ACS:Law: When bad things happen to bad people

For some time now English law firm ACS:Law has been in the middle of controversy for its use of dubious tactics against copyright infringers. ACS:Law’s cause célèbre is that they became famous when they teamed-up with porn producers and then they started sending cease-and-desist letters to people claiming that they had been sharing adult content, including some German gay porn (why is Germany the home of gay porn by the way? Inquiring minds demand to know). The business model seemed to be to ask for off-court settlement, or the allegations would be taken to court. Most people paid off to have the accusations go away, possibly to avoid embarrassment. However, many of the targets got together and complained to consumer-rights magazine Which? who in turn filed a complaint to the Solicitors Regulatory Authority (SRA). The complaint was serious enough that it got referred to the Solicitors Disciplinary Tribunal (SDT), who are currently investigating ACS:Law for unethical practices.

Had the situation remained like this, chances are that ACS:Law might have just received a slap on the wrist or more, the range of sanctions of the SDT is rather broad. However, hackers tend to favour a more direct approach, and a posse of self-appointed cyber-vigilantes decided that ACS:Law deserved a little bit more than the administrative justice imparted by the SRA and SDT, a group of file-sharers organised by the infamous collective 4chan engaged in a relentless denial-of-service campaign against ACS:Law’s website, as well as posting the phone number and address of ACS’s owner and sole legal practitioner, Andrew Crossley. Still, such types of attacks are nothing to remark upon, and while illegal, they tend to be common. The end result tends to be some minor annoyance for the target, as their site is brought down, but eventually recovers; Crossley himself was defiant when he said that this was “typical rubbish from pirates”. However, this attack was remarkable because it prompted a monumental error by ACS’s web team. When the server came back up, it contained an open backup of the entire site, including emails and passwords. Yes, you read correctly, all of Crossley’s classified and personal emails and passwords were made available to the public in an unsecured folder. You really could not make this stuff up.

This being the Internet, the first thing some enterprising souls did was to copy the data and to start sharing it online immediately through torrent sites (as of writing, the file is still there, but I will not link to it for reasons that will become obvious). The emails contained some potentially embarrassing details about the practice at ACS:Law, particularly some indication that the firm targeted married men and pensioners with the gay porn allegations, hoping that it would prompt unquestioning payment from the accused. In other words, blackmail and extortion, using copyright as an excuse to obtain easy money from unsuspecting victims.

If this was the extent of the leaks, then it would have remained as an exercise in shadendreude. However, the story turned nasty last night, as reports started to emerge that the emails contained substantial personal data about the victims of the ACS:Law letters, including financial details and credit card numbers of those who decided to pay. In other words, this is a trove for cyber-criminals, fraudsters and ID thieves. The amount of personal details collected was astounding, but perhaps more worryingly, it also included the name of the adult film that the alleged infringer was apparently downloading. This can of course ruin people’s lives, which is why many of them paid up in the first place.

Legally, you could not make this stuff up, as Lilian Edwards commented last night on Twitter, you would not even be able to dream this up as an exam question. This has everything, cybercrime, hacking, copyright, data protection, professional misconduct, libel, security. You name it, this story has it.

Legally, I believe there are several important questions to ask, and I really have no answer until I have looked into this in more detail:

  • Was ACS:Law collecting this data lawfully?
  • Did they notify the Information Commissioner that they were collecting data in this way?
  • Was ACS:Law in compliance of the security principle in the Data Protection Act?
  • Could those named in the leaked emails sue ACS:Law for some form of negligence?
  • To me it is obvious that the hacking and DoS attacks are clearly criminally liable, will the seriousness of the offence prompt the police to go after the 4chan users located in the UK?
  • Will banks have to return money to the inevitable victims of fraud arising from the leaks?
  • Did the people who leaked the emails realise that they were placing so much personal data online? Do they care?

This is probably one of the biggest cybercrime stories that I can remember because it covers so many people. One good thing that may come out of this however is that other firms will be reluctant to take over where ACS:Law left off.

ETA: 4chan was just one of the communication channels used. The attack was coordinated by Anonymous, the Fuenteovejuna of the Internet.