ACS:Law: When bad things happen to bad people

For some time now, English law firm ACS:Law has been at the centre of controversy for its use of dubious tactics against copyright infringers. ACS:Law’s cause célèbre is that it became famous when it teamed up with porn producers and started sending cease-and-desist letters to people claiming that they had been sharing adult content, including some German gay porn (why is Germany the home of gay porn, by the way? Inquiring minds demand to know). The business model seemed to be to ask for an out-of-court settlement, failing which the allegations would be taken to court. Most people paid up to make the accusations go away, possibly to avoid embarrassment. However, many of the targets got together and complained to the consumer-rights magazine Which?, which in turn filed a complaint with the Solicitors Regulation Authority (SRA). The complaint was serious enough that it was referred to the Solicitors Disciplinary Tribunal (SDT), which is currently investigating ACS:Law for unethical practices.

Had the situation remained like this, chances are that ACS:Law might have just received a slap on the wrist, or more; the range of sanctions available to the SDT is rather broad. However, hackers tend to favour a more direct approach, and a posse of self-appointed cyber-vigilantes decided that ACS:Law deserved a little bit more than the administrative justice imparted by the SRA and SDT: a group of file-sharers organised by the infamous collective 4chan engaged in a relentless denial-of-service campaign against ACS:Law’s website, as well as posting the phone number and address of ACS’s owner and sole legal practitioner, Andrew Crossley. Still, such attacks are nothing to remark upon, and while illegal, they tend to be common. The end result is usually some minor annoyance for the target, as their site is brought down but eventually recovers; Crossley himself was defiant, dismissing the attack as “typical rubbish from pirates”. However, this attack was remarkable because it prompted a monumental error by ACS’s web team. When the server came back up, it contained an open backup of the entire site, including emails and passwords. Yes, you read correctly: all of Crossley’s classified and personal emails and passwords were made available to the public in an unsecured folder. You really could not make this stuff up.

This being the Internet, the first thing some enterprising souls did was to copy the data and start sharing it online immediately through torrent sites (as of writing, the file is still there, but I will not link to it for reasons that will become obvious). The emails contained some potentially embarrassing details about the practice at ACS:Law, particularly some indication that the firm targeted married men and pensioners with the gay porn allegations, hoping that this would prompt unquestioning payment from the accused. In other words, blackmail and extortion, using copyright as an excuse to obtain easy money from unsuspecting victims.

If this had been the extent of the leak, it would have remained an exercise in schadenfreude. However, the story turned nasty last night, as reports started to emerge that the emails contained substantial personal data about the victims of the ACS:Law letters, including financial details and credit card numbers of those who decided to pay. In other words, this is a trove for cyber-criminals, fraudsters and ID thieves. The amount of personal detail collected was astounding, but perhaps more worryingly, it also included the name of the adult film that the alleged infringer was apparently downloading. This can of course ruin people’s lives, which is why many of them paid up in the first place.

Legally, you could not make this stuff up either. As Lilian Edwards commented last night on Twitter, you would not even be able to dream this up as an exam question. This has everything: cybercrime, hacking, copyright, data protection, professional misconduct, libel, security. You name it, this story has it.

Legally, I believe there are several important questions to ask, and I really have no answers until I have looked into this in more detail:

  • Was ACS:Law collecting this data lawfully?
  • Did they notify the Information Commissioner that they were collecting data in this way?
  • Was ACS:Law in compliance with the security principle in the Data Protection Act?
  • Could those named in the leaked emails sue ACS:Law for some form of negligence?
  • To me it is obvious that the hacking and DoS attacks are clearly criminally liable; will the seriousness of the offence prompt the police to go after the 4chan users located in the UK?
  • Will banks have to return money to the inevitable victims of fraud arising from the leaks?
  • Did the people who leaked the emails realise that they were placing so much personal data online? Do they care?

This is probably one of the biggest cybercrime stories that I can remember, because it affects so many people. One good thing that may come out of this, however, is that other firms will be reluctant to take over where ACS:Law left off.

ETA: 4chan was just one of the communication channels used. The attack was coordinated by Anonymous, the Fuenteovejuna of the Internet.

18 thoughts on “ACS:Law: When bad things happen to bad people”

  1. "To me it is obvious that the hacking and DoS attacks are clearly criminally liable"

    DoS attacks, yes.

    Hacking? There was no hacking. ACS posted the info up for all to access. No hacking involved.

    You should know better.

    • Hmmm… interesting question about cybercrime classification. I tend to class DoS as a form of hacking, as usually the DoS attack involves some form of zombie army or botnet, which are usually applied through hacking, but I take your point.

  2. There is also a question about BT's responsibility (and other ISPs involved).

    They appear to have sent files of acutely sensitive personal information across the web unencrypted.

    BT's Security Director, Bruce Schneier, wrote a book on email security. Apparently BT didn't read it.

  3. Your conclusions are incorrect.

    4Chan is not responsible for this. A group of activists known as 'Anonymous' are responsible for initiating and co-ordinating the DDoS attacks. 4Chan is one of several mediums and outlets by which information is exchanged in order for the participants to exchange information. Many of the people involved at Anonymous have never seen 4Chan and, given its content, never visit.

    ACS:Law did inform the ICO of their actions in data collection and they have a registered data controller. However, they exchanged this information freely with third parties (who did their IP harvesting and data collection) who were not registered under the DPA to process and keep data.

    Whilst DDoS is likely an offence under the revised Computer Misuse Act 1990, it is not an act which is specifically named, and who would you go after? Knowledge of how a DDoS attack via de-centralised botnets works would suggest that this is difficult.

    Whether there is a criminal offence for the DDoS is moot. It was not responsible for the data leak.

