Reason.com

Free Minds & Free Markets

What Ashley Madison Teaches Us About Data Hygiene

The real moral of the Ashley Madison hack? Our data is fundamentally insecure.

Last week, a hacktivist group called the Impact Team made good on earlier threats to expose the personal data of millions of users of the online adultery service Ashley Madison. Much of the public discussion so far has revolved around the ethics of "doxing," the harm dealt to blameless children or guilty adults living in authoritarian regimes, and the worryingly high number of blackmail-susceptible .gov and .mil email addresses used to register accounts. But to frame the Ashley Madison hack as primarily a run-of-the-mill morality tale is to miss the urgent message about our own online lives: Our data is fundamentally insecure, and it is only a matter of time until our own digital habits—innocent though we believe them—catch up to us. If they haven’t already.

It is clear that the Impact Team was not a big fan of the "cheating dirtbags" that used Ashley Madison, which has been around since 2001. But for these reactionary hackers, deceptive and inadequate data security was the website’s ultimate sin.

We first learned that hackers may have breached Ashley Madison’s parent company, Avid Life Media (ALM), in July. The Impact Team leaked snippets of user data and internal communications to prove they had the goods before demanding that ALM permanently shut down Ashley Madison and related "sugar daddy" website EstablishedMen.com.

ALM’s reaction was lackluster, to say the least. An initial ALM statement from July claims that the company identified and patched the security holes hackers had exploited and was working with law enforcement to catch the baddies before they posted the data. Former ALM Chief Technology Officer (CTO) Raja Bhatia told security journalist Brian Krebs that its analysis team in Israel was poring through dozens of fake dumps to identify the criminals. And, initially, ALM erroneously categorized the real data set as another false positive.

While it is true that ALM did not verify email addresses, and the presence of someone’s email address in the database does not prove that person actually created the Ashley Madison account associated with it, the data was quickly confirmed as authentic by the many spouses who suddenly became very interested in the elusive art of hacking back. Unfortunately for the millions of people who chose to entrust their most scandalous secrets to a faceless Canadian tech bureaucracy, their email addresses, home addresses, credit card information, and extramarital sexual proclivities are now free to browse for anyone with enough morbid curiosity and patience to download a 10 gigabyte data set that will never be entirely deleted. 

But if Impact Team had only wanted to expose adulterers, it could have dumped the data right away. Instead, its initial July communication quite clearly calls out ALM executives for promising security standards that they were not, in truth, delivering. If you’re going to run a "honeypot for people who have something to hide," as writer Violet Blue described the website, you’d better be damn sure to invest in beefy security. ALM did not—and in fact was highly misleading about the security it did offer Ashley Madison users. 

For a $19 fee, users could purchase a "full delete" service that was advertised to remove "site usage history and personally identifiable information" from the ALM servers. But as the leaked data shows, the full delete was a lie. The Impact Team chided ALM for raking in almost $2 million on full delete fees in 2014 despite maintaining the data that users paid them to remove—a straightforward case of deceptive advertising in which the FTC may soon take interest.

While Ashley Madison skimped on security, it went big on boasting. ALM CEO and self-styled "King of Infidelity" Noel Biderman famously touted Ashley Madison’s near military-grade security, claiming that his website immediately anonymized all user data and could delete all personal information from its systems like "you’re a ghost." A 20 gigabyte dataset of internal communications that the hackers later dumped revealed that Biderman prioritized public relations over robust security; former CTO Bhatia frankly admits, "security was an obvious afterthought."

People who publicly brag about their "unhackable" systems make themselves a prime target for hackers. They also tend to be easier to hack, and Ashley Madison was no exception. "For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off," the Impact Team scolded ALM. One Impact Team member told Motherboard that ALM's security was a joke: "Nobody was watching. No security." A common password was "Pass1234."

For now, Ashley Madison customers are paying the price for ALM’s irresponsible data maintenance. But ALM will soon feel the heat in court. Already, the company that once toasted itself as the "last truly secure space on the Internet" is facing a $578 million class-action lawsuit in Canada. Of course, no amount of remuneration can make up for the serious harms dealt to millions of personal relationships and reputations.

It’s hard to imagine a scenario where Ashley Madison survives this devastating security failure and continues "cashing in on the economics of infidelity." But Ashley Madison is far from alone in being a poor steward of customer data. Unless we draw the right lessons from this tragic hack, we will continue to leave ourselves vulnerable to those cashing in on the economics of software vulnerabilities.

Spectators may take comfort that they were not so thoughtless as to share their professional email accounts and personal credit-card information with an insecure digital adultery broker, but in all likelihood their data practices are not so different. The vast majority of us have no business sharing even a fraction of the information and devices that we unthinkingly authorize countless third-party service providers to access or even control each day (I include myself in this, although I am trying to do better). In terms of destructive behaviors that make our data less secure, our personal failings are no less than those of the most philandering online skirt-chaser.

