News Porn email leak

Zenith.UK

Part of the furniture
Joined
Dec 20, 2008
Messages
2,913
That was only for 500 or so PlusNet customers.
Sky have also gone on to say that they won't be "cooperating" with ACS any more since 8000 of its customers had their information publicised.

At the end of the day, ISPs now have a legal reason to not obey a court order.
 

Scouse

Giant Thundercunt
FH Subscriber
Joined
Dec 22, 2003
Messages
36,078
The whole thing about ISPs not encrypting the data is such a non-story. Their failure to encrypt the files didn't lead to any loss of data

This I disagree very strongly with.

If the files were encrypted, as they should have been according to the DPA, then those particular customers would have been protected despite the hack.

BT is clearly in breach of the DPA there.


As for your faith that this is a one off and that the DPA will be adhered to in the future - it's a fool's faith IMO. I've worked in organisations such as these for years and corporate governance is a joke.
 

Krazeh

Part of the furniture
Joined
Dec 30, 2003
Messages
950
This I disagree very strongly with.

If the files were encrypted, as they should have been according to the DPA, then those particular customers would have been protected despite the hack.

BT is clearly in breach of the DPA there.

Yes, they're in breach of the DPA for not encrypting the data during transmission but that's as far as their responsibility goes. And seeing that the data was not leaked or lost during transmission then the result of their actions, in terms of their DPA responsibilities, is minor. Once the data is out of BT's controls, i.e. in ACS:Law's hands, then they no longer have any DPA responsibilities for it and can't be held liable for anything that may occur to that data. It was only ACS:Law's responsibility to ensure that the data, once received, was kept in a secure manner. The fact of the matter is that the manner in which BT, or any other ISP, transferred data to ACS:Law is a completely separate issue to that of the leak.

As for your faith that this is a one off and that the DPA will be adhered to in the future - it's a fool's faith IMO. I've worked in organisations such as these for years and corporate governance is a joke.

Where did I say I had any such faith? I'm well aware of what corporate governance in organisations like BT is like but knowing and proving are two very different things. Which is why if the ICO look at it they'll get told that BT have robust procedures which they'll be able to provide documentary evidence of and that this was an unfortunate incident which they've used to review and enhance their procedures. The ICO will then do nothing but remind them of their obligations under the DPA and take no further action because there'll be nothing else they can do, especially as BT's failings didn't cause any data loss during their time as data controller.
 

Scouse

Giant Thundercunt
FH Subscriber
Joined
Dec 22, 2003
Messages
36,078
As Zenith already pointed out, that is just the 500 BT customers, the bulk were from Sky and that data was encrypted, as was previously reported. So report it correctly.


Jeesus. I know that the written word ain't always the best medium for lighthearted banter, but don't winking smileys count for anything nowadays? :(
 

old.Tohtori

FH is my second home
Joined
Jan 23, 2004
Messages
45,210
Jeesus. I know that the written word ain't always the best medium for lighthearted banter, but don't winking smileys count for anything nowadays? :(

Nope. As a matter of fact, was told by one of the more grumpy tenants that they quote "mean f*ck all 'cause you hide behind them" :p

Smiley = light hearted.
Non smiley or :eek: = not so.

Only way to convey it on the nets.

But it's mostly cause everyone on the internet knows what you think, how you act, how you should act, how you believe and what you mean by things, except you :p

Hell, you've told me the same ;)
 

Scouse

Giant Thundercunt
FH Subscriber
Joined
Dec 22, 2003
Messages
36,078
Yes, they're in breach of the DPA for not encrypting the data during transmission but that's as far as their responsibility goes. ......result of their actions, in terms of their DPA responsibilities, is minor.......The fact of the matter is that the manner in which BT, or any other ISP, transferred data to ACS:Law is a completely separate issue to that of the leak.

No it isn't. You can't separate out causal actions and pigeonhole them as "nothing to do with each other" if one has a direct knock-on effect to the other.

If BT had lived up to their responsibilities the leak would be meaningless. The "result" of their [lack of] actions is that users have had their emails, addresses and some credit card details published online, in relation to allegations of sharing porn.

If I shoot someone in the leg, hand them over to a hospital who operates on them and they die because someone fucked up in surgery it's still my fault. -If I hadn't shot them in the first place they wouldn't have died in theatre.

