BT and Sky ISPs drawn into ACS:Law data breach

Leading internet service providers BT and Sky have been drawn into the storm surrounding a data breach at ACS:Law, a law firm that sent dunning letters to thousands of alleged illegal file-sharers.

ACS:Law faces legal action and a potential £500,000 fine after the personal details of people it accused of downloading files illegally appeared on the Pirate Bay file sharing site. But the details were supplied by Sky and BT, who asked the law firm to keep them confidential.

According to reports, at least 8,000 Sky, 500 BT customers and another 5,000 Britons were exposed by the Pirate Bay files.

According to Privacy International, the personal details were exposed when ACS:Law rebooted its website following a distributed denial of service attack by 4Chan, a file-sharing collective.

ACS:Law had sent dunning letters to thousands of people it identified after it found IP addresses linked to them were used to download files. Some of the files contained pornographic material, others music.

The letters threatened to take the recipient to court unless they paid ACS:Law £500 in settlement of their alleged copyright abuse. According to reports, ACS:Law received more than £600,000 from this activity.

Once it had the IP address, ACS:Law approached internet service providers such as Sky and BT. The ISPs then provided the personal details of the account holders associated with the IP address at the time of the alleged infringement.

BT said it sent the data only because it was required to do so by a court order. But it admitted in a blog post that the data was not encrypted, even though it was e-mailed. Sky did not respond.

Sky and BT were both signatories to the ISPs' memorandum of understanding (MoU) on fighting illegal file sharing. ACS:Law appears to have targeted clients of the MoU signatories.

The MoU emerged from the debate on ISPs' responsibilities prior to the passing of the Digital Economy Act in April. Others who signed up were Virgin Media, Orange, Tiscali, and Carphone Warehouse. Tiscali and Carphone Warehouse subsequently merged their ISP operations into TalkTalk. Together the signatories held more than 90% of the UK's internet accounts.

In a blog post, TalkTalk strategy director Andrew Heaney said TalkTalk had never given any customer details to ACS:Law or any other law firm that took ACS:Law's line.

"It's a stark reminder of the dangers of giving out customer details to third parties in trying to combat file-sharing," he said. "We have consistently argued for better ways of combating copyright theft. Handing over customer details to law firms to seek 'compensation', based on accusations from rightsholders, is not the answer."

A Virgin Media spokesperson said the company scrutinised any legal demand for the disclosure of personal data very carefully.

"To protect our customers we can and do oppose applications for disclosure. As such, we have not and do not intend to support requests from ACS:Law," a VM spokesman said.

He said the company would comply with court orders, but it would supply personal data only in an encrypted form as part of the company's standard data handling policy.

He said Virgin Media was committed to tackling online illegal activity but believed consumer education and legitimate services were the best way to fight illegal file-sharing.

Privacy watchdog Information Commissioner's Office, which could levy a £500,000 fine, is beginning an investigation, while privacy activist Privacy International said it intends to sue the firm for the data breach, and invited anyone affected to contact it.

TalkTalk, which has four million customers, and BT have asked for a judicial review of the part of the Digital Economy Act that deals with online file sharing and copyright.

They believe the controversial act, passed in the wash-up before parliament closed for the general election in May, is deeply flawed with respect to fighting online piracy.

4Chan, an internet imageboard that is home to a number of internet activists, said it was acting in response to efforts to crack down on file-sharing. The attacks were aimed at the bodies and agents that represent mainstream music, film and video rights holders such as the MPAA, RIAA and BPI.

These are also the trade bodies that have lobbied strongly to criminalise copyright theft and cut off file sharers through international treaties such as the Anti-counterfeiting Trade Agreement (Acta) and national legislation (the UK's Digital Economy bill and France's Hadopi law).

Some who received the letters complained to Which?, the consumer rights group, which castigated ACS:Law's approach. The Solicitors Regulatory Authority referred ACS:Law director Andrew Crossley to the Solicitors Disciplinary Trust following a Which? complaint over his tactics.

Britons download 500m music files 
 The BPI, which represents British music rights holders, said the number of downloads bought in the UK passed 500 million in August.
 The landmark download was bought after steady growth of legitimate music downloading in early 2004, the Official Chart Company (OCC) said.
 Total legal downloads amounted to eight tracks per person, or two albums for every UK household, or 42,000 60Gb MP3 players, it said.
 The OCC said UK music lovers had already bought more than 100 million downloads this year. "If sales continue to grow at the current rate, the number of downloads for the full year should reach 170 million," it said.
 The downloads had pushed sales of singles to record highs. Before the digital download, the industry had never sold more than 90 million singles in 12 months, it said.