File-Share Law Firm Exposes Personal Data

ACS:Law, known for its email campaigns against file-sharers, has inadvertently published an archive of personal data

UK law firm ACS:Law, known for its letter-writing campaigns to individuals suspected of illegal file sharing, has been hit by a distributed denial-of-service (DDoS) attack that left an archive of the firm’s website, including a large number of private email communications, exposed to the public.

Last week the firm’s website was taken offline by a DDoS attack, which hacker group 4chan has admitted to carrying out. When the site came back online on Friday evening, a 350 MB backup version was found to be available on the site’s front page, according to reports. Over the weekend the archive was widely distributed via websites and torrent-download sites, reports said.

Personal emails

The archive included company emails, amongst which were personal and business emails sent by Andrew Crossley, the firm’s main partner, and its only registered solicitor, as well as financial information regarding the company, according to reports. One email contained the personal information of about 10,000 suspected file-sharers, including their names, addresses, postcodes and IP addresses, according to reports.

Privacy activist group Privacy International (PI) said on Monday it plans to file a lawsuit against ACS:Law for having exposed such personal details to the public.

“This firm collected this information by spying on Internet users, and now it has placed thousands of innocent people at risk,” said PI advisor Alexander Hanff in a statement.

PI said ACS:Law had breached the Data Protection Act by allowing an archive containing personal data to be stored on a public-facing web server. The organisation said it is preparing a complaint to be filed with the Information Commissioner’s Office (ICO).

Crossley has twice been found guilty of conduct unbefitting a solicitor by the Solicitors Regulation Authority (SRA). In August the SRA confirmed Crossley had been summoned to his third disciplinary tribunal, in response to a complaint filed by the consumer magazine Which? over the letter-writing campaigns.

New code of practice

DigiProtect, a German law firm that works with ACS:Law in the UK, in April defended the use of letter-writing campaigns.

In May the regulator Ofcom published a draft of its code of practice for tackling copyright infringement over the Internet, including a ‘three strikes’ rule, which could see persistent infringers being taken to court for illegal file-sharing. Ofcom said the code should come into force in early 2011.

Under the code, which puts into practice the terms of the Digital Economy Act, the IP address of anyone caught committing online copyright infringement three times will be added to a ‘blacklist’ held by their Internet service provider. Copyright holders, including music firms and film studios, will then be able to access the list and issue a court order to begin further legal action.

The European Comission has argued that, although it is illegal, file-sharing is the only way for some European users to download content, due to the lack of a unified European digital marketplace.