The ACS Law leak shows that the Digital Economy Act carries huge privacy risks

Unwarranted private surveillance, plus incompetence, have led to a huge leak of sensitive personal data from ACS:Law.

Information about individual alleged infringers appears to have been contained within the emails leaked at the weekend.

While reports have concentrated on the “attack” by 4Chan users that brought their web server down, the more important questions are:

(a) Why did ACS:Law host email files and sensitive information in a place that could easily be exposed to the public?

(b) Is it legal and permissible to collect and process such information from torrents without permission or knowledge? As we have reported, the EU Data protection authorities think the answer is probably ‘no’. Now the world can see why.

At the end of the day, there is only one organisation to blame for this leak: ACS:Law, who have clearly treated people’s data with far less care than they should have done.

As a controversial company, there was every chance their servers might be attacked, but absolutely no reason why their web server should also be hosting email data from within their web space.

Worse to come: ACS:Law is ready to use the Digital Economy Act

Just as worrying is the revelation that ACS:Law are considering using the Digital Economy Act’s processes in the future. There would be little to stop them: they would self-certify that their processes are correct, and simply submit their data to ISPs. Their lawyer says of their new collection processes:

I have made sure that the requirements satisfy the requirements set out in OFCOM’s draft code of conduct

What is more, assurances from the BPI that their collection methods are substantially different from ACS:Law’s may not be correct. The emails show that ACS:Law collect information from “active sharers”, which is the same approach as the BPI say they take.

Which leaves the question: what is the difference between ACS:Law’s and the BPI’s collection methods? And will Ofcom let us see, or will they allow claims of “commercial confidentiality” to keep parts of the processes closed from view?