The biggest lesson from Ashley Madison is about security, not fidelity

Life’s short. Use PGP.

Once IPO bound, Ashley Madison is almost certainly doomed to shutter following a ruinous hack. As an early indication of its inevitable shutdown, parent company Avid Life Media announced yesterday that CEO Noel Biderman is stepping down.

Likewise, its 37 million users may never recover from having their most private thoughts and fantasies spread around the Web.

The website that helps married people have extramarital affairs promised discreet encounters and robust security. It even had a “full delete” service that purported to delete “all traces of your usage” for a fee. And even after the attack, the website still flaunts a gold and purple medallion icon with the words “trusted security award” next to it.

Last week a group calling themselves the Impact Team released 32 gigabytes’ worth of data pulled from Ashley Madison’s servers. The leaked data has already resulted in six lawsuits in the U.S. and two in Canada, many of which are seeking class action status. Considering that 37 million accounts were affected, Avid Life Media, Ashley Madison’s parent company, is only likely to see more suits.

Legal costs

Even if none of these cases win, the mounting legal battles are likely to drain Avid Life’s cash reserves.

Earlier this year, Target paid out $10 million in damages to settle a class action lawsuit over a data breach that took place in 2014. Home Depot meanwhile is still fighting a consolidation of class action lawsuits. Already, Ashley Madison is facing more than half a billion dollars in damages. In addition to legal costs, the company, which reportedly earned $115 million in 2014 revenue, is likely to see a drop in its paying user base in the wake of the attack.

On top of class action lawsuits, Avid Life Media could face scrutiny from the Federal Trade Commission, which was recently granted the ability to look into instances of unfair trade based on poor security infrastructure.

Legal framework

Traditionally, there’s very little legal framework for consumers seeking recourse from cybersecurity incidents. Damages from a hack can be hard to prove. For instance, if a person’s financial information was stolen during a hack, but hasn’t been used, it’s difficult to assess potential financial loss. In the case of Ashley Madison, how do you calculate the damages incurred as a result of leaked information about a potential affair? Plus, most companies aren’t obligated to secure user information unless it’s a health care business or a financial institution regulated under the Health Insurance Portability and Accountability Act and the Securities and Exchange Commission, respectively.

However, there is an interest among members of Congress and the White House to build just such a framework. A number of cybersecurity bills have been introduced to Congress over the past 10 years, though meaningful legislation articulating for what companies are liable in the event of a hack has yet to materialize. The two cybersecurity bills currently on the table in the House (H.R. 624) and Senate (S. 754) are more focused on allowing companies and the government to share information about breaches and security measures than providing consumers with legal protections.

Now, because of the outcome of an FTC case against Wyndham Worldwide, consumers might have a bit more support. An appeals court ruled in favor of the FTC, which accused Wyndham of “failing to safeguard consumer data.” What it means is that under certain circumstances, the FTC can penalize companies for not implementing a certain standard of security.

“It wouldn’t apply to a malicious, determined hack that got through industry-standard security. It probably wouldn’t even apply to a lot of security breaches caused by negligence. What it would apply to is companies that just take a passive, haphazard approach to data security,” said Josh King, general counsel at Avvo, an online legal advisor.

Ashley Madison didn’t do much to prove the identity of its members. Registering for Ashley Madison only required an email address, and it’s possible a number of accounts were created under dubious circumstances (created for blackmail and other reasons).

Failing to provide a reasonable identity verification process could easily fall within the purview of the FTC, thanks to the Wyndham case. But, even if Ashley Madison’s security is up to snuff, the company still might attract the gaze of the FTC for promising services it did not deliver.

Not only did Ashley Madison boast about top-notch security and then fail to protect its unpaid users, it also neglected to comprehensively delete user profiles covered under its “full delete” service. Internal data reveals that Ashley Madison retained GPS coordinates, date of birth, as well as height and weight even for users who paid $19 to have their information deleted from its servers.

There are also questions about whether Ashley Madison stocked its user base with fake accounts meant to goad male users into spending more money.

Cultural implications

One way or another, Ashley Madison users will have their day in court. However, whatever recompense they’re ultimately offered will probably not add up to their losses. Money can’t make up for the emotional effects of divorce or even greater losses that have occurred as a result of the hack.

“There are a lot of ancillary effects,” said King. “It reinforces why it’s so important for people to take their privacy seriously when they’re dealing with sensitive stuff.”

King noted that because the Ashley Madison incident has obtained such a high level of visibility among prurient Americans, it stands to teach them a lesson about online security. “You can’t just rely on the privacy policies of these companies,” he said; you have to secure yourself.
 
Despite two years of persistent data breaches at major companies, many U.S. consumers still haven’t taken precautions with their personal data online. While Americans don’t seem motivated by having their financial information stolen, they may, as John Oliver once astutely pointed out, be more inspired by leaks of their most personal data — their dick pics.

The Ashley Madison hack shows a holistic picture of just how much information people are willing to turn over to companies even though they are often under no real obligation to protect that information. This isn’t about handing over your dick pics and credit card information; it’s about entrusting a for-profit company with your deepest fantasies and thoughts.

Perhaps the breadth and the nature of the Ashley Madison hack will have Americans running to encrypt their email or even start using sites that don’t track, such as DuckDuckGo. Could 2015 kick off the Year of the Black Phone, or herald a large uptick in preventative measures taken to effectively hide our identities online?

Unlikely, said Malwarebytes security analyst Adam McNeil. “Events such as the disclosure of data from Avid Life Media should make consumers more aware of the potential dangers of sharing personal information with online entities, but the pessimistic reality is that it probably won’t.”

He said similar leaks of private photos from iCloud and Snapchat could have woken Americans from their optimistic apathy — and yet, here we are.

“While events should cause consumers to embrace the notion of online security (and security in general), history has shown that it probably will not.”