
Wednesday, 29 September 2010

ACS:Law part one - the human cost

[part two] [part three]

When I phoned Alexander Hanff of Privacy International yesterday to talk about the massive leak of sensitive personal data from ACS:Law I didn't expect him to literally write part one of this three-part series.

But he did, in one quote:

"This data loss is significant because of the human angle. Besides being the first time I can remember where leaked personal data from the UK has been made so readily available on the internet we must also consider the nature of the data leaked."

"Credit card details are one thing - and there are procedures for limiting financial loss - but some of the strongest human emotions are driven by sexuality and attitudes to porn."

"Marriages can be wrecked through – sometimes wrongful – suggestions that a partner may have viewed pornography. Beyond the potential for criminals to blackmail workers in sensitive posts is also the human anxiety over being accepted for their sexual orientation in what is still a very judgemental society."

It's probably the largest and most significant personal data leak in UK history. Whilst other leaks have potentially affected far more - on paper at least - most reported data losses are just that: the data has been lost and never found, or lost, handed to a journalist and returned to the owner.

When I started talking about the significance of this leak and its potential for becoming a watershed event a friend was sceptical:
"If the scandal of 25 million records leaking from HMRC failed to change people's attitudes to private information and data protection I doubt this will."
Yet few (if any) leaks result in lists of thousands of names and addresses being readily available on the internet alongside sensitive information, financial details or embarrassing titles of explicit pornographic movies someone using their internet connection is alleged to have downloaded.

Andrew Sharpe, a solicitor at law firm Charles Russell with extensive experience in data protection issues, told me:

"Whilst we've advised clients in the past on dealing with the aftermath of a data loss I can't recall any loss which has actually resulted in personally identifiable information being published online or used in any way. Most loss events I'm aware of are in relation to improper disposal, loss or theft of laptops or similar and the data never actually surfaces."

Beyond the nuts and bolts of data protection for firms handling sensitive data, and the rights and wrongs of chasing those alleged to have infringed another's copyright with an "opportunity" to avoid a court case (one in which your name would be linked to the downloading of a pornographic movie whose title leaves little to the imagination), are two moral questions I'll be exploring in the next two parts of this series.

The Private Data Police

Should society accept a growing "private police force" tasked with policing content on the internet, especially when this force - a combination of ISPs, solicitors and internet firms specialising in "infringement detection" - compile lists and databases of those accused as an unavoidable aspect of their "police" role?

The opportunity for such roles is likely to increase, not decrease, when the provisions of the Digital Economy Act come into force. How will the private police be regulated to ensure there are strict controls over access to sensitive databases of personal information, and how can we ensure that justice ultimately is left to the court system and not a tariff of unofficial fines governed by market forces?

The Cyber-mob

Do the darker - many would say criminal - elements of the internet assist or harm wider efforts to force private companies to respect sensitive personal data? I'm convinced that without a concerted distributed denial of service attack on ACS:Law's website the data leak would probably not have occurred.*

However, the subsequent wide distribution of the personal data - with several websites now offering easy-to-read versions that clearly show names and addresses alongside the often explicit title of the movie each person is alleged to have downloaded - only adds to the distress of these individuals.

Yet some have suggested the wider distribution lifts the data out of the hands of the so-called "black hat" cyber criminals skilled in finding and manipulating such data and into the mainstream. Will this reduce or increase the prospect of some individuals being the subject of further crimes such as blackmail?

Would a strict data breach notification law whereby companies are legally obliged to notify all those affected by a data breach prevent those posting personal data in the belief that in increasing publicity they're doing good?


* It's my opinion that the email leak was possibly the direct result of an attempt to re-start limited communication services during a DDoS attack on ACS:Law's website by their systems administrator(s) or web host. Since it's now apparent that email services were provided on the same server as that used for ACS:Law's public website, one can understand that the company may have been in a hurry to re-establish some services.

As part of the process it appears as though a backup containing users' internal email storage was exposed for a brief window.

This view is personal opinion only based on the information available in the public domain.