If BT had encrypted its data the users details would be safe. :)
 

Krazeh

Part of the furniture
Joined
Dec 30, 2003
Messages
950
No it isn't. You can't separate out causal actions and pigeonhole them as "nothing to do with each other" if one has a direct knock-on effect to the other.

If BT had lived up to their responsibilities the leak would be meaningless. The "result" of their [lack of] actions is that users have had their emails, addresses and some credit card details published online, in relation to allegations of sharing porn.

The DPA simply doesn't work that way. An organisation's responsibilities and liabilities only extend as far as personal data it is in control of. Once personal data is no longer in its control it has no responsibility or liability for any leaks or breaches of the DPA that may occur in relation to that data.

BT's responsibility extends only until the personal data in question safely reached ACS:Law. After that point BT no longer holds any DPA responsibility or liability for anything that happens to that data. It was ACS:Law's responsibility to hold that data safely, it was their failure to do so that led to people having their details published online, not BT's.

If BT had encrypted its data the users details would be safe.

Had ACS:Law not massively screwed up and put personal data in a publicly accessible area of their website then user details would be safe; that is the issue at hand, not how BT may have transferred it to them.
 

Scouse

Giant Thundercunt
FH Subscriber
Joined
Dec 22, 2003
Messages
36,078
I think you'd find a court of law would find them jointly culpable of breaches.

BT for failure to live up to its obligations to securely transmit the data (regardless of encryption email is NOT a secure medium).

ACS:Law for being a bunch of bleeding incompetent idiots.


In the case of the BT data, their failure in their legal duty to encrypt the information resulted in the exacerbating circumstances.

Would a dictionary quote be a bit pissy here? ;)

exacerbate
tr.v. ex·ac·er·bat·ed, ex·ac·er·bat·ing, ex·ac·er·bates
To increase the severity, violence, or bitterness of; aggravate

:)


Edit: I'm off to my sisters tonight and her hubby's a top-level corporate lawyer. I'll ask him his expert opinion given the facts as we have 'em :)
 

Krazeh

Part of the furniture
Joined
Dec 30, 2003
Messages
950
I think you'd find a court of law would find them jointly culpable of breaches.

BT for failure to live up to its obligations to securely transmit the data (regardless of encryption email is NOT a secure medium).

ACS:Law for being a bunch of bleeding incompetent idiots.

In the case of the BT data, their failure in their legal duty to encrypt the information resulted in the exacerbating circumstances.

You're really not grasping how the Data Protection Act works, are you? Data controllers are only responsible for the personal data they actually control. Once you have passed that control to another data controller your responsibilities end. As such you can only be found in breach of the Act for any failures to comply in relation to data that is in your control. In this scenario the data was in control of BT up until it had been transmitted to ACS:Law. Now in that situation yes they should have encrypted it before transmission but no personal data was lost or leaked or anything else, it all safely arrived at ACS:Law. At that point BT's responsibilities end and ACS:Law's begin, it is now their duty to secure that data regardless of the fashion in which it was provided to them and any loss of data is their responsibility/liability alone. Simply put it was ACS:Law's responsibility to encrypt/password protect the information they received and delete any non-protected copies they had.

Edit: I'm off to my sisters tonight and her hubby's a top-level corporate lawyer. I'll ask him his expert opinion given the facts as we have 'em :)

To be honest unless he's actually worked in the realm of data protection I wouldn't hold out on his opinion being "expert".
 

Scouse

Giant Thundercunt
FH Subscriber
Joined
Dec 22, 2003
Messages
36,078
You're really not grasping how the Data Protection Act works are you? Data controllers are only responsible for the personal data they actually control. Once you have passed that control to another data controller your responsibilities end.

I understand the DPA, as you're putting it to me, perfectly.

I think you're really not grasping how law works. Remember - the act is just a guideline - it's up to the lawyers to make their arguments.

If the ICO's lawyers can argue successfully that there is a measure of causality through negligence then it won't matter one jot what the DPA says.

It's why we go to trial, after all :)
 

Krazeh

Part of the furniture
Joined
Dec 30, 2003
Messages
950
I understand the DPA, as you're putting it to me, perfectly.