If you are like most Americans, you regularly share information about your life, opinions, and relationships with at least one major social media network each day. You probably use the same email account from Google or Yahoo or even your place of work to register for these websites as you did for your bank accounts, Amazon.com, and health-care services. I really hope you don’t use the same password for all of them, but many people do. You probably run Windows 10 or OS X and are fairly unworried about the data tracking and external system access software that is undoubtedly running on your computer right now—whether legally or illegally.

You might not cruise sleazy dating websites, but you’ve almost certainly articulated an opinion that could offend a future co-worker and perhaps throw your job in jeopardy. You weren’t tempted by Ashley Madison’s adultery algorithm, but have you ever stopped to think about how many of your online purchases were algorithmically coaxed by faraway data optimizers? Like Ashley Madison users before the hack, we often don’t appreciate the gravity of our online data-sharing behaviors until after it’s too late.

It’s not exactly our fault. The Internet is an exciting place, and scores of evangelists and experts were happy to soothe our reticence to share information online by emphasizing its trusted and secure nature. It is unrealistic to expect each person to be a computer expert and run an obscure Linux distribution that affords full control of all running processes. But it is also unrealistic to think we can attain security online without examining and changing our online data-sharing behaviors. In the words of cryptographer Nick Szabo, "trusted third parties are security holes." Good security starts with you. If we want to get serious about protecting ourselves online, we’re going to have to think carefully before purposefully rendering ourselves vulnerable to such risks.

Photo Credit: Pro Juventute/Flickr

  • Fist of Etiquette||

    Our data is fundamentally insecure, and it is only a matter of time until our own digital habits—innocent though we believe them—catch up to us.

    Unless you keep your email server in your bathroom.

  • PH2050||

    Lmao!

  • Quixote||

    This is in fact a huge scandal, revealing the idiocy of our priggish “honesty” culture, which naturally discourages people from using pseudonyms online, with horrifying results now visible for everyone to see. Gentrified sites like Facebook even claim to forbid anonymity, while on the other hand prosecutors in New York have seen themselves forced to spend millions criminalizing pseudonymous campaigns of speech with academic value along with email parodies sent out in the “names” of other individuals for the purpose of inappropriate criticism and mockery (which, as we all know, is only a small step removed from financial fraud). See the detailed documentation of one notorious case at:

    http://raphaelgolbtrial.wordpress.com

    The unfortunate result of so much necessary repression is, of course, comparable to prostitution in Victorian times. Yet, while millions give vent to their ordinary unhappiness by signing up with Ashley Madison, the honesty of prigs has been advancing unopposed, with barely a word of protest from the so-called First Amendment “community,” many of whose members are themselves conservatives who would like to roll back protections for freedom of expression. Fiddle our thumbs as we might, the chilling effect is very real. People should be aware of the crisis this points to, and perhaps start revising their feelings about anonymity, satire, and related phenomena involving forms of speech that we “really don’t like.”

  • ||

    Unless you keep your email server in your bathroom.

    And wipe it regularly with a damp cloth.

  • Unicorn Abattoir||

    Especially if Bill's using that bathroom.

  • Loki||

    Unless you keep your email server in your bathroom.

    You jest, but it's only a matter of time until team Shillary starts claiming that their bathroom email server was actually more secure than the state dept's systems and that's the real reason she kept everything on her personal bathroom server. All her previous excuses will be flushed down the memory hole.

    "What?! She just did it because she didn't want to carry two smart phones? That's some wingnut CT! And besides, PHAKE SKANDUL!!!" /shriek

  • Fist of Etiquette||

    ...you regularly share information about your life, opinions, and relationships with at least one major social media network each day.

    Are you telling me that my registration information on a website, let's say some hypothetical print magazine's blog site, might not be secure from some third party entity, for instance a resumé-building federal prosecutor?

  • DaveSs||

    Burner email address

    I don't get why anyone would engage in sleaze on their main email.

  • Bubba Jones||

    I think it's important to remember that lives weren't ruined by the data dump. Lives were ruined by the decision to be an asshole.

  • Berserkerscientist||

    Bullsh!t. Doxing is never good. We all do many things in private that we'd prefer others not to know. Just because these people did things we don't approve of doesn't make it justifiable to expose them and nuke their families. That same logic could be used to expose closet homosexuals or people into kinky sex (by people who disapprove of those things).

  • Bubba Jones||

    Cheating on your spouse is fraud. It's a violation of the marriage contract. No sympathy from me on that one.

    I would have some sympathy for the people who were on the site with the "permission" of the spouse, but I suspect that is exceedingly rare.

    If you are a single guy trolling for cougars, then it's unlikely anyone is searching your email address in the database.

