You may be aware that Ashley Madison, a “discreet” online dating site targeted primarily at cheating spouses, was recently hacked. The site has garnered controversy for many years, largely by running ads like these:
The hackers, who call themselves as “The Impact Group” are threatening to release data on millions of users (including compromising images and personal information) if the site isn’t taken down by its parent company, Avid Media Life, which owns a number of other hookup sites.
The motive for the hack appears to be a moral objection to the operations of the site itself, although it would be naive to count out the possibility that the real objective is blackmail, and the hackers are simply trying to confuse the issue.
All 37 million users may be affected, as well as any past users – including those who have deleted their account. AML has stated publicly that their internal investigation is ongoing, and they believe they have a good idea of who is behind the hack. According to AML CEO Noel Biderman,
“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication […] I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
So far, the coverage of this issue has been a little, well, call it snide. There’s a general sense that this is not a serious issue, and even a degree of support for the hacker, including from large publications like the Daily Mail. The sense, in general, is that the victims of the hack got what was coming to them. Today, I’d like to talk about why this reaction is irresponsible, and misses a much larger issue that we should be concerned about.
Two days ago, a man claiming to be a gay Saudi posted to Reddit asking for help. As a user of Ashley Madison, he faces execution if his name and photographs (some of which depict acts of homosexual sex) become public. If his story is true, he’s far from alone: the anonymous, discreet nature of sites like Ashley Madison obviously appeals to gay people, especially in jurisdictions where gay sex is criminalized. There have already been executions for homosexuality this year. In fact, Saudi Arabia has been stepping up its executions this year, calling it a ‘streamlining of the justice system.’
The anonymous Reddit user posted,
“I am from a country where homosexuality carries the death penalty. I studied in America the last several years and used Ashley Madison during that time. I was single, but used it because I am gay; gay sex is punishable by death in my home country so I wanted to keep my hookups extremely discreet. I only used AM to hook up with single guys.[…] I AM ABOUT TO BE KILLED, TORTURED, OR EXILED. AND I DID NOTHING WRONG.”
This is horrifying, but gay users of Ashley Madison are not the only people who don’t fit the ‘get what they deserve’ narrative. What about jurisdictions where divorce is illegal? What about abusive relationships, where a spouse may not feel physically safe to ask for a divorce? What about people who made an account, but ultimately opted not to go through with it? Do all of these people deserve to be outed? Because if this information is publicly released, they will be.
In the hackers’ manifesto, they are less than sympathetic to the plight of the site’s millions of users,
“Too bad for those men, they’re cheating dirtbags and deserve no such discretion […] With over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
Obviously, it’s unlikely that the hackers gave specific thought to these situations when they wrote that – but that’s exactly the problem. These hackers are vigilantes, not responsible guardians of data entrusted to exercise good judgement. They were never trusted with all of this sensitive information, and for good reason!
Hearing about this hack and saying ‘good for them’ is missing the point. The story here isn’t about cheaters being outed, it’s about just how little the companies we trust respect our privacy. Ashley Madison failed in their obligation to protect the privacy of their users – on a colossal scale. And they aren’t the only ones.
A Pattern of Neglect
In late May, a hacker gained access to the database of Adult Friend Finder, a hookup site – allegedly blackmailing the site for $100,000, and posting the data online. In response, a different hacker named Andrew Auerenheimer began outing public figures at random on Twitter, including details of their sexual habits. Those outed included an FAA employee, and a Washington Police Academy commander. The information on more than 3.5 million users is freely available online. And, I stress, this is not a ‘cheating’ website. These people, for the most part, did nothing wrong – and yet they find themselves publicly humiliated anyway.
It’s not just these two sites, either. Just two months ago, a blogger who goes by the name Mircea Popescu noticed that the fetish-oriented dating site FetLife did not correctly protect its database from external users, allowing anyone with basic coding knowledge to mine it and collect a master list of all profiles, images, and videos. Popescu used this to create what he refers to as the “FetLife Meatlist” – a list of thousands of female Fetlife users under 30, for purposes of public shaming.
Ironically, this is the second time I’ve run across Popescu in my writing. Popescu is a member of a group who call themselves “The Bitcoin Lordship,” who opposed a necessary increase in the Bitcoin block size for some very silly and shortsighted reasons. I remember thinking that he in particular was an ugly combination of paranoid, narcissistic, and downright mean. I now feel somewhat vindicated in that assessment, and more than a little gratified that his blog seems to have shutdown in the ensuing mess.
Trust me: nothing of value was lost.
However, again, focusing on the hacker’s motives (nasty though they may be) is missing the point. Serial philanderers and sociopaths, as colorful as they are, are distractions from the real story here, which is how profoundly these sites have failed to provide even the most basic and necessary computer security.
FetLife brags in their advertising material that they have a “Fetish for security,” and emphasize their use of SSL. Secure Socket Layer is a web-wide standard, used by practically every website and the browsers of their users. In reality, anyone with a basic knowledge of web scripting can (legally!) scrape every piece of information from FetLife’s website, since they’ve gone to no trouble to protect it. Ashley Madison and Adult Friend Finder are guilty of similar security sins.
These sites (and likely many others that have not yet come to light) have been negligent beyond belief, given the sensitivity of the information they handle. Sharing opinions and making judgements on the victims’ sex lives is not going to solve this problem..
Have you been affected by the hacks of these online dating sites? Concerned about the security of our personal information online? The discussion starts in the comments!