I think you're really not grasping how law works. Remember - the act is just a guideline - it's up to the lawyers to make their arguments.

If the ICO's lawyers can argue successfully that there is a measure of causality through negligence then it won't matter one jot what the DPA says.

It's why we go to trial, after all :)

The ICO's lawyers won't argue that tho because it's not how the Act works or how the ICO views the Act working. In fact it would take a rewriting of the Act to even begin to put together a legal argument to support the sort of case you're trying to put forward, there's simply no basis in law to bring the actions of a previous data controller into account when looking at a breach of the Act. Aside from anything else a data controller should have rectified any mistakes made by the previous data controller simply in order for them to remain compliant with the Act.
 

Krazeh

Part of the furniture
Joined
Dec 30, 2003
Messages
950
You can do but you'll still be wrong. One thing I did forget to add to my previous point tho was that talking about going to trial over a DPA breach means very little as it's not something that happens. Most breaches of the Act are civil matters which never go anywhere near a court. There's only a few criminal offences in the Act that actually do get dealt with through the courts but none of them apply in this case.
 

ECA

I am a FH squatter
Joined
Dec 23, 2003
Messages
9,439
I think there is some responsibility from ACS:Law after all - when their site went down they restored it from archives - which were publicly available during the restoration process - that means ACS:Law themselves publicly posted this information.
 

Scouse

Giant Thundercunt
FH Subscriber
Joined
Dec 22, 2003
Messages
36,078
I think there is some responsibility from ACS:Law after all - when their site went down they restored it from archives - which were publicly available during the restoration process - that means ACS:Law themselves publicly posted this information.

I don't disagree with that one bit :)

However, if BT had encrypted the information as they were legally obliged to then it wouldn't have mattered what ACS published.

That's why I think they're jointly culpable. Two failures to follow the DPA resulted in this group of users' shit getting published. If either had fulfilled their legal obligations it wouldn't have happened, but they both failed.
 

Calaen

I am a massive cock who isn't firing atm!
Joined
Dec 22, 2003
Messages
9,538
I don't disagree with that one bit :)

However, if BT had encrypted the information as they were legally obliged to then it wouldn't have mattered what ACS published.

That's why I think they're jointly culpable. Two failures to follow the DPA resulted in this group of users' shit getting published. If either had fulfilled their legal obligations it wouldn't have happened, but they both failed.

Sky encrypted their data when sending yet their information has also been leaked.
 

Krazeh

Part of the furniture
Joined
Dec 30, 2003
Messages
950
I don't disagree with that one bit :)

However, if BT had encrypted the information as they were legally obliged to then it wouldn't have mattered what ACS published.

That's why I think they're jointly culpable. Two failures to follow the DPA resulted in this group of users' shit getting published. If either had fulfilled their legal obligations it wouldn't have happened, but they both failed.

The issue is however that BT's legal obligations end at the point they stop being a data controller. They're not responsible for anything ACS:Law get up to with it, nor are they accountable for failings by ACS:Law to keep the data they provided to them secure. It really is as simple as the leak by ACS:Law and the transmission of the data by ISPs being two completely separate matters. The fact you think they should be linked doesn't make it so or alter the law to allow it to be so.
 

Scouse

Giant Thundercunt
FH Subscriber
Joined
Dec 22, 2003
Messages
36,078
The issue is however that BT's legal obligations end at the point they stop being a data controller.

Maybe we're at crossed purposes?

BT's legal obligations with regards the storage and handling of data ended when it got to ACS:Law. Yep.

However, it can be shown that BT failed to fulfil its statutory duties and therefore should be liable to prosecution because of this.


Again. I'm softening my position slightly, I think.

In the real world if BT had encrypted the data originally then it would still be safe. If ACS:Law hadn't leaked it, it'd still be safe. It took two to tango in this case.

Meh. Maybe there'd be separate prosecutions. But BT definitely deserves a good twatting just like ACS. (Would you accept that?)

I'd like to think that, if it does get all legal, the lawyers would argue both sides of this equation. :|
 

Krazeh

Part of the furniture
Joined
Dec 30, 2003
Messages
950
Maybe we're at crossed purposes?

BT's legal obligations with regards the storage and handling of data ended when it got to ACS:Law. Yep.

