Ashley Madison and the price of getting things wrong

Enrique Dans

The publication online of the complete database of subscribers to Ashley Madison, a site that facilitates extra-marital flings, shows what happens when a company gets it wrong — and I’m not talking about morality here — and forgets about good practice.

Avid Life Media, which owns Ashley Madison and Established Men, was told by a group of hackers that unless it closed down the two sites, the group would publish 60 gigabytes of data about some 33 million accounts, whose authenticity has been verified. The group has since done so: if you want to check whether you or your partner is on the list, you can do so via this page by entering an email address.

The hack could have major repercussions, not just for the company (its brand has been heavily damaged and it could face legal action), but also for its users. The intrusion and the amount of information stolen were small in comparison to previous ones at other sites, but the nature of the service makes the implications far more dangerous. Once again, leaving moral judgments aside, we need to bear in mind that Ashley Madison is a shambles in every sense: not only did it manage a highly sensitive database without any checking procedures, meaning that any email address could be entered on the site, including one that does not belong to the person entering it, without any verification, but the company also charged for a “full delete” option that it never actually provided.

The data the hackers have published includes not only names and emails, but also a significant amount of personal information, such as whether an account has been opened using a false name and a different email address, which could eventually be ascertained using a range of personal questions. And if you are an Ashley Madison user, don’t bother hiring a hacker of your own to remove your name from the database: you’ll just be wasting your money.

The publication of the database once again opens the highly relevant debate about what responsibilities we should demand from certain online activities: nobody is safe from intrusion or cyber-theft, in the same way that nobody is safe from burglars, but surely a certain level of protection can be expected, bearing in mind the sensitivity of the information in this case.

Ashley Madison got just about everything wrong: its encryption was weak, numerous poor practices were evident, and the way the service was advertised made it a likely target sooner or later. Its own founder, Noel Biderman, had joked publicly about what might happen if the database were ever published, but obviously did nothing to address the possibility.

What responsibilities should a site like Ashley Madison face for advertising that its services are subject to all kinds of guarantees, and then failing totally to provide those guarantees? Aside from having to deal with the immediate, and completely logical, collapse of its business, and likely closure, the company will face an avalanche of lawsuits related to its demonstrable malpractice and supposed guarantees of secrecy and discretion, which have been shown to be worthless.

There is no point arguing about whether the Ashley Madison hack was carried out by criminals or whether those responsible are moral guardians fighting the site’s manifest sexism: the only discussion here is about what happens when a company goes about things the wrong way.

UPDATE: A new collection of files, twice the size of the original, has just been published that includes not just user information, but internal documents and messages from its founder, Noel Biderman.

(In Spanish, here)


Enrique Dans

Professor of Innovation at IE Business School and blogger (in English here and in Spanish at enriquedans.com)