoniously thrown into the street never to find a job working at any telecommunications or technology firm again. And the people who hired those idiots should get the same treatment.

  3. Should have refused to cooperate from the start. by spikestabber · · Score: 5, Interesting

    Do UK ISPs not have a set of balls to stand up for their customers? They were so against the Digital Economy Act, but when it comes to giving up their customer details to a shady law outfit that wants to extort them, that's apparently just fine.

  4. For those like me who don't know what ACS:Law is.. by JoshuaZ · · Score: 4, Informative

    ACS:Law is a British law firm that has done a lot of IP related stuff although apparently was not at all prominent until their recent forays into dealing with piracy issues. http://en.wikipedia.org/wiki/ACS:Law . They should not be confused with the American Constitution Society, although that organization has the website acslaw.org. ACS:Law's homepage is http://www.acs-law.co.uk/ although amusingly enough it doesn't turn up on the first page of Google hits at all when you Google for "ACS Law."

  5. Re:Hmm... by TheGratefulNet · · Score: 4, Informative

    and for extra points, this horse happens to be named 'streisand'.

    anyone who didn't know these guys were incompetents, knows it now.

    --
    "It is now safe to switch off your computer."
  6. Rudyard Kipling by Bob9113 · · Score: 5, Insightful

    It is wrong to put temptation in the path of any nation,
    For fear they should succumb and go astray;
    So when you are requested to pay up or be molested,
    You will find it better policy to say: --

    "We never pay any-one Dane-geld,
    No matter how trifling the cost;
    For the end of that game is oppression and shame,
    And the nation that plays it is lost!"

    - Kipling

    ISPs, I know you see dollar signs in your eyes when you think of ways to be the gatekeeper, and find colluding with the usurpers profitable. But when you feed them, they grow. Be it government, lobby, or privileged corporation seeking more privilege, they will never stop. If you think you can make them your ally, you are fools. Their hunger cannot be sated. They will eat everyone you feed them, then finding their bellies fat but their plates empty, they will devour you.

    Serve the user. Fight for the right to provide an honest service. There you will find a rare thing these days: A business model which is stable in the long run. The road you are on leads to fleeting riches followed by Herculean efforts just to restore the tenth part of what you are pissing away today.

  7. Re:For those like me who don't know what ACS:Law i by iammani · · Score: 4, Informative

    A small correction. Their homepage is http://www.acs-law.org.uk/ . Anyway they seem to have been slashdotted (and 4channed probably), so it doesn't matter what their website is.

  8. Great PR by Psychor · · Score: 4, Insightful

    It seems Sky are very quick to trumpet in a press release how wonderful they are now that they've decided not to continue handing over thousands of customer details to a company with woefully inadequate security procedures (for now). However personally I'd be more impressed if they'd verified that the details would be handled securely before handing them over and getting them leaked in the first place.

    I guess the main lesson for us Brits here is to make sure all your pornography is hardcore enough that it's illegal in the UK, then you can't be held in breach of copyright for sharing it. You will of course break some other laws, but there isn't much that's legal here these days anyway!

  9. What's the legality of the ISP sharing the info? by fluffy99 · · Score: 4, Interesting

    Just wondering if the customers have any grounds for suing the ISP. Did their contract have terms that even allowed them to share the info with this legal firm? Would inspection of the traffic flows to generate the data provided to the law firm constitute invasion of privacy or illegal wiretapping?

  10. Re:Good tactic by fluffy99 · · Score: 4, Insightful

    This does suggest a way those willing to take direct action could hurt the xxAAs efforts. DDoS attacks are just a nuisance, but theft of sensitive data drives a wedge between the xxAAs and the ISPs they need to co-operate with them.

    It's a fine line though. Some politician could easily spin this so that it appears that evil pirates are hacking into systems and exposing the personal data of innocent folks. Of course more legislation would be needed to go after these evil-doers.

  11. Kipling was indeed a prophet by Kupfernigk · · Score: 4, Interesting
    Given our current financial crisis, I can't help adding a bit more Kipling:

    As I pass through my incarnations in every age and race,
    I make my proper prostrations to the Gods of the Market Place.
    Peering through reverent fingers I watch them flourish and fall,
    And the Gods of the Copybook Headings, I notice, outlast them all.

    The "Gods of the Copybook Headings" are exactly what you are describing.

    Kipling was widely regarded as an Imperialist, but in fact he believed in the fundamental equality of all human beings - the heroes of Kim are, respectively, Irish, Afghan, East Indian and Tibetan Buddhist - the importance of blue-collar workers, and the importance of a stable economy based on mutual trust. It's a pity he has no modern equivalent.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
  12. Re:What's the legality of the ISP sharing the info by arkhan_jg · · Score: 4, Informative

    ACS:Law were using Norwich Pharmacal civil orders against the ISPs; these basically demand information relevant to a future court case from a third party, in this case the ISP. Sky broadband chose not to contest these court orders, and just supinely handed over the data. Nor did they notify their subscribers that such an order was taking place, so they could fight it if they chose.

    In fact, ACS:Law were combining these requests into huge tranches of data - one such recent one was 25,000 BT Broadband IP addresses, expected to ID 15,000 subscribers.

    Virgin and Talk Talk refused to go along with these orders without a fight - potentially forcing ACS:Law to do a Norwich Pharmacal order per individual IP, which would be ruinously expensive - so the leaked emails reveal that ACS:Law specifically did not target them.

    So yes, it's true that Sky Broadband were under court order - but it was one they supinely accepted, with the IP addresses in bulk. Uncontested, the judge has little choice but to rubber-stamp the request from ACS:Law. Sky may not be at fault for the data breach (they hand the data over securely), but they certainly are for co-operating with ACS:Law, a known dodgy legalised extortion outfit, without even bothering to attempt to protect their customers.

    ACS:Law is under investigation by the Solicitors Regulation Authority for the way they go about their 'letters with menaces, demanding £495 or else' campaign; Crossley, their head solicitor, has been investigated twice before.

    --
    Remember kids, it's all fun and games until someone commits wholesale galactic genocide.