However, it can be shown that BT failed to fulfil its statutory duties and therefore should be liable to prosecution because of this.


Again. I'm softening my position slightly, I think.

In the real world if BT had encrypted the data originally then it would still be safe. If ACS:Law hadn't leaked it, it'd still be safe. It took two to tango in this case.

Meh. Maybe there'd be separate prosecutions. But BT definitely deserves a good twatting just like ACS. (Would you accept that?)

I'd like to think that, if it does get all legal, the lawyers would argue both sides of this equation. :|

What exactly would you like to prosecute them with? You're certainly not going to be able to find a criminal offence in the DPA that fits.
 

Scouse

Giant Thundercunt
FH Subscriber
Joined
Dec 22, 2003
Messages
36,078
Really? I'd say that failure to ensure that the data was handled securely at all times is a prima facie violation of the DPA...
 

Krazeh

Part of the furniture
Joined
Dec 30, 2003
Messages
950
Really? I'd say that failure to ensure that the data was handled securely at all times is a prima facie violation of the DPA...

Not a criminal offence. Breaching the principles of the Act, i.e. failure to comply with section 4(4), is an entirely civil matter and dealt with through the Information Commissioner's own procedures. Doesn't go anywhere near a court room.
 

old.Tohtori

FH is my second home
Joined
Jan 23, 2004
Messages
45,210
Why is there no porn on this thread?

Just thought I'd contribute a bit.
 

Ch3tan

I aer teh win!!
Joined
Dec 22, 2003
Messages
27,318
So, in that case, the whole blame is on ACS:Law.

Easy eh? :)

I've already said this, but in your blind agenda to make this thread about what you want, you've missed it several times.
 

MYstIC G

Official Licensed Lump of Coal™ Distributor
Staff member
Moderator
FH Subscriber
Joined
Dec 22, 2003
Messages
12,379
The point against BT is mute tbh. The data would have stayed safe if they hadn't been ordered to release it, so if you're going to go up the chain like you are Scouse, why not then blame the court?

I bet the order don't specify the security requirements to the letter and that the person who did the job at BT was probably a grunt who specialises in something other than computer data.

Bottom line is BT should make improvements going forward to safeguard against a future repeat occurrence(s) and ACS:Law should be fined into oblivion since they essentially bully and extort people.
 

DaGaffer

Down With That Sorta Thing
Joined
Dec 22, 2003
Messages
18,412
Maybe we're at crossed purposes?

BT's legal obligations with regards the storage and handling of data ended when it got to ACS:Law. Yep.

However, it can be shown that BT failed to fulfil its statutory duties and therefore should be liable to prosecution because of this.


Again. I'm softening my position slightly, I think.

In the real world if BT had encrypted the data originally then it would still be safe. If ACS:Law hadn't leaked it, it'd still be safe. It took two to tango in this case.

Meh. Maybe there'd be separate prosecutions. But BT definitely deserves a good twatting just like ACS. (Would you accept that?)

I'd like to think that, if it does get all legal, the lawyers would argue both sides of this equation. :|

Not really. ACS Law should have encrypted it as soon as it arrived from BT. BT were in the wrong to send it unencrypted, but it's a separate issue. And yes, BT could be hauled up for a separate transgression of the DPA, but as Krazeh says, it's a technicality, not a breach in itself.

The point against BT is mute tbh. The data would have stayed safe if they hadn't been ordered to release it, so if you're going to go up the chain like you are Scouse, why not then blame the court?

I bet the order don't specify the security requirements to the letter and that the person who did the job at BT was probably a grunt who specialises in something other than computer data.

Bottom line is BT should make improvements going forward to safeguard against a future repeat occurrence(s) and ACS:Law should be fined into oblivion since they essentially bully and extort people.

Moot. (Sorry. /spelling Nazi). Agree entirely with the rest of your post.
 

Scouse

Giant Thundercunt
FH Subscriber
Joined
Dec 22, 2003
Messages
36,078
BT could be hauled up for a separate transgression of the DPA, but as Krazeh says, it's a technicality, not a breach in itself.

This is what I fail to understand. Why is the failure to secure data and handle data correctly before sending it on not a breach in itself?

And cheers for the constructive criticism Chilly :)
 
