Not everyone thinks adultery is a bad thing, and even people that condemn it can harmlessly indulge in fantasizing about a romantic, extramarital fling. It’s a niche that dating website Ashley Madison (AM) exists to fill. But even adulterers don’t want everyone to know about their marital infidelity – particularly their significant others. That’s why AM has gone to great lengths to market the value of privacy in these matters.
Look at the image from their homepage. It doesn’t have over 37 million members – it has over 37 million “anonymous” members. It’s not the world’s leading married dating service – it’s the world’s leading married dating service for “discreet” encounters. It has numerous security and media accolades to reinforce their credibility in this matter.
The data breach has the potential to expose over 37 million people’s affairs to the public, and as this blog post suggests, could lead to significant numbers of divorces, domestic disputes, and general marital angst.
The possibility of anonymous sexual encounters, safe from the prying eyes of significant others, is the product AM sells to its customers. Trying to create a “safe” online environment for something as taboo as marital infidelity necessitates anonymity, and a data breach of this magnitude shatters that trust. Impact Team, the hackers claiming responsibility for the attack, posted a statement outlining some of the data they’ve collected from AM’s 37 million users:
“We will release all customer records, profiles with all the customers’ secret sexual fantasies, nude pictures, and conversations and matching credit card transaction, real names and addresses…”
–AM will provide physical and email addresses to “trusted third-parties” so “they can offer goods and services that we believe may be of interest or benefit to our users”.
–PII and metadata can also be provided to other parties that help them provide the service, or provided to companies that buy or join AM’s parent company (a common weakness in many website’s privacy policies).
–AM creates profiles that “allow us to collect messages, instant chat and/or replies from individuals or programs for market research and/or customer experience and/or quality control and/or compliance purposes. Further, we may use these profiles in connection with our market research to enable us to analyze user preferences, trends, patterns and information about our customer and potential customer base. You acknowledge and agree that some of the profiles posted on the Site that you may communicate with as a Guest may be fictitious”.
So anonymity is really not a huge part of the user’s experience of AM, nor is it as firmly entrenched in their service as their homepage implies. It’s really difficult to see AM as respecting the privacy of its users.
Online profiles are significant tools that people use enact their identities online, and their creation is key to many social networking and dating sites. AM allows people to enter personal information, sexual likes/dislikes, post both public and “private” photos, etc. However, in exchange for allowing you to post a profile on their website, their terms and conditions say they assume ownership of this content.
Well, they don’t own it, but you have no right to identify yourself as the author of the content. Nor do you have the right to control what they do with your images, writings, messages, conversations, etc.
Profiles are interesting because they allow people to perform a role they want to play in a social event. Zizi Papacharissi’s 2011 book A Networked Self: Identity, Community, and Culture on Social Network Sites suggests that many researchers study social networking sites to gain insights into how people construct identities and manage people’s impressions. Many of the studies in the book found online identities to be highly positive “idealized” representations of people, which is consistent with what researchers have discovered about online identities. But Papacharissi notes that this is now problematic, as copyright laws essentially give websites a degree of ownership over these idealized representations. Just as in the case of AM.
Now hackers have stolen these adulterers’ fantasy versions of themselves, but these profiles belong to AM – not the users that created them. And AM has taken action, and successfully* used the Digital Millenium Copyright Act to delete some of the data Impact Team posted online.
So your sexual fantasy persona is supposedly safe and sound, because it is now part of AM.
AM usually charges people to have their profiles completely removed (referred to Complete Profile Removal), which means they could essentially keep your ideal self for as long as they saw fit. Some reports attributed this, as well as the misleading nature of the Complete Profile Removal, as the reason for the attack. If that was the motivation it appeared to have worked – AM will now let people exercise this option for free. However, it seems to have taken a group of hackers holding the private data of over 37 million people hostage before AM woke up to the fact that their behavior reflects other trends in online extortion.
Whether AM’s claims of copyright infringement and other retaliatory measures will be enough to keep a lid on this remains to be seen. However, what this hack makes perfectly clear is that AM is right in that life is short, but your affairs can last forever if they get leaked online.
Image: Screenshot from http://www.ashleymadison.com
Edited to add: The hackers have apparently mitigated AM’s attempt to prevent the data from spreading.
F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click…
April 18, 2018