BT, the UK's largest broadband provider, sent details about its customers to ACS:Law, the firm of London solicitors at the centre of a huge data privacy row, in a form that could be read by anyone – and which have now spilt onto the web.
"BT can confirm that it did send unencrypted data to ACS:Law," a BT spokeswoman told the Guardian. "However, this was not the cause of the leak. At a later date, due to a cyber-attack on the systems of the law firm, data that it held was leaked.
"At this time we do not believe any of BT's customers' details have been compromised, although we are continuing to pressure ACS Law for confirmation of this. We were obliged to comply with court orders to provide information to ACS Law, as was any other ISP, where they were served with such orders.
"Due to serious concerns about the integrity of the process that is being used by rights holders, we will resist efforts to share more customer details with rights holders and those acting on their behalf until we can be sure that alleged copyright infringements have some basis and customers are treated fairly."
The case has brought rows over the standards of evidence required under the Digital Economy Act – under which persistent file-sharers could face restrictions on their internet connection – into sharp focus.
ACS:Law's evidence would be sufficient under the new regime being brought in by the act to count as a first strike – which would involve a warning letter from the customer's ISP. But pressure groups opposed to the DEA say that the quality of evidence acceptable under the act for such measures falls far below that which would be needed to prove a case in court.
Privacy International is seeking legal advice about the possibility of bringing charges against BT for contempt of court. Hanff said the breach by BT appeared to contravene the Norwich Pharmacal order, which requires data to be sent as encrypted Microsoft Excel files.
ACS:Law already faces the prospect of a fine of up to £500,000 if the Information Commissioner determines that it was responsible for the data leak. The Information Commissioner has said he will include BT's handling of data – which may leave the company in breach of the Data Protection Act and a high court order – in his investigation into how the information was made publicly available.
The personal details of more than 8,000 Sky broadband customers, 400 Plusnet customers and 5,000 other Britons accused of illicit filesharing were exposed on the website of ACS:Law, a legal firm which has been targeted by online attacks from a number of online forums due to its involvement in moves against people alleged to have shared copyrighted content.
ACS:Law would typically write to customers whose details it had obtained and demand payments of between £500 and £700 for the alleged breaches of copyright. Although some people did pay the demands, many others ignored them. Few of the cases are understood to have reached court.
Andrew Heaney, executive director of strategy and regulation at Talk Talk, said: "It's a stark reminder of the dangers of giving out customer details to third parties in trying to combat file sharing. While we do not condone illegal file sharing, we have consistently argued for better ways of combating copyright theft. Handing over customer details to law firms to seek 'compensation', based on accusations from rights holders, is not the answer."
The Guardian understands that ISPs charge ACS:Law around £65 for an individual customer's information. Some broadband providers charge by the hour to supply customer data – some thought to be charging up to £500 per hour – while others fix prices on a per-customer basis.
So what do ACS:Law get out of the deal?
The anti-piracy law firm ACS:Law accidentally published its entire email archive online, effectively revealing how the company managed to extract over a million dollars (£636,758.22) from alleged file-sharers since its operation started. On average, 30% of the victims who were targeted paid up, and this money was divided between the law firm, the copyright holder and the monitoring company.
Right before the weekend the notorious ACS:Law managed to expose backups of its entire website and email database to the outside world. Hundreds of people have meanwhile started to dissect the contents of the mails, and are sharing their findings in forums and in comments posted online.
The emails also shed a whole new light on the effectiveness of the letters of claim that are being sent out to thousands of BitTorrent users and how the recouped money was divided.
Over the last two years 11,367 letters have been sent out. In 40% of the cases the respondents never replied, and another 30% disputed their claim. This means that on average 30% of the accused file-sharers chose to settle by paying between £350 and £700 per infringement allegation.
The recouped money is generally divided between three parties: the law firm, the copyright holder and the monitoring company that provided IP addresses of alleged infringers.
Documents in the leak also show ACS:Law admitting that they asked for a settlement of £495 in order to break the psychological £500 barrier to maximize revenues.