ACS:Law: This is what regulatory failure looks like

So, the ACS:Law email leak is the gift that keeps on giving, as reports have come out of more unsecured sensitive data included in Andrew Crossley’s emails. While I have expressed that I generally disagree with vigilante justice, for some reason the words chickens, home, and roost keep coming up in my mind. I am both excited and horrified by the amount of information that is now available to the public as a result of ACS:Law’s mind-blowing negligence and incompetence. Obviously I am horrified because thousands of people are having their financial and personal details compromised, particularly by tying their names to porn films and other objectionable content and practices. But at the same time I am quite simply giggling with delight at the irony of it all.

I cannot help but feel sorry for the victims. Besides having drawn the short straw of being targeted by ACS:Law’s extortion racket, and some of them having paid settlement fees out of fear and/or guilt, they now have their financial details available for everyone to download, and not only that, they also have their names tainted in this manner. However, I am also angry. Yes, dear readers, I do have the capacity for anger from time to time, and this case has put me in a state of righteous regulatory rage. You see, this was not supposed to happen: we have legislation that deals specifically with the type of sensitive data held by the Internet service providers, data that they willingly provided to ACS:Law in an unsecured manner. Let us simply go back to the good old Data Protection Act, which states in Principle 7:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Furthermore, the Act specifies that the level of security must be proportional to the potential damage if the data is lost. The DPA states:

“Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.”

So, the more harm that would come from unlawful processing, the more security there should be. ACS:Law and the ISPs are therefore in blatant breach of the Seventh Principle. This is unforgivable, and the Information Commissioner should make a stand and send a clear message to other data processors. Otherwise the DPA is just reduced to a bunch of fancy words on paper.

Perhaps something positive might come out of the whole fiasco: maybe Data Protection law will finally be taken seriously. Furthermore, there is another potential silver lining in this very dark cloud, and this is that hopefully the bad publicity that ACS:Law is getting will help to reinforce just how unreliable IP address evidence can be. While the operational details of the Digital Economy Act are still under consideration by OFCOM, this would be a perfect time to continue to stress the point that all forms of digital evidence about infringement should meet the highest standards of security and reliability.

Imagine how ironic it would be if in the future we had to thank ACS:Law for better Internet regulation.