What Ashley Madison Teaches Us About Data Hygiene
The real moral of the Ashley Madison hack? Our data is fundamentally insecure.
Last week, a hacktivist group called the Impact Team made good on earlier threats to expose the personal data of millions of users of the online adultery service Ashley Madison. Much of the public discussion so far has revolved around the ethics of "doxing," the harm dealt to blameless children or guilty adults living in authoritarian regimes, and the worryingly high number of blackmail-susceptible .gov and .mil email addresses used to register accounts. But to frame the Ashley Madison hack as primarily a run-of-the-mill morality tale is to miss the urgent message about our own online lives: Our data is fundamentally insecure, and it is only a matter of time until our own digital habits—innocent though we believe them—catch up to us. If they haven't already.
It is clear that the Impact Team was not a big fan of the "cheating dirtbags" that used Ashley Madison, which has been around since 2001. But for these reactionary hackers, deceptive and inadequate data security was the website's ultimate sin.
We first learned that hackers may have breached Ashley Madison's parent company, Avid Life Media (ALM), in July. The Impact Team leaked snippets of user data and internal communications to prove they had the goods before demanding that ALM permanently shut down Ashley Madison and related "sugar daddy" website EstablishedMen.com.
ALM's reaction was lackluster, to say the least. An initial ALM statement from July claims that the company identified and patched the security holes hackers had exploited and was working with law enforcement to catch the baddies before they posted the data. Former ALM Chief Technology Officer (CTO) Raja Bhatia told security journalist Brian Krebs that its analysis team in Israel was poring through dozens of fake dumps to identify the criminals. And, initially, ALM erroneously categorized the real data set as another false positive.
While it is true that ALM did not verify email addresses, and the presence of someone's email address in the database does not prove that person actually created the Ashley Madison account associated with it, the data was quickly confirmed as authentic by the many spouses who suddenly became very interested in the elusive art of hacking back. Unfortunately for the millions of people who chose to entrust their most scandalous secrets to a faceless Canadian tech bureaucracy, their email addresses, home addresses, credit card information, and extramarital sexual proclivities are now free to browse for anyone with enough morbid curiosity and patience to download a 10 gigabyte data set that will never be entirely deleted.
But if Impact Team had only wanted to expose adulterers, it could have dumped the data right away. Instead, its initial July communication quite clearly calls out ALM executives for promising security standards that they were not, in truth, delivering. If you're going to run a "honeypot for people who have something to hide," as writer Violet Blue described the website, you'd better be damn sure to invest in beefy security. ALM did not—and in fact was highly misleading about the security it did offer Ashley Madison users.
For a $19 fee, users could purchase a "full delete" service that was advertised to remove "site usage history and personally identifiable information" from the ALM servers. But as the leaked data shows, the full delete was a lie. The Impact Team chided ALM for raking in almost $2 million on full delete fees in 2014 despite maintaining the data that users paid them to remove—a straightforward case of deceptive advertising in which the FTC may soon take interest.
While Ashley Madison skimped on security, it went big on boasting. ALM CEO and self-styled "King of Infidelity" Noel Biderman famously touted Ashley Madison's near military-grade security, claiming that his website immediately anonymized all user data and could delete all personal information from its systems like "you're a ghost." A 20 gigabyte dataset of internal communications that the hackers later dumped revealed that Biderman prioritized public relations over robust security; former CTO Bhatia frankly admits, "security was an obvious afterthought."
People who publicly brag about their "unhackable" systems make themselves a prime target for hackers. They also tend to be easier to hack, and Ashley Madison was no exception. "For a company whose main promise is secrecy, it's like you didn't even try, like you thought you had never pissed anyone off," the Impact Team scolded ALM. One Impact Team member told Motherboard that ALM's security was a joke: "Nobody was watching. No security." A common password was "Pass1234."
For now, Ashley Madison customers are paying the price for ALM's irresponsible data maintenance. But ALM will soon feel the heat in court. Already, the company that once toasted itself as the "last truly secure space on the Internet" is facing a $578 million class-action lawsuit in Canada. Of course, no amount of remuneration can make up for the serious harms dealt to millions of personal relationships and reputations.
It's hard to imagine a scenario where Ashley Madison survives this devastating security failure and continues "cashing in on the economics of infidelity." But Ashley Madison is far from alone in being poor stewards of customer data. Unless we draw the right lessons from this tragic hack, we will continue to leave ourselves vulnerable to those cashing in on the economics of software vulnerabilities.
Spectators may take comfort that they were not so thoughtless to share their professional email accounts and personal credit-card information with an insecure digital adultery broker, but in all likelihood their data practices are not so different. The vast majority of us have no business sharing even a fraction of the information and devices that we unthinkingly authorize countless third-party service providers to access or even control each day (I include myself in this, although I am trying to do better). In terms of destructive behaviors that make our data less secure, our personal failings are no less than those of the most philandering online skirt-chaser.
If you are like most Americans, you regularly share information about your life, opinions, and relationships with at least one major social media network each day. You probably use the same email account from Google or Yahoo or even your place of work to register for these websites as you did for your bank accounts, Amazon.com, and health-care services. I really hope you don't use the same password for all of them, but many people do. You probably run Windows 10 or OS X and are fairly unworried about the data tracking and external system access software that is undoubtedly running on your computer right now—whether legally or illegally.
You might not cruise sleazy dating websites, but you've almost certainly articulated an opinion that could offend a future co-worker and perhaps throw your job in jeopardy. You weren't tempted by Ashley Madison's adultery algorithm, but have you ever stopped to think about how many of your online purchases were algorithmically coaxed by faraway data optimizers? Like Ashley Madison users before the hack, we often don't appreciate the gravity of our online data-sharing behaviors until after it's too late.
It's not exactly our fault. The Internet is an exciting place, and scores of evangelists and experts were happy to soothe our reticence to share information online by emphasizing its trusted and secure nature. It is unrealistic to expect each person to be a computer expert and run an obscure Linux distribution that affords full control of all running processes. But it is also unrealistic to think we can attain security online without examining and changing our online data-sharing behaviors. In the words of cryptographer Nick Szabo, "trusted third parties are security holes." Good security starts with you. If we want to get serious about protecting ourselves online, we're going to have to think carefully before purposefully rendering ourselves vulnerable to such risks.