, , , , , , , , , , , , , , , , , , , ,

While the Digital Economy Bill was being ‘debated’ some months ago, many of us were pointing out it could create a new market for dodgy lawyers and solicitors extorting money, and hat many innocent people would be affected. We were right.

A solicitors’ firm called ACS:Law has been sending out at least 25,000 letters accusing the recipients of illegally downloading and sharing copyrighted material, and demanding payments of between £500 and £700. Except many of those accused by ACS:Law turned out to be innocent and hadn’t even downloaded the files. It gets worse, as ACS:Law have been targetting pensioners, and also blackmailing many others into paying by accusing them of sharing pornography. Many pensioners were accused of this very thing last year.
This has been going on since early 2007, and it’s only after hackers organised a DDoS attack on the company’s web site that this, and other crimes, have been exposed.

So far the scheme is a money-making one – ACS Law and the data monitoring companies get 90% of the profit between them, and in most cases the only costs involved was posting the letters. People have been prosecuted, fined and even jailed for running schemes like this, and I don’t see why ACS:Law should be an exception just because it describes itself as a law firm.

Two data monitoring companies are used by ACS:Law to gather IP addresses from the known P2P networks. One of these is Logistep, a company banned from operating in Germany, Switzerland and Italy because of privacy issues. For Logistep to know what users are sharing on the networks, it would have to use deep packet inspection, which is basically the same as tapping a random phone line to see whether someone’s breaking the law.
With the IP addresses obtained from the P2P networks, ACS:Law gets a court order to demand the subscriber information from the ISPs. The problem with this is that IP addresses only reveal the network routers, which could be for a home or a larger network with many users. This is nowhere near enough evidence to incriminate an indivdual in court. ISPs themselves also admit the evidence is unreliable and often identify the wrong subscribers. This is how so many innocent people were being threatened by ACS:Law.

Eventually a large number of hackers decided on their own form of justice with a bit of collective action. The same group behind the DDoS attacks on RIAA and AiPlex Software the other week took down ACS:Law’s site as part of the ongoing Operation Payback. Andrew Crossley, who owns ACS:Law, was subjected to a bit of harassment over 24 hours. Just over a week ago, the email archive and web site database of the firm was leaked and distributed, and ACS:Law could be facing a £500,000 fine for violating the Data Protection Act.
A bit of analysis by hackers posting at TorrentFreak seems to confirm the sysadmin was unbelievably incompetent, and attempted to get the site back online by replacing all the files on the web server (don’t ask), inadvertantly placing the email archive and database in the /httpd directory so the whole archive was displayed as ACS:Law’s home page. It’s now being distributed on quite a few P2P networks.

The leaked information includes the majority of the firm’s correspondence, credit card and billing details of its victims, and arrangements between ACS:Law and its clients, as well as details of 8,000 Sky broadband, 400 Plusnet and 5,000 other customers of various ISPs.
Later it was revealed BT had emailed an unencrypted spreadsheet with details of 500 of its customers to ACS:Law following a court order. The good news is this may have put a dent in the Digital Economy Act, as all the main ISPs are now refusing to share customer information unless copyright infringement claims are backed up with solid evidence.

As I post this, Privacy International and the Open Rights Group are preparng legal action against ACS:Law, as are a number of people who were accused by the firm. Those accused of downloading and sharing porn, and subsequently had their details circulated because of the leaked emails, should also be suing for defamation.