Journalists shouldn’t be rushing to out alleged cheaters named in a dump of data from infidelity website Ashley Madison, according to privacy commissioners in Australia and New Zealand.
Yesterday a mysterious group calling itself The Impact Team made good on a threat it made in July to dump the 10GB worth of confidential customer data from Avid Life Media, the parent company of infidelity website Ashley Madison, relating to some 37 million customers who had used the service. The group had threatened to release the data unless Avid Life Media shut down Ashley Madison and its companion sugar daddy website Established Men.
The group’s statement said: “We have explained the fraud, deceit, and stupidity of ALM and members. Now everyone gets to see their data.”
The 10GB worth of data, which included usernames, email addresses, sexual preferences, and, if they paid using a credit card, the last four digits of users’ credit card numbers, plus names and addresses, made it onto the dark web and onto torrent websites.
“I’m sure there are millions of Ashley Madison users who wish it weren’t so, but there is every indication this dump is the real deal,” security researcher Brian Krebs said yesterday.
It doesn’t take long for leaks to be downloaded and parsed into a searchable format for the average user, and the leak has already spawned several websites where users can search for specific email addresses to see if they, or someone they know, is on the website. Many are suggesting the leak will be a boon for divorce lawyers.
As potentially millions of men — reports are that around 97% of users of the site were men — stress about getting caught on the website, the media’s role in reporting the hack has been varied.
While reports on leaks, and websites for discovering whether certain people are compromised, are an almost weekly event, in the past they have related to relatively uncontroversial services, like Target or Adobe. The leak of Ashley Madison data is much more personal, revealing scintillating details about individuals, and it has the potential to ruin lives.
That’s even without taking into consideration that much of the data is inaccurate.
One gossip website has already outed a prominent “family values” spokesperson in the United States as having two paid accounts on the website. Several news outlets have reported that there are more than 15,000 US government or military email addresses and hundreds of Australian government email addresses contained in the dump.
While the temptation for internet vigilantism against alleged cheating spouses and the associated schadenfreude will be strong and is already happening on websites like 4chan and elsewhere, the media is so far taking a more measured approach in reporting it. It is still early days, but although several have linked to sites where you can search for email addresses, most have been reluctant to out anyone in the dump, prefacing reporting on data contained in the leak with a note that it hasn’t been “independently verified” by the media outlet.
Security researcher Graham Cluley says journalists should tread carefully in reporting on the leak.
“Journalists and commentators would be wise to remember that the credentials stored by Ashley Madison must be considered suspect because of their shonky practices, even before you start considering whether any leaked databases are falsified or not,” he said in a blog post.
Cluley has warned that the leak could seriously damage those named, and could potentially lead to suicides.
One of the many, many flaws in the way Avid Life Media ran its operation — aside from the fact that Ashley Madison offered a service where customers could have all their data deleted for $15, and reportedly made $1.7 million in 2014 alone from this, while not actually deleting the data it was being paid to delete — is that when users sign up for an Ashley Madison account, they are not required to verify their email address.
This common process requires users to click on an emailed link sent to them by the website in order to verify their email address and continue with the sign-up process.
Without this process, people registering on Ashley Madison could use any email address they want to register. Others have pointed out that [email protected] is on the list, while a fake [email protected] is also on the list. Someone in Australia even attempted to register under an “[email protected]” email (yes, “ony”). If somehow you believe these could be legitimate, someone also registered using the email address “[email protected]”.
It’s only when those customers paid for a subscription to the site using their own credit cards that their personal details were compromised and could more likely be verified. As one relieved Ashley Madison customer put it on Reddit, “unless you paid with a credit card, or included personal identifying information in your username, password, bio, or other descriptive profile information, you are in the clear”.
Hundreds of thousands of Australians are likely to be caught up in the leak, with a data analysis showing Sydney, Melbourne, Brisbane, and Perth all in the top 25 list of cities with users on the site.
Acting Australian Information Commissioner (and privacy commissioner) Timothy Pilgrim told Crikey in a statement that media should be cautious in republishing the personal information found in the leak.
“The Office of the Australian Information Commissioner would urge those people reporting on the story to be cautious about republishing personal information that has been disclosed as part of this breach, or contacting individuals who have been identified in the published database,” he said.
“Initial reports suggest that some of the information contained in the published database is not accurate. Examples have already emerged of registered email addresses that contain the personal information of individuals who have not used the Ashley Madison site. Other standards or laws may also apply to journalists republishing personal information that has been exposed by this hack, particularly if there is no public interest justification in publishing individual details in order to report the wider story.”
Media organisations can claim an exemption from the Privacy Act regarding the publication of personal information if they are observing published, written standards that deal with privacy, such as the Australian Press Council’s Standards of Practice.
The standards call for media to avoid intruding on a person’s “reasonable expectations of privacy, unless doing so is sufficiently in the public interest”.
Professor of journalism and social media at Griffith University Mark Pearson told Crikey that an actionable right to privacy in Australia, coupled with a strong public interest exemption, would help protect the privacy of individuals and would restrain the media from revealing personal information where it wasn’t in the public interest.
“We have a void where celebrity affairs can be exposed if they are defensible as true, and we don’t yet have an actionable right to privacy,” he said.
“A right to privacy … would stop these outings of celebrities being reported but would allow public service journalism to be conducted on other issues, for example if someone’s private life is in some way related to their work, or it exposes their hypocrisy.”
New Zealand’s privacy commissioner John Edwards this morning said that while New Zealand media were exempt from new anti-cyberbullying law, they too would have to face potential court cases and regulatory authorities for republishing the data.
“The media exemption still exists in the privacy act, although they would have to defend any civil claims for a tort of privacy, and they’d have to deal with the broadcasting standards authority and the press council,” he said.
Individuals publishing the data themselves, including on Twitter, could face up to $50,000 fines and up to three years in prison under the new cyberbullying law. Corporations can be fined up to $200,000.
“With the … cyberbullying law passed last month, it is not carte blanche just to use information from a public source if it would be unreasonable to do so — and I think republishing hacked, stolen, intimate data would probably hit that threshold,” Edwards said.
Australia’s own recently passed cyberbullying law would not apply to Ashley Madison users, because it is aimed only at preventing cyberbullying of people under the age of 18.
*Lifeline 13 11 14 or https://www.lifeline.org.au/