  • Bruce D||

    Self-righteousness is dangerous. Tens, even hundreds, of millions have died because of it. The Ashley Madison hackers are self-righteous thieves. They've stolen information that is not theirs and are threatening to wrongfully disclose it. It is not up to the hackers to take it upon themselves to be enforcers of contracts.

    The stolen information belongs to the parties involved, not the hackers, not the public. The cuckolded husband and the cuckqueaned wife, i.e. the wronged, own that data and the hackers have no right to disclose it without their consent.

    If the hackers only disclosed the specific info about a particular person to that specific person's wronged specific spouse, then they would be acting morally, but not if they disclose it to anyone who has no right to it like the general public. Any information generated with a reasonable expectation of privacy is community property within the marriage just the same as earnings are usually considered community property. That information is the rightful property of the cuckold or cuckquean, not the rightful property of the hackers or the public.

    The hackers have no right to disclose information embarrassing to the cuckolded husband or cuckqueaned wife without their consent. It is up to the cuckold or cuckquean to decide if they want to bear the embarrassment of that information being made public, not some narcissistic self-righteous hacker.

  • gaoxiaen||

    It didn't look like a good idea when I saw it.

  • ||

    Just because these people did things we don't approve of doesn't make it justifiable to expose them and nuke their families.

    The doxxers aren't nuking their families, the public (to a lesser extent) and their family members are.

    Doxing is the heart of free speech. You certainly do use it in situations like this because while there are families that are going to suffer some strain, there are just as many shitheads pretty directly perpetrating fraud or worse.

    More importantly, without doxing, how do you know what the market price for your blackmail is?

  • sasob||

    It is clear that the Impact Team was not a big fan of the "cheating dirtbags" that used Ashley Madison, which has been around since 2001. But for these reactionary hackers, deceptive and inadequate data security was the website’s ultimate sin.

    So it's "reactionary" now to have morals and integrity? All that counts is what one can get away with? That bodes ill for the future of society.

  • Berserkerscientist||

    So if you speed, eat a grape while shopping, use a VPN to watch a UK Netflix show, use your friend's Steam account, smoke a joint, throw a CFL bulb in the garbage, etc., it is okay for someone to dox you?

    What bodes ill is the morality police thinking the ends justify the means.

  • sasob||

    You mean the ends don't justify the means? That, itself, sounds a lot like a moral judgement to me, hotshot.

  • Trevor St McGoodbody||

    Did anyone here say that right and wrong don't exist?

    We're asking whether doing something wrong to expose another person's wrongdoing is itself justified.

    And, frankly, that's the best-case scenario. Some people joined the site with the full knowledge and consent of their spouses, and possibly WITH their spouses.

  • Bubba Jones||

    Those people are unlikely to be harmed by this release. Especially in the commonly available form of searching for someone's email address.

    I'm stunned by the morons who didn't use a bimbo address.

  • Trevor St McGoodbody||

    They can be harmed with friends, colleagues, family members, etc. Their spouses won't care, obviously.

  • ||

    Did anyone here say that right and wrong don't exist?

    We're asking whether doing something wrong to expose another person's wrongdoing is itself justified.

    You're asking baselessly, without considering the consequences. The only way to prevent doxing is with just-as-if-not-more evil regulations on free speech, free association, and individual ability to contract.

    OK, doxing is The One, True Evil© who gets to decide what can/can't be doxxed and when?

  • Trevor St McGoodbody||

    I don't think you understand my position. The complaint isn't that people spoke freely. The complaint is that they broke in and revealed information they didn't have a right to see in the first place. Is that what occurred? Is it not? Please, tell me why you think so or don't think so.

    And I am not really proposing a legal remedy. I'm talking about ethics. And most importantly, I am responding to the idea anyone who defends the privacy of Ashley Madison users must not think adultery is immoral, as though there can't be an objection to means of finding out information unless we just really, really think lying to your spouse and having an affair is great.

  • Atma||

    Pretty much this.

    And there may, in fact, be a legal remedy. I'm surprised no one has talked about the tort of public disclosure of private facts. All the elements seem to fit, but I confess to not being well-versed in this aspect of the law.

  • sasob||

    Trevor St McGoodbody|8.25.15 @ 12:11PM|#

    Did anyone here say that right and wrong don't exist?

    Berserkerscientist seems to think they shouldn't exist - or that they should be of no consequence. It's pretty easy to understand: consequences are only for the suckers and other shmucks whom the special snowflakes like to prey on and take advantage of. Amirite?

  • Nonstopdrivel||

    Morals and integrity? Since when is it moral and integritous (I love that unword) to trespass on another's property—physical or electronic—for the purpose of dredging out dirt to fuel one's own overweening sense of moral outrage?

  • Fisthardcheese||

    This.

