Pondlife: privacy obligations and privacy rights

Anonymous has threatened the EDL with a campaign of exposure and disruption. However, disclosure – and onward dissemination – of private information, such as lists of members of a group, can be unlawful under data protection (and other) laws. Failure to take adequate steps to prevent such disclosure can also put such groups at risk of breaching the same laws.

In 2010 the law firm ACS:Law was the victim of a concerted campaign to disrupt its activities through denial of service attacks (DDOS) and other means. The “Hacktivist” network Anonymous claimed responsibility for the attacks, stating that they were in response to the firm’s aggressive litigation tactics in claims against alleged file-sharers. For a short time after the firm’s website was restored after the DDOS attacks, a file was exposed which contained large amounts of personal data of individuals who were suspected of file-sharing. This file was rapidly spread by Anonymous activists, and others.

As a result of this data security breach the Information Commissioner (IC) subsequently served a civil Monetary Penalty Notice of £1000 on Andrew Crossley, who operated the firm. At the time the IC said that

Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.

The IC found that the firm’s website security was utterly inadequate and constituted a serious breach of the seventh principle of the Data Protection Act 1998 (DPA).

The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details

This point has current relevance because “Anonymous” have announced a campaign to disrupt the activities of the English Defence League. The Guardian reports that

A list of what were said to be mobile phone numbers for senior named EDL figures were published online on Tuesday evening along with addresses of what were said to be donors to the far-right group

Twitter accounts also re-published leaked details of hundreds of names and addresses linked to the EDL which were circulated on the web in 2010 after hackers broke in to one of the organisation’s websites

I confess I wasn’t aware of the 2010 hack. One wonders if the IC investigated this at the time. Nonetheless, any further hacks which reveal personal data of members and donors raise potential issues of liability for the EDL under the DPA, for the same reason that ACS:Law attracted enforcement action.
 
I found it notable at the time of the ACS:Law case that there was a lack of action or censure for the many people who happily publicised and distributed the file in question, thus exacerbating the already serious breach. It seemed to me, and still does, that those who originally downloaded the file and made it freely available, and those who continued to publicise it and make it available, were arguably guilty of an offence under section 55 of DPA, which provides that disclosing personal data knowingly or recklessly, without the consent of the data controller can be an offence.
 
The chances of an offence being committed are even more pronounced when concerted efforts are made to hack into a website. The offence under s55 DPA remains (through lack of a ministerial Order implementing the custodial provisions) only punishable by a maximum £5000 fine. However, other potential offences are engaged, including those under the Computer Misuse Act 1990, which are punishable by a maximum of five years’ imprisonment.
 
Anonymous have their reasons for the campaign, and they are perhaps difficult to argue against. But concerted efforts to gather and disclose private information raise worrying issues, which should not be avoided simply because of who the intended victims are.
 
None of this is to be seen as defending, or sympathising with, the views of the EDL, who are scum. But even scum have rights. Furthermore, it might be worth bearing in mind that when a list of apparent members of the BNP was leaked in 2009 – an incident which led to the prosecution of an individual under the DPA (at the sentencing of whom the judge said that he was obliged to impose a “fine…so low as to be ridiculous”) – there were strong indications that a number of people were wrongly named as members. Lists can be dangerous things, and I can think of few things more unpleasant than being wrongly associated with groups like this.


2 responses to “Pondlife: privacy obligations and privacy rights”

  1. Good post. My concern is that we are seeing new forms of terrorism. If this continues, I would imagine such groups organising their own hackers to counter these attacks and propagate their own. I can see that anonymous et al. think they are doing “good” but they bypass due process and the rule of law. They are, in one sense, no better than those they appear to be attacking. They are not conducting civil disobedience to tell us about wrongs committed by the organisation.

    What would happen with other groups that may not be so “objectionable”? Are they not allowed political and civil rights to form a group and cooperate publicly and politically? Yes, they may have odious ends yet society, not an anonymous group, decides the parameters of civilized existence within and between states.

    By attacking such groups, they only reveal an attack on a democratic process and a democratic right, the freedom to associate. In many ways, their illegal activity, by hacking and publishing, serves to emphasise the relative democratic legitimacy of these groups because they are publicly exercising their right to participate publicly and politically.

    To put it differently, but directly, would anonymous have attacked the suffragette movement, which also used direct action tactics and techniques? We assume that “anonymous” are acting for benign, liberal democratic, ends, but we have no way of knowing except through their extrajudicial means and methods.

    Until the laws change, I foresee that many more of these attacks of this type will emerge. I can well imagine that ICT counter measures will develop, but that is only a technological solution to a political problem. The underlying issue is a dislike, disdain, or disregard for democratic due process and allowing the state, as representing the will of the people through their consent, to act appropriately according to the rule of law. The “anonymouse” wish to take law and justice into their own hands. I would have thought that the one thing the Ancient Greeks taught us, and the reason why we live in liberal democratic societies, is that an individual taking the law into their own hands is a recipe for tyranny and injustice.

  2. Andrew Walsh

    Good post Jon (and comment Lawrence).

    Anonymous do firmly come across as the bad guys in this because ultimately they are the (only) ones acting unlawfully. Their actions in the ACS Law case were similarly indefensible – it’s one thing to target ACS Law because you disagree with their methods, but what justification was there to then disseminate the names etc of those very individuals you’re supposed to be representing?

    Regarding the potential liability of the EDL to this apparent breach, I think it would be really interesting to see how the ICO would view the likelihood of the disclosure in terms of causing “substantial damage or distress”. I think they would be forced to make a very subjective decision because although it’s sensitive personal data, the EDL themselves don’t view it as an extremist group, so why the distress/damage by way of association? The ACS Law CMP specifically addressed the likely “damage to their personal reputations and relationships” – would an EDL member accept such a judgement? This would be even more difficult when assessing the impact on those who had previously placed their support for the EDL in the public domain.
    I certainly think the risk of damage and distress is far greater to those whose information is disclosed than it would be for a list of Green Party activists, but that assessment makes a number of subjective (if extremely likely) assumptions. It would certainly make for interesting reading when the ICO explained whether it is more, or less, distressing for people to know whether one prefers downloading “Busty Babes” as opposed to supporting some poorly disguised racists.
