Anonymous has threatened the EDL with a campaign of exposure and disruption. However, disclosure – and onward dissemination – of private information, such as lists of members of a group can be unlawful under data protection (and other) laws. Failure to take adequate steps to prevent such disclosure can also put such groups at risk of breaching the same laws.
In 2010 the law firm ACS:Law was victim of a concerted campaign to disrupt its activities through denial of service attacks (DDOS) and other means. The “Hacktivist” network Anonymous claimed responsibility for the attacks, stating that they were in response to the firm’s aggressive litigation tactics in claims against alleged file-sharers. For a short time after the firm’s website was restored after the DDOS attacks a file was exposed which contained large amounts of personal data of individuals who were suspected of file-sharing. This file was rapidly spread by Anonymous activists, and others.
As a result of this data security breach the Information Commissioner (IC) subsequently served a civil Monetary Penalty Notice of £1000 on Andrew Crossley, who operated the firm. At the time the IC said that
Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.
The IC found that the firm’s website security was utterly inadequate and constituted a serious breach of the seventh principle of the Data Protection Act 1998 (DPA).
The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details
This point has current relevance because “Anonymous” have announced a campaign to disrupt the activities of the English Defence League. The Guardian reports that
A list of what were said to be mobile phone numbers for senior named EDL figures were published online on Tuesday evening along with addresses of what were said to be donors to the far-right group
Twitter accounts also re-published leaked details of hundreds of names and addresses linked to the EDL which were circulated on the web in 2010 after hackers broke in to one of the organisation’s websites
I confess I wasn’t aware of the 2010 hack. One wonders if the IC investigated this at the time. Nonetheless, any further hacks which reveal personal data of members and donors raise potential issues of liability for the EDL under the DPA, for the same reason that ACS:Law attracted enforcement action.
I found it notable at the time of the ACS:Law case that there was a lack of action or censure for the many people who happily publicised and distributed the file in question, thus exacerbating the already serious breach. It seemed to me, and still does, that those who originally downloaded the file and made it freely available, and those who continued to publicise it and make it available, were arguably guilty of an offence under section 55 of DPA, which provides that disclosing personal data knowingly or recklessly, without the consent of the data controller can be an offence.
The chances of an offence being committed are even more pronounced when concerted efforts are made to hack into a website. The offence under s55 DPA remains (through lack of a ministerial Order implementing the custodial provisions) only punishable by a maximum £5000 fine. However, other potential offences are enaged, including those under the Computer Misuse Act 1990, which are punishable by a maximum of five years’ imprisonment.
Anonymous have their reasons for the campaign, and they are perhaps difficult to argue against. But concerted efforts to gather and disclose private information raise worrying issues, which should not be avoided simply because of who the intended victims are.
None of this is to be seen as defending, or sympathising with, the views of the EDL, who are scum. But even scum have rights. Furthermore, it might be worth bearing in mind that when a list of apparent members of the BNP was leaked in 2009 – an incident which led to the prosecution of an individual under the DPA (at the sentencing of whom the judge said that he was obliged to impose a “fine…so low as to be ridiculous”) – there were strong indications
that a number of people were wrongly named as members. Lists can be dangerous things
, and I can think of few things more unpleasant than being wrongly associated with groups like this.