News Porn email leak

[rynnor]

ACS law will be in such shit for apparently storing thousands of suspected filesharers details on Gmail...

ACS:Law facing legal action over data breach - Personal Computer World

Edit - the gmail account was hacked and the resulting data is on Piratebay.

Putting this stuff on gmail is clearly a breach of data protection - shame the watchdog is so crap.

 

[ECA]

How is it being on a gmail account a violation of data protection?

I quite like his emails to his ex-wife however.

You are fucking joke. Happy? You? With Kevin the drug addled hermit who has nothing to do with you or his family. You are the saddest person I have ever met.

Now get the fuck away from me forever you complete washed up drug addict loser.

Your email has been marked as blocked sender. No further emails from you will be received by me. Do not ever attempt any form of contact with me again as long as you live.


Fuck off and keep out of my life.

Andrew your ex husband of 14 years.

What a charming gentleman.

 

[old.user4556]

Thing is, women are always moaning about mixed signals and aloof men. I'd say you know where you are with this man.

 

[rynnor]

How is it being on a gmail account a violation of data protection?

Its meant to stay on their system and they are meant to ensure its secure - shoving it on your webmail is in the same league as taking it home on an unsecured usb drive.

 

[ECA]

So businesses can't use cloud services?

What's the difference between a pop3 account and gmail? Both can be accessed w/ very simple login details.

 

[rynnor]

So businesses can't use cloud services?

What's the difference between a pop3 account and gmail? Both can be accessed w/ very simple login details.

They can use em but in this case thousands of peoples details are on a gmail drive - will be interesting to see if any of the people who have their identities stolen etc. try to sue ACS law?

 

[inactionman]

The issue here is that gmails servers are in the US, and you aren't allowed to export personal data outside of the EEA (or to an area without equivilent legal protection), and you certainly can't do it without notifying the Information Commissioner!

So yeah, cloud services and personal data are a big no no under EU (and anywhere else with decent data protection standards) law.

What an idiot the guy is, he's an evil fucker basically practising barratry!

 

[DaGaffer]

The issue here is that gmails servers are in the US, and you aren't allowed to export personal data outside of the EEA (or to an area without equivilent legal protection), and you certainly can't do it without notifying the Information Commissioner!

So yeah, cloud services and personal data are a big no no under EU (and anywhere else with decent data protection standards) law.

What an idiot the guy is, he's an evil fucker basically practising barratry!

Not quite. If Google are signed up to the Safe Harbor agreement, you can move data there. You are supposed to inform users of this possibility in your Ts&Cs though, and I've no idea whether ACS have done that or not. Not, I'm thinking.

 

[MYstIC G]

I quite like his emails to his ex-wife however.

You got a link for that?

 

[Scouse]

Not quite. If Google are signed up to the Safe Harbor agreement, you can move data there. You are supposed to inform users of this possibility in your Ts&Cs though, and I've no idea whether ACS have done that or not. Not, I'm thinking.

Well, considering these "users" had no idea that they were users and that their personal data (which apparently includes credit card data - I'm downloading it now so I can *cough* buy loads of goods for myself *cough* check on this fact) then it'd be a pretty big ask for them to sign up to T's&C's

It's hard to sign up to the smallprint of a secretive stalker you've never met!


Anyway, the ICO's on about fining them half a million quid.

So that works out about a grand for each user, right? Pretty cheap if you ask me. Makes me want to steal credit cards if the punishments are that light...

 

[Scouse]

Another 8000 people, including the amounts they've paid up and case notes

 

[Shagrat]

I hope that they get dumped on from a great height over this. Sky provided this information to them in an encrypted format so why it wasnt kept that way is just.........


Everyone who's details were leaked should send ACS:Law a letter demanding £500 for data protection infringements...

 

[Jeros]

ACS:Law - Wikipedia, the free encyclopedia

Even some people in the music industry dislike them

 

[Scouse]

Sky provided this information to them

This is the real story IMO.

People should start bombarding their ISP's with angry letters demanding to know why Sky are providing information to sweatshops without so much as a legal fight.

The legal process is a rubber-stamping exercise in this instance. Sky have a duty to make sure any data they hand over for processing is going to be secure - and a duty to not hand over the data if they can't fulfill their first duty.

 

[Krazeh]

Frankly it's not Sky's, or any other ISP's, job to mount a legal challenge against a court order they've recieved. It was upto the Court to decide whether or not to grant the order, the ISPs are just complying with the order as required by law.

 

[Scouse]

That's what they hide behind - but companies have to comply with the "spirit" of the data protection act as well as the legal technicalities.

