Ashley Madison Hack

Does Ashley Madison own your Extramarital Sex Life?

Not everyone thinks adultery is a bad thing, and even people that condemn it can harmlessly indulge in fantasizing about a romantic, extramarital fling. It’s a niche that dating website Ashley Madison (AM) exists to fill. But even adulterers don’t want everyone to know about their marital infidelity – particularly their significant others. That’s why AM has gone to great lengths to market the value of privacy in these matters.

Look at the image from their homepage. It doesn’t have over 37 million members – it has over 37 million “anonymous” members. It’s not the world’s leading married dating service – it’s the world’s leading married dating service for “discreet” encounters. It has numerous security and media accolades to reinforce their credibility in this matter.

What’s not on the homepage is that AM and its parent company were recently hacked.

The data breach has the potential to expose over 37 million people’s affairs to the public, and as this blog post suggests, could lead to significant numbers of divorces, domestic disputes, and general marital angst.

Anonymity Sells Adultery

The possibility of anonymous sexual encounters, safe from the prying eyes of significant others, is the product AM sells to its customers. Trying to create a “safe” online environment for something as taboo as marital infidelity necessitates anonymity, and a data breach of this magnitude shatters that trust. Impact Team, the hackers claiming responsibility for the attack, posted a statement outlining some of the data they’ve collected from AM’s 37 million users:

“We will release all customer records, profiles with all the customers’ secret sexual fantasies, nude pictures, and conversations and matching credit card transaction, real names and addresses…”

Nude pictures. Sexual fantasies. Real names and addresses. Credit card numbers. A lot of this sounds like deeply private and personally identifiable information (PII). It doesn’t seem like people are really taking steps to protect their identities if they’re sharing this kind of information. And AM’s privacy policy and terms and conditions don’t exactly go above and beyond the minimum standards for privacy protection (and nobody reads them anyway). A few issues include:

AM will provide physical and email addresses to “trusted third-parties” so “they can offer goods and services that we believe may be of interest or benefit to our users”.

PII and metadata can also be provided to other parties that help them provide the service, or provided to companies that buy or join AM’s parent company (a common weakness in many websites’ privacy policies).

AM creates profiles that “allow us to collect messages, instant chat and/or replies from individuals or programs for market research and/or customer experience and/or quality control and/or compliance purposes. Further, we may use these profiles in connection with our market research to enable us to analyze user preferences, trends, patterns and information about our customer and potential customer base. You acknowledge and agree that some of the profiles posted on the Site that you may communicate with as a Guest may be fictitious”.

So anonymity is really not a huge part of the user’s experience of AM, nor is it as firmly entrenched in their service as their homepage implies. It’s really difficult to see AM as respecting the privacy of its users.

Fantasies and Ransoms

Online profiles are significant tools that people use to enact their identities online, and their creation is key to many social networking and dating sites. AM allows people to enter personal information, sexual likes/dislikes, post both public and “private” photos, etc. However, in exchange for allowing you to post a profile on their website, their terms and conditions say they assume ownership of this content.

Screenshot from Ashley Madison’s Terms and Conditions

Well, they don’t own it, but you have no right to identify yourself as the author of the content. Nor do you have the right to control what they do with your images, writings, messages, conversations, etc.

Profiles are interesting because they allow people to perform a role they want to play in a social event. Zizi Papacharissi’s 2011 book A Networked Self: Identity, Community, and Culture on Social Network Sites suggests that many researchers study social networking sites to gain insights into how people construct identities and manage people’s impressions. Many of the studies in the book found online identities to be highly positive “idealized” representations of people, which is consistent with what researchers have discovered about online identities. But Papacharissi notes that this is now problematic, as copyright laws essentially give websites a degree of ownership over these idealized representations. Just as in the case of AM.

Now hackers have stolen these adulterers’ fantasy versions of themselves, but these profiles belong to AM – not the users that created them. And AM has taken action, and successfully* used the Digital Millennium Copyright Act to delete some of the data Impact Team posted online.

So your sexual fantasy persona is supposedly safe and sound, because it is now part of AM.

AM usually charges people to have their profiles completely removed (referred to as Complete Profile Removal), which means they could essentially keep your ideal self for as long as they saw fit. Some reports attributed this, as well as the misleading nature of the Complete Profile Removal, as the reason for the attack. If that was the motivation it appeared to have worked – AM will now let people exercise this option for free. However, it seems to have taken a group of hackers holding the private data of over 37 million people hostage before AM woke up to the fact that their behavior reflects other trends in online extortion.