    The data leak was caused by incompetence. Whilst trying to bring the site back online after a second attack, it would appear that whoever was doing the job exposed the root directory of the server to the public. These contained unencrypted backups of the mail server (already a breach of the DPA) which contained attachments including xls data of alleged file-sharers supplied by various ISPs conforming to NPOs.

    The 'inevitability' of fraud is likely to be slight. There was no more information in the files than can be had from the phone book. It's the embarrassment caused by being publicly seen to be accused of downloading the very adult material in question, when not one of these people has been asked to face a court proceeding to prove their innocence, which causes the distress.

    There was one instance of a copy of a fax which had the payment details of one individual, containing his full credit card details (including expiry date and security number), where fraud is likely to have occurred due to the nature of some people.

    If you take the time to read the internal mails which have been leaked then many of your questions will be answered. Including the fact that ACS:Law was in breach of various parts of the DPA throughout their whole process and, what's more, they were aware of it and commented about it.

    Please amend your article to tell some truths rather than assumptions.

    • Thanks for the tip about 4chan.

      I'm sorry but I will not download the emails, I will not contribute to the swarm that is sharing sensitive personal details and financial data. I know this is a useless gesture, but I have decided to take an ethical stance here, I think that leaking these emails was wrong. As much as I hate what ACS does, I cannot condone the criminal act of leaking these emails.

      As for DoS, there is no question that it is a criminal offence. I agree that it is difficult to pursue, but I don't believe it's as impossible as is usually assumed; it is all a matter of resources allocated to the task. This story is getting a lot of press, it is possible that political pressure will be exerted to "do something about this".

      • > it is all a matter of resources allocated to the task

        Ah yes, the mating call of the police dept around the world.

        Send us more money and it will all be better.

        I bought a second-hand laptop for under $100 this week from a guy at the bar I was sitting at. (Don't think it was hot… who the hell steals Acer Celeron-based laptops from 2005?)

        I will then proceed to find a free wifi (not in a cafe or library, which might have a security cam); if I can't, it would probably take me a few minutes to hack into a router.

        From there I can either release a virus or use a DoS attack.

        Please tell me now how the hell you plan to find me once the laptop is then rolled over by an 18-wheeler?

        (heck, even this post is sent from a public computer terminal about 50km from home)

        Sure, some idiots will get caught because they're too cocky, but if you want to create havoc, it's not hard to not get caught.

        I know dozens of script kiddies and hackers who have been doing nasty stuff online (not nasty like bombing a country and killing civilians) and most can give you a lesson on what to do. (It's even funnier when you know that two of the hackers actually work for a company that is consulting our local police force on cybercrimes.)

        >You could not make this stuff up.

        Work in IT long enough and you will see that human stupidity is very common.

        Also, you used the same expression twice within a one paragraph span.

        Variety.

  4. You say 'criminal act of leaking mails'

    Are you suggesting that the IT admin responsible for exposing his clients website to the public has committed a criminal offence? Or are you suggesting that people visiting the site at the period when the root was exposed have committed a criminal act by copying data that was made freely available?

    Nothing was stolen. Somebody has been negligent and incompetent, but nothing was hacked and nothing was stolen. Even the act of the DDoS cannot directly cause data to be exposed. It just does not work that way.

    • I am being hyperbolic, must remember that people tend to be quite literal in these matters.

      Strictly speaking, ACS:Law is potentially civilly liable for the gross negligence exhibited.

      The emails were repackaged and published online by someone when the act was discovered, and as far as I can tell, they were not up for long. Here we enter an interesting legal (if not moral) question. Were I to find that a website has a vulnerability, I would not exploit it just because I could. This is the ethical bit, but I agree that I am in the minority on this.

      Now, here is the interesting legal question. We can agree that the website operator was at fault by neglect, but this does not give people permission to copy and distribute the emails. In the act of copying, repackaging and distributing the torrent, I believe there could be a very strong case for civil liability, and maybe even criminal liability as well.

      The fact that the mails were freely accessible for a while is no defence, the same as leaving a car unlocked does not give any passer-by permission to steal the car.

      As for “nothing was stolen”, this is completely untrue. Criminal liability does not only cover physical property. Thousands of credit cards leaked in the interest of some vigilante justice is not a good trade-off in my book.

  5. There are too many law firms in this country abusing their qualifications and status to scare money out of people. Personally I hope ACS are sued out of existence for giving away people's data knowingly. And then locked up for it too. Presumably these people only paid on the condition that the matter be kept confidential too, so they might even have to pay refunds.

  6. This news continues to highlight how organisations are not protecting their own and their customers' information effectively. Whilst Mr Crossley to a certain extent had it coming, the thousands of innocent users, some of whom have already been forced to pay fines, are now further at risk. I have written a blog on the issue here: bit.ly/bzWweH

  7. Who cares if ACS:Law have committed an offence? They don't care before sending demands for payment.

    It would be wonderful for all those who have had their personal details released to take the ACS:Law letter they received, amend it, and send it back in reverse, demanding money or they will go to court.

    If a collective for the victims could only get together to allow that to happen – how ironic!

    Adonis

  8. "…other firms will be reluctant to take over where ACS:Law left off"????

    Unfortunately the BBC are saying London law firm Gallant Macmillan are going to the High Court on 4 October, and will presumably use a Norwich Pharmacal Order (the legal instrument used by ACS:Law to get BT and BSkyB to hand over their customer data) http://www.bbc.co.uk/news/technology-11443861

  9. Fuck ACS. Just heard today that the piece of shit that runs it has run for cover. This was all about making money off soft targets. ACS were scammers themselves and deserve all the shit they get.

    Fuck them. Pleased to see them squirm.