It's their duty to check that the people they're handing data to are actually set up to correctly handle that data. If they're not then they have to fight the incorrect legal decision.

If the courts told them to stick their faces in the fire, should they?

 

[Krazeh]

That's what they hide behind - but companies have to comply with the "spirit" of the data protection act as well as the legal technicalities.

It's their duty to check that the people they're handing data to are actually set up to correctly handle that data. If they're not then they have to fight the incorrect legal decision.

If the courts told them to stick their faces in the fire, should they?

It isn't their duty to do anything of the sort. They have to ensure that while the data is in their control they keep it secure but they're under no responsibility to vet any organisation they're legally required to hand the data to. As soon as that transfer is made the responsibility lies with, in this case, ACS:Law and they then hold the duty to keep the data secure, not the ISP.

 

[Ch3tan]

You seem to be inventing new obligations for companies scouse.

Sky are hardly the bad guy here, the ISP's don't like this (well except for Virgin, who bend over backwards for the movie and music industries), and the appeals against the digital economy bill show this.

 

[Chilly]

I dont think a court can force you to break the law, unless in the same breath it also rules that law broken/illegal/whatever.

EG - just because a court tells you to send your data to lolbanana@gmail.com doesnt mean you are legally allowed to do so. you might be, but you need to check.

 

[Scouse]

EG - just because a court tells you to send your data to lolbanana@gmail.com doesnt mean you are legally allowed to do so. you might be, but you need to check.

 

[Krazeh]

I dont think a court can force you to break the law, unless in the same breath it also rules that law broken/illegal/whatever.

EG - just because a court tells you to send your data to lolbanana@gmail.com doesnt mean you are legally allowed to do so. you might be, but you need to check.

Except that's not the situation here. The court has told ISPs to transfer details about certain customers to ACS:Law. The ISPs are responsible for ensuring that the data is kept secure while it is with them and during the transfer to ACS:Law; after that point however they have no responsibility for it's security which now rests entirely with ACS:Law. It's simply not down to the ISPs to 'check' or 'verify' the security at ACS:Law, they're under a legal obligation to provide them with data. What ACS:Law does with it afterwards is none of their business.

 

[Scouse]

:idisagree:

 

[Krazeh]

:idisagree:

Well that's your choice, but it's not gonna change the fact that you're making up obligations which don't exist.

Altho i'd be curious to know what part(s) of the DPA you think place an obligation upon the ISPs to audit ACS:Law, or any other organisation, before transferring data to them as required by a court order.

 

[Scouse]

I'm not an expert on the DPA, but you're still not addressing the question of lolbanana@gmail.com.

If there's no requirement to check that you're not handing reams of personal info into the hands of credit card theives/paedo rapists etc, then it's a pretty big fucking hole in the act, eh?

 

[Krazeh]

I'm not an expert on the DPA, but you're still not addressing the question of lolbanana@gmail.com.

If there's no requirement to check that you're not handing reams of personal info into the hands of credit card theives/paedo rapists etc, then it's a pretty big fucking hole in the act, eh?

Not really, it's the court's job to decide whether or not an order should be made. If the court's satisfied that whoever has made the application should be given the data they've asked for then why should you, as an organisation, question that? It's not the responsibility of organisations to second guess the courts in these situations. Perhaps you could show me where a court has ordered disclosure of information to credit card theives/paedo rapists tho?

If, on the other hand, someone had come to you directly asking for data then of course it'd be prudent to undertake some checks to satisfy yourself of the identity of the requester and the basis on which they were asking you to disclose the data. That isn't however to say that you'd have to verify how they intend to hold the data after you've given it to them, you would only need to be able to defend your justifications for the disclosure. What happened to the data afterwards is the responsibility of the organisation you passed the data to.

 

[Scouse]

Fair enough. My position is reversed.

 

[Rulke]

Fair enough. My position is reversed.

I don't think i've ever seen a post like this on an internet forum before

 

[Scouse]

It's not often I'm wrong

 

[Scouse]

Turns out it was the ISP's fault after all



To be fair, it just goes to show what a joke the DPA really is.

 

[Krazeh]

Turns out it was the ISP's fault after all



To be fair, it just goes to show what a joke the DPA really is.

The whole thing about ISPs not encrypting the data is such a non-story. Their failure to encrypt the files didn't lead to any loss of data while they were in control of it so at worst they'll get told to make sure in future they ensure data is encrypted/password protected before it's emailed. They hold absolutely no responsibility/liability for what ACS:Law got up to with it or for the subsequent leak by ACS:Law.