Whether AM’s claims of copyright infringement and other retaliatory measures will be enough to keep a lid on this remains to be seen. However, what this hack makes perfectly clear is that AM is right in that life is short, but your affairs can last forever if they get leaked online.

Image: Screenshot from

Edited to add: The hackers have apparently mitigated AM’s attempt to prevent the data from spreading.

More posts from this topic


The 5 Minute Guide™ to App Store Security and Privacy

Mobile devices have largely avoided the malware outbreaks that have plagued PCs for decades now for a simple reason -- app stores. Nearly all -- or even all -- the software that's on your phone or tablet now came through these official portals, where they endured some degree of vetting. But this doesn't mean it's impossible to have your security or privacy compromised by bad apps. Here's a quick run-through of the basics you need to know to keep the data on your mobile device safe and private.

1. Stick to the official app stores.

If you have an iOS device, you can only use the official App Store, unless you "jailbreak" your device and take your security into your own hands. Android users, however, have more freedom. And with freedom, there's a little danger. "Anything ending in .apk might be malicious," Tom Van De Wiele, F-Secure Security Consultant, tells me. "So the official Google Play store is the only place you should get your apps." He offers a simple metaphor to remember this concept: "You don’t pick up shiny food from the street and put it in your mouth either, no matter what the promise is." In case you missed the point: The Play store is the clean table -- everywhere else is the grimy, filthy floor.

2. ANDROID USERS: Make sure to block downloads from "Unknown sources".

"Phishing campaigns are focussing on providing .apk files to unsuspecting victims by email, SMS, MMS, Skype and other means," Tom says. He recommends you avoid these scams by blocking downloads from unknown sources. To do this: Navigate to your Android phone’s home screen. Tap the Android "Menu" button. Choose "Settings". Open "Applications". Make sure there is no green check mark next to the Unknown sources item. If there is a green check mark next to Unknown sources, disable the setting.

3. ANDROID AND IOS USERS: Don't assume that your apps have been vetted for privacy.

"It is not in Google’s interest to remove a lot of apps as they generate advertisement revenue for Google," Tom says, adding that the Play store doesn't do nearly as much vetting for malicious apps as the Apple iOS store does and instead opts for a “clean-up-as-you-go model." But that doesn't mean iOS apps are completely nuisance free. "Apple has the 'walled garden' of trying to control what they can when it comes to their application eco-system," he says. "This does not take into account apps that invade your privacy by asking you, for example if the app can 'access the address book', which will result in sending the contents of the address book to a remote location." You have to check the app permissions yourself to avoid these data-farming apps.

4. Look out for "bait ware."

Both app stores have been plagued by what Tom calls "bait ware". These are apps "where the user is fooled into generating a lot of advertisement revenue by randomly popping up ads, fake buttons and other arbitrary functionality." New parents need to especially be on the lookout for these apps. "This is especially prevalent in baby and toddler applications which look very enticing to download and try but are merely empty husks with interwoven advertisement." Why do these apps prosper despite their dubious quality? Tom says, "Both Apple and Google are reluctant to remove them as it becomes a slippery slope on where to draw the line between sincere and malevolent behavior of an application."

5. "Walled gardens" aren't perfect solutions so check reviews and be suspicious of newer apps.

Google's approach invites malicious apps to occasionally appear in its store. Often they're imitations or clones of much more popular apps. This is much, much more rare in the iOS App Store, but it has happened. To preserve your security, privacy and disk space, do some basic due diligence and check the reviews to see if they seem real and offer some substantive testimony that the app is legit.
[Image by PhotoAtelier | Flickr]

January 17, 2017

5 Must-Read Online Privacy Articles from 2016

A great deal has happened within the online privacy sphere in the last 12 months. The subject has become a genuinely hot topic, and we have done our best to dissect relevant industry issues into an easily readable form while reporting directly from the eye of the storm, so to speak. Here are five essential reads to get you up to speed on the state of online privacy, VPN, and related topics.

An Open Letter to Businesses who Block VPN on Their Wi-Fi Networks

Ultimately, allowing the use of VPN on your Wi-Fi hotspot is your call. However, if you truly care about your customers, don’t be in the minority of businesses that forces them to give up their online security and privacy while browsing on your network.

