Anonymous has threatened the EDL with a campaign of exposure and disruption. However, disclosure – and onward dissemination – of private information, such as lists of members of a group can be unlawful under data protection (and other) laws. Failure to take adequate steps to prevent such disclosure can also put such groups at risk of breaching the same laws.
In 2010 the law firm ACS:Law was victim of a concerted campaign to disrupt its activities through denial of service attacks (DDOS) and other means. The “Hacktivist” network Anonymous claimed responsibility for the attacks, stating that they were in response to the firm’s aggressive litigation tactics in claims against alleged file-sharers. For a short time after the firm’s website was restored after the DDOS attacks a file was exposed which contained large amounts of personal data of individuals who were suspected of file-sharing. This file was rapidly spread by Anonymous activists, and others.
As a result of this data security breach the Information Commissioner (IC) subsequently served a civil Monetary Penalty Notice of £1000 on Andrew Crossley, who operated the firm. At the time the IC said that
Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.
The IC found that the firm’s website security was utterly inadequate and constituted a serious breach of the seventh principle of the Data Protection Act 1998 (DPA).
The security measures ACS:Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details
This point has current relevance because “Anonymous” have announced a campaign to disrupt the activities of the English Defence League. The Guardian reports that
A list of what were said to be mobile phone numbers for senior named EDL figures were published online on Tuesday evening along with addresses of what were said to be donors to the far-right groupTwitter accounts also re-published leaked details of hundreds of names and addresses linked to the EDL which were circulated on the web in 2010 after hackers broke in to one of the organisation’s websites
2 responses to “Pondlife: privacy obligations and privacy rights”
Good post. My concern is that we are seeing new forms of terrorism. If this continues, I would imagine such groups organising their own hackers to counter these attacks and propagate their own. I can see that anonymous et al. think they are doing “good” but they bypass due process and the rule of law. They are, in one sense, no better than those they appear to be attacking. They are not conducting civil disobedience to tell us about wrongs committed by the organisation.
What would happen with other groups that may not be so “objectionable”? Are they not allowed political and civil rights to form a group and cooperate publicly and politically? Yes, they may have odious ends yet society, not an anonymous group, decides the parameters of civilized existence within and between states.
By attacking such groups, they only reveal an attack on a democratic process and a democratic right, the freedom to associate. In many ways, their illegal activity, by hacking and publishing, serves to emphasis the relative democratic legitimacy of these groups because they are publicly exercising their right to participate publicly and politically.
To put it differently, but directly, would anonymous have attacked the suffragette movement, which also used direct action tactics and techniques? We assume that “anonymous” are acting for benign, liberal democratic, ends, but we have no way of knowing except through their extrajudicial means and methods.
Until the laws change, I foresee that many more of these attacks of this type will emerge. I can well imagine that ICT counter measures will develop, but that is only a technological solution to a political problem. The underlying issue is a dislike, disdain, or disregard for democratic due process and allowing the state, as representing the will of the people through their consent, to act appropriately according to the rule of law. The “anonymouse” wish to take law and justice into their own hands. I would have thought that the one thing the Ancient Greeks taught us, and the reason why we live in liberal democratic societies, is that an individual taking the law into their own hands is a recipe for tyranny and injustice.
Good post Jon (and comment Lawrence).
Anonymous do firmly come across as the bad guys in this because ultimately they are the (only) ones acting unlawfully. Their actions in the ACS Law case were similarly indefensible – it’s one thing to target ACS Law because you disagree with their methods, but what justification was there to then disseminate the names etc of those very individuals you’re supposed to be representing?
Regarding the potential liability of the EDL to this apparent breach, I think it would be really interesting to see how the ICO would view the likelihood of the disclosure in terms of causing “substantial damage or distress”. I think they would be forced to make a very subjective decision because although it’s sensitive personal data, the EDL themselves don’t view it as an extremist group, so why the distress/damage by way of association? The ACS Law CMP specifically addressed the likely “damage to their personal reputations and relationships” – would an EDL member accept such a judgement? This would be even more difficult when assessing the impact on those who had previously placed their support for the EDL in the public domain.
I certainly think the risk of damage and distress is far greater to those whose information is disclosed than it would be for a list of Green Party activists, but that assessment makes a number of subjective (if extremely likely) assumptions. It would certainly make for interesting reading when the ICO explained whether it is more, or less, distressing for people to know whether one prefers downloading “Busty Babes” as opposed to supporting some poorly disguised racists.