This post is co-authored by CDT’s own Alex Bradshaw and Jake Laperruque of Open Technology Institute (OTI).
It’s been a little over a week since massive amounts of data from the popular cheating website, Ashley Madison, were published online. Impact Team, the group behind the breach, released everything from email and home addresses of Ashley Madison’s users to their credit card and bank account information. Not surprisingly, the consequences were brutal. Although public reaction has been a mix of jokes about happy divorce attorneys and betrayal-karma for users, the hack’s effects will likely spread far beyond the site, to affect anonymity and online security throughout the Internet.
Many are likely reacting to the Ashley Madison hack with humor and righteous glee because they see this data dump as something that will only affect “bad people,” but this sentiment is fundamentally misplaced. Just as the “I’ve got nothing to hide” critique of government surveillance misses the point that many others have legitimate things to keep secret, laughing at the Ashley Madison hack ignores the fact that there are many online services that require privacy, and this breach threatens their use.
Consider the huge range of websites that offer community forums and live chats for dealing with issues such as substance addiction, suicide prevention, mistreatment of LGBT youth, domestic abuse, and sexual assault. Individuals will often turn to these anonymous online services because these topics carry social stigma or the potential for discrimination if revealed. By outing millions of Ashley Madison users, hackers have shown that online safe havens for anonymous activities may not be safe at all. In the process they may chill use of services that provide an important support system to those in need.
This is not to say Ashley Madison is free from blame. There are a number of ways it could have mitigated injury. For one, requiring users to pay $19 to have their data deleted is ridiculous and borders on blackmail. There’s no reason to keep that much information about someone who no longer uses a site – not only does this require more storage and security (which adds to operating costs), but it also increases the chances of a hack. The FTC has repeatedly said that larger data sets attract more data thieves, and the Office of the Privacy Commissioner of Canada, Center for Democracy & Technology, and a host of other organizations agree that setting data retention limits is not only good for consumers, it’s good for businesses. Ashley Madison should have employed an automatic data purge policy for individuals no longer using the site or, at the very least, offered customers the option to delete their data for free upon service cancellation. And it goes without saying that if a company insists on charging a user for data deletion it should actually delete all of that users’ data (something Ashley Madison failed to do).
Furthermore, the fact that Ashley Madison’s homepage continues to boast having “over 39,645,000 anonymous members” and being “the world’s leading married dating service for discreet encounters” is baffling; the majority of its members are no longer (if they ever were) anonymous, and their communications are anything but discreet. Ashley Madison is making the same mistake Secret, Snapchat and Whisper made: overpromising. No matter how sincerely a company desires to keeps their users’ secrets confidential, complete anonymity is almost impossible to achieve. This doesn’t mean services shouldn’t strive to provide anonymous messaging platforms. Rather, companies should be transparent with customers about exactly how they define “anonymity,” as well as the technical limitations of these services. Achieving anonymity requires completely separating a users’ identity from their activity on a site. Even if this is done perfectly, there’s always a chance that metadata can be linked to track activity back to a particular individual. This is occurring with Ashley Madison users that created fake email addresses, but are being tracked down via location data included in the leak.
Additionally, the technical limitations of anonymous messaging do not excuse a company of its obligation to provide strong data security. Encryption, security audits, compliance officers, and employee training are just a sampling of security policies that companies should implement. This is especially important for services that promise “secret” interactions (because users are signing up for the very purpose of maintaining their online privacy). Adopting these practices could also help businesses avoid FTC actions based on poor data security (we’re looking at you, Wyndham Hotels).
This also raises the question of how we should view Impact Team, who justified their data dump as an attempt to damage a company engaged in “fraud, deceit, and stupidity.” Exposing Ashley Madison’s deceptive data retention policies and poor security did not require publicly posting sensitive, personally identifiable information about its users – all that accomplished was grabbing attention and subjecting users to malicious hacking, identity theft, spam, and extortion. There are even reports of suicides in response to the hack and the Saudi Arabian government is using the leaked data to hunt down adulterers and individuals engaged in gay relationships (punishable by death in the country).
When releasing their data, Impact Team advised exposed users to “Move on with your life …. Embarrassing now, but you’ll get over it.” The true impact of their actions shows how outrageous this suggestion is to those affected, and how disingenuous the label “hacktivist” is for such a group. There are enormous personal, social, and professional repercussions that will result from the en masse public branding of a digital Scarlet Letter on Ashley Madison’s users. This breach reflects a severe disregard for privacy, safety, human rights, and the digital dignity that all individuals are entitled to. There is no excuse for it. The Ashley Madison hack does not deserve praise or applause, it should not be greeted with jokes and amusement. It deserves nothing less than disdain.