ACS:Law

ACS:Law was a website encouraging a strict standard regarding the proper usage of Action Code Script a law firm in the United Kingdom that specialised in copyright infringement cases against peer-to-peer (P2P) network users, using spurious, threatening tactics, in order to extort money from them.

Prior to 2009, its most notable case was the defence of a British national accused of public indecency in Dubai.

Methodology
ACS:Law employed third parties to monitor P2P networks, who logged the IP addresses and time of users who are seen to be downloading copyrighted material such as music, software, and video (most importantly pornography, discussed later). Once the target filename, IP address, and time of download have been ascertained, ACS use a (NPO) through the courts to demand the user's details from the associated IP's Internet Service Provider (ISP). Most ISPs in the UK are quick to roll over to such requests, fearing costly court battles if they do not comply. Once ACS receives the user's personal details (usually in bulk, unencrypted format via email) they send threatening letters demanding high sums (between £500 and £800 per user) warning of court cases should the demand not be settled immediately.

Blackmail
The majority of the letters list obscene video names, such as "18 LEGAL & LATIN", "50 GUY CREAM PIE", and "6 NURSES TAKE IT UP THE ASS" to name a few. Even if the target user did not download the files in question, it is unlikely that it will be contested in court, as no-one wants to have a public court case against their name which points to such filenames. It is likely the majority of people receiving such threats will settle immediately out of fear of damage to their reputation.

Misuse of NPO
It is clearly stated that any NPO request made through the courts should only be made if there is a genuine intention of commencing court proceedings. To date, ACS:Law have taken precisely zero people to court (note: default judgements were applied for in December 2010, see below), despite a high rate of contention/non-response. It is clear they are working as a "hit-and-run" operation, whereby a law firm "shotgun" out as many legal threats as possible, and only bother to take cash from those willing to immediately provide it, rather than proceed with expensive legal costs dragging ordinary people through the courts.

Inaccuracy of proof
Attempting to take legal action against a user based simply on IP address and time of recorded download should not be admissible in court for a multitude of reasons:

Actual user
Ignoring that a lot of users will willingly share their network with third parties, unless the user is proficient with wireless security protocols, it is entirely possible that an unauthorised third party has illicitly gained access to a user's wireless (or indeed wired, as is the case with powerline networking) network. A lot of users are still using old wireless routers which by default are set to open authentication, allowing anyone within range to freely use it. More importantly, even users who secure their wireless network may still be at risk. Using WEP encryption (still widely used) with a key of any permitted length leaves a network vulnerable to penetration from a third party armed with freely available and simple to use tools such as Aircrack which can passively (without detection) crack the key in under 5 minutes.

The accepted wireless security standard for home use these days is WPA-PSK, using TKIP. However, despite the fact that the encryption process is not vulnerable to the same initialisation vector gathering attack as WEP, it can still be cracked by capturing the initial 4-way handshake between a client and the router and then running the handshake through a dictionary / brute force attack library. Most users prefer a simple, easy to remember password and will quickly change the predefined (more secure) key on their router, leaving them vulnerable.

It is tempting to suggest that a hacker would not go through the effort of cracking a third-party's router in order to download files, but considering that companies such as ACS are demanding upwards of £500 per infringement, as well as the police swiftly prosecuting child pornography downloaders, the motivation becomes clear. Coupled with the fact that the majority of wireless routers either provide no logging at all, or have an easy to guess default password (which the user very rarely changes) allowing the hacker to wipe any such logs and cover their tracks makes a quick crack-download-escape route very attractive.

Malware
Even if a user has firmly locked down their wireless network, making unauthorised access near impossible, should they accidentally download a piece of malware (malicious software, such as a virus, trojan, or worm), they may unwittingly be turning their computer into a zombie PC, silently being controlled by a huge network of other zombie PCs. This "botnet" can force the user's PC to download, store and distribute copyrighted or illegal material without the user's knowledge — that is, until they receive a letter from ACS or a knock on the door from the police.

Timing issues
The other, if minimal risk (but high impact), problem with the above method of determining guilt, is in time differences between servers. Even if ACS's servers are only a minute out from an ISPs servers, a user who disconnects their broadband, releases their IP, which is then allocated to an illegal file sharer, may find themselves accused of downloading content when they were not even connected. In order to ensure this does not happen, not only would ACS's logging machines have to be synchronised with a reputable timeserver, but so would the ISP's server of the user being targeted, and they would have to be using the same timeserver. This is highly improbable.

Misuse of data
Towards the end of September 2010, a 4chan user decided to rally the troops against ACS by organising a DDoS (distributed denial of service) attack against ACS's website. The attack was successful, and the site went down for "a few hours". However, the IT manager (presumably now sacked) managed to bring the site back online, forgetting three very important points:
 * 1) They had forgotten to upload the index file for the document root (index.php) which is the document served by default when a user does not request a specific page name.
 * 2) They had left "smart indexing" on, meaning that requesting the site's root would return a list of all documents in the current directory. Not a problem unless:
 * 3) They had left a zipped server backup, including all emails sent in and out of the company in the root HTML files directory

Consequently, people immediately started downloading the backup, and made the files public, which included emails from customers providing their credit card details, Paypal account details, and spreadsheets from ISPs detailing user's identities. The breach is now being investigated by the Information Commissioners Office (ICO) and Privacy International are intending to take legal action against the firm.

Court fail
In December 2010 eight cases were thrown out of court:

In January 2011, ACS:Law stated that they were dropping all the cases against file sharers, claiming that death threats, cyberterrorism, and even bomb threats against them were to blame.

The firm represented by ACS:Law has ceased trading:

In January 2012 Andrew Crossley was disbarred for two years by The Solicitors' Regulation Authority.

External link

 * ACS:Law — archives of their website