A Twitter user asked us a question that inspired our most viral article of the year, as well as the video response we produced as a follow-up. In the post and video, we emphasize the fact that companies end up shooting themselves in the foot by putting their customers’ security at risk. If you ever come across this consumer-unfriendly practice, we urge you to share the article and/or video! Read the full article here.

How Does Encryption Work?

“. . .It’s easy to forget that easy access to encryption greatly benefits even normal web users like you and me.”

Our widely shared article on encryption exhibits a 360-degree view on encryption, providing readers with an overview of its history and a straightforward explanation of how modern VPNs ingeniously work to protect your privacy. If you’re interested in learning what’s under the hood of online privacy, this article is for you.

4 People Who See What Porn You Watch

“A large majority of web users are lulled into a false sense of security by Incognito mode or private browsing, but this is only one of the steps needed toward becoming private online.”

Many things take place “behind the scenes” on the Internet – these are things that we can’t see and therefore don’t think about. This admittedly attention-grabbing headline was meant as a wakeup call to the fact that adult content browsing histories aren’t as private as most people would like to think. Read up on a few people who have access to your porn browsing history, as well as some quick tips that can help prevent snooping.

Privacy, Patriotism and PR: The Case of Apple vs. FBI

“In this debate, privacy, patriotism and public relations are just some of the factors influencing a public discourse that has shifted to reflect new and often clashing attitudes towards encryption.”

The Apple Vs. FBI case was the Clash of the Titans between privacy players that dominated mainstream news outlets throughout the first half of 2016, with ripples that are sure to affect the dynamics between companies and governments for years to come. We made a conscious effort to explore the issue from every possible angle, and the article is still a very relevant read.

Why Do Newspapers Spy on You?

“The longer something on the Internet is free, the harder it will be to make people start paying for it.”

Who pays for a product that costs something to make but is free for the customer? In this article, we look at the idiosyncratic purchasing habits of modern web users and why these habits have led news websites and other services to sacrifice their visitors’ privacy in order to stay in business. This piece is good food for thought for all consumers of online news.

January 13, 2017

Mikko Hypponen: ‘Data is the New Oil’

"I believe data is the new oil," F-Secure's chief research officer Mikko Hypponen says. "And just like oil brought us both prosperity and problems, data will bring us prosperity, and problems."

We're just beginning to understand how so-called "big data" is changing everything, even medical care. A new report from the Century Foundation reveals how the private information we share with practitioners gets anonymized and then mined. That information combined with metrics from search engines and wearables can then be melded for "predictive analysis" which is able to project behavior with “a surprising degree of accuracy," despite laws meant to protect medical privacy. Presumably these learnings could be used to make us healthier but they could also be used to deny us treatments or insurance coverage.

And while we worry about government surveillance, many of us voluntarily share our thoughts, pictures and intimate details about our lives with Facebook, which then purchases more information about us from third-parties to make sure the ads we see are even more effective. Mikko has noted that Twitter connects our offline data to our profiles through our phone number. So when you share your mobile number for a proactive reason, such as activating two-factor authentication or account recovery, we're also feeding the data beast to make ourselves even more profitable to the sites we use.

And then there's the Internet of Things, which is coming into your home whether you like it or not. "You will buy whole appliances and you won't even know they are IoT appliances. I mean, you go and buy a toaster and there is an IoT feature... Why would you even need IoT features in a goddamn toaster?" Mikko asks. "But it's going to be online anyway. Why? Because it's going to be so cheap to put it online. And the benefits it creates are not benefits for you, the consumer, they're benefits for the manufacturer. Because now they can collect analytics."

Our Freedome VPN team has found that when it comes to connecting with free Wi-Fi, people are willing to give up almost anything -- even their first born.

Data. On one hand, prosperity and opportunity. On the other, problems and problems we haven't yet imagined. That's why controlling our personal information matters more than ever. Data Privacy Day -- held annually on 28 January -- is an international effort to get people around the globe to think about the importance of controlling what we share. To mark the day, Mikko will be doing a Reddit IAmA on the day before -- 27 January -- where you can ask him anything and our Freedome VPN team will be in the streets spreading the word about the importance of privacy. To prepare you can read Mikko's recent Q&A session on Quora and feast on this playlist of dozens of talks and interviews he's given.

January 12, 2017