Hackers calling themselves ‘The Impact Team’ (TIT) have carried out their threat to release the hacked data from the adult dating site Ashley Madison (AM), which uses the slogan: "Life is short. Have an affair". AM is part of Canadian company Avid Life Media (ALM), which specialises in websites offering married users opportunities to hook up with similarly attached people. Other associated ALM sites include Cougar Life and Established Men.
The anxiety and awkward silences experienced by a number of married couples worldwide in mid-July have now translated into full-on denial on one hand, and suspicion on the other. The press has reported on many high-profile individuals who categorically state that their email addresses were used without their knowledge to create fake online profiles. Many addresses are associated with government, education or large corporations such as Amazon and Sony. Some will be fake.
In July TIT initially released a mere 40MB of data, including credit card details and some company information on ALM. Since ALM did not give in to TIT’s demands to take down both AM and Established Men, on 18th August 2015 TIT released personal data such as email addresses, usernames, limited credit card details, and embarrassing profile information for over 37.5 million AM users. They express no sympathy for the users of the site, saying they deserved any discomfort.
In a recent statement, which was initially only available to those people with access to the dark web via the Tor browser, they said that ALM had failed to take down their sites and ‘we have explained the fraud, deceit, and stupidity…Now everyone gets to see their data.’ They go on, ‘Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you'll get over it’. Their continued stated motive is morality, but it still seems like blackmail.
Though the data was originally only available on the dark web via Tor, after release, it was rapidly disseminated on sites such as 4chan. It quickly became available to anyone despite ALM’s efforts to limit access. There are a number of websites where you can check your email address(es) – or indeed anyone else’s – to see if it is amongst the hacked data. One private detective site has been capitalising on this and you can directly announce to Facebook or Twitter via their site whether you have been compromised or not.
Further information has been released over the last 24 hours, as of 21 August. TIT wanted to refute the claims that the data was fake, so they have released ALM source code and files containing emails from CEO Noel Biderman. No further user information has been leaked. Their statement simply says, ‘Hey Noel, you can admit it’s real now’. However, there seems to be a problem with the email files, so they may be corrupted. The release of every version of the company’s source code is more problematic. If this is freely available, there is the potential for AM system vulnerabilities to be exploited.
As a recap, what remedies are available to individuals?
Under normal circumstances, subscribers would have a straightforward claim for an injunction to protect their privacy. The release of this information is in clear breach of Article 8 of the European Convention on Human Rights, which provides that everyone has the right to respect for private and family life, home and correspondence.
A breach of privacy may have occurred if personal information has been discovered and published, and the victim may decide to sue the perpetrator. However, searching the data on an individual basis and purely out of curiosity is not likely to be considered illegal. AM’s probable line of defence is found in their Terms and Conditions. Regarding privacy they say, ‘although we strive to maintain the necessary safeguards to protect your personal data, we cannot ensure the security or privacy of information you provide through the Internet and your email messages’.
In their disclaimer of warranties, they "do not warrant that any information you provide or we collect will not be disclosed to third parties". And if you are looking for ways in which to challenge them in response to the hacking, they say "you agree that we will not be liable for any damages whatsoever regarding disclosure of, unauthorized access to or alteration of your content".
It is difficult to imagine many jurisdictions finding that these attempts to limit liability could be upheld. And so far as data breaches are concerned, the ubiquitous Information Commissioners around the world are unlikely to let ALM go unpunished.
What about married couples?
If someone finds their married partner’s details on the ALM sites, it’s bound to confirm the suspicions they must have been harbouring already that he or she was up to no good. But being on the website is not in itself evidence of adultery. This still has to be proved to the court’s satisfaction by a confession statement or the traditional method of paying a private investigator to observe a couple going into a room and staying there all night. And if you’re gay, incidentally, you can’t commit adultery because the law says you can’t.
Finding your partner’s details on ALM can, however, help to establish that the relationship has broken down irretrievably and that they’ve exhibited ‘unreasonable behaviour’ which gives you grounds for divorce. Their behaviour will not make any difference to the court when hearing subsequent claims concerning money or children. The family court, unlike the public, has given up its role as moral arbiter.
The publication of users’ details is only likely to accelerate difficulties, and seriously shock some spouses who thought theirs was a happy, faithful marriage into reassessing the picture.
Where do employees and employers stand?
Certain employers will react negatively to the knowledge that their employees were using this site, and people could lose their jobs as a result. For example, government employees and public officials could become subject to blackmail threats and face professional consequences.
Most companies have stringent IT policies forbidding access to inappropriate websites at work and giving the employer the right to monitor internet usage and emails, with the threat of disciplinary action if these rules are ignored. Others who have used their work email address on the site could bring their organisation into disrepute and face similar consequences. Worse still, the results could follow employees to their next job if this data is used as a part of pre-employment background checks.