  • Atma||

    This.

  • DenverJ||

    You know who else had a mistress?

  • ||

    Can I find out under the '20 Celebrities Who Started Out as "The Other Woman"' link?!?!

  • Unicorn Abattoir||

    K-9?

  • Sirius Slayton||

    Hitler...or Bill Clinton?

  • Loki||

    A common password was "Pass1234."

    *facepalm* I'm guessing "Guest" was another popular choice.

  • Nonstopdrivel||

    you’ve almost certainly articulated an opinion that could offend a future co-worker and perhaps throw your job in jeopardy.

    Which raises a couple of interesting questions. First, does Reason allow search engines to index its comment sections? Most commenting plugins give web admins the choice whether or not to allow spiders to crawl their comment sections. Second, if a member deletes an account, do the comments disappear as well, or do they persist? If they are deleted, how long do traces remain in Reason's backup system before they're cycled out?

  • Kwix||

    First, does Reason allow search engines to index its comment sections? Most commenting plugins give web admins the choice whether or not to allow spiders to crawl their comment sections.


    A) Yes, both Google and Bing (for sure) index these stories and comments.
    B) The "DoNotAllow" rule in a spiders.txt file is just a handshake agreement. Like a wedding ring, honest spiders are honest and cheaters will cheat.

    Second, if a member deletes an account, do the comments disappear as well, or do they persist? If they are deleted, how long do traces remain in Reason's backup system before they're cycled out?


    Comments stay here, though I've seen some usernames "disappear", presumably as the account has been deleted.

    As has been stated many times in many places; always assume that if you post something to the web it's here for life.

  • Nonstopdrivel||

    It's not a smart idea to marry someone who cheated on their ex to be with you: anyone willing to sneak around on their ex for you will be just as willing to sneak around on you for their next.


    The same concept applies here. Those of you applauding these hackers for exposing the folks you consider moral degenerates need to remember that what's good for the goose is good for the gander. In other words, you could be next. Anyone ruthless and unscrupulous enough to break laws in order to expose adulterers won't hesitate to target another demographic you just might find yourself in. You better hope you've never emailed your buddy a lewd joke. You better hope you've never sent your wife a sexually explicit text and she's never slipped you a scantily clad selfie. (In which case, God have mercy on your poor sex life.) You better hope some of the more outrageous comments you post on Reason never get associated with your real name.


    Just as we can vote against smoking bans on philosophical grounds while selfishly enjoying the positive effects that accrue from them (yay, my clothes don't smell like smoke when I go out!), so also it's entirely possible to enjoy the discomfiture of philanderers while simultaneously condemning the tactics used to expose them. There's nothing intellectually inconsistent about that.

  • sasob||

    You better hope ...

    You better hope you aren't a dishonest phony or pretending to be someone you aren't.

  • Cocoa Toasters||

    I can't say I feel bad for the people who used the site. You cheat on your spouse, you deserve something like this happening to you. If you want to be sexually active with more than one person, fine. Don't do it while married then. If you can't control your urges and stay faithful to your spouse then maybe you shouldn't get/be married.

    Pfft, says someone who has never been married...

  • ashliedriscoll||

    Start working at home with Google! It’s by-far the best job I’ve had. Last Wednesday I got a brand new BMW since getting a check for $6474 this - 4 weeks past. I began this 8-months ago and immediately was bringing home at least $77 per hour. I work through this link, go to tech tab for work detail,,,,,,,

    http://www.homejobs90.com

  • Bruce D||

    It's a scam. You'll never get paid. All you'll do is spend hours polluting the internet with stupid solicitations.

  • Non-ideologue||

    What discourages is the astounding indifference that government and the private sector show toward data security. A few years ago (2013? whitehouse.gov / issues / foreign-policy/cybersecurity ) Obama made cybersecurity the nation's #1 national security priority. That was far too late to demonstrate even basic competence, but late is better than never. Since then, the IRS, office of personnel management and who knows what else have been hacked. The private sector is no better ( heritage.org/research/ reports/2014/10/ cyber-attacks-on-us-companies-in-2014 ). If it costs a penny extra, businesses won't take security seriously. It takes incidents like the massive Target hack to nudge brain dead dinosaurs into action.

    Well, business is amoral and the public sector is inept. Between the two, the interesting question is whether the cost to the American economy is hundreds of billions or trillions. There is no way to know. Businesses won't confess, fearing lawsuits and bad publicity. It is time for regime change. Liberals, conservatives and their subjective ideologies and values have failed. It is time for objectivism ( ivn.us/2015/08/21/ opinion-america-needs-move-past- flawed-two-party-ideology/ ). It can't possibly do any worse than the garbage the worthless left and right has delivered.

  • missmao||

    Amen.

  • sasob||

    Indeed.
