Life is Short... Sue Everyone: Legal Perspectives on the Ashley Madison Hack
15:56
Happy almost Hack-versary, AshleyMadison.com
On July 20, 2015 the hacking collective Impact Team accessed and downloaded the personal and financial data of Ashley Madison’s users - almost all 37 million of them. Impact Team attempted to hold AM hostage - their terms: shut down or the information is released. Ashley Madison did not shut down and on August 18, 2015, the Impact Team dumped 9.7 gigabytes of personal and financial data.
The hack tapped into the more base elements of our collective imagination.
Because… sex. Because… cheating. Because… drama.
I’ll also note, Impact Team’s message to the world after AM refused to shut down their site was, “prosecute them [them being Ashley Madison] and claim damages”... more on that later.
If the Ashley Madison Hack were a play (possibly a period drama produced by the BBC - featuring men in flowy shirts), it would have four main characters:
- Ashley herself;
-
Users of the site;
- Hackers; and
- Retrievers (i.e. the people who, after the hackers released the data, retrieved the data from various sources)
Easily as important as the actual humans involved - in my opinion - are the legal perspectives on the hack. Really, though, I'm talking about legal implications of the unauthorized access of information (which in this case happened to be perpetrated via computer).
Let’s start with the hackers. The obvious one. What have the hackers done wrong?
... a lot.
Theft
They took the data - data is property
Extortion
Using a threat as a means to an end
Mischief
Possession of stolen property
Again, data is property
Unauthorized use of credit card data
This includes obtaining and possessing)
Interception of private communication
Unauthorized use of a computer
All the more traditional charges (theft, extortion, possession of stolen property) didn’t quite cover the particular type of crime that occurs when a computer system is accessed without authorization. Criminal legislation addresses the potential harm to society and the individual - which means it has to be tailored to the crime itself. Theft of a bike and theft of data are two very different things. This is where international law comes in.
The Budapest Convention on Cybercrime was drafted to address the unique issues at play here. Canada signed in 2001 but only ratified the convention in November, 2015 (which is interesting timing, given that the 2015 election was in October) ... BUT many of the changes required by the Budapest Convention were made overtime (specifically over the time Stephen Harper was in power). It's important to note, our odd, burger-loving neighbours to the south ratified the convention in 2007.
Signatories were required to implement similar laws regarding the illegality of unauthorized access and interception of data in and to make efforts to harmonize the rules governing search and seizure of stored computer data (including retention of that data for prosecution purposes). The convention encourages cooperation of law enforcement agencies and also sets up extradition schemes between signatory countries.
The Budapest Convention also addresses the enforcement of copyright laws, but thats a discussion for another time...
The Budapest Convention requires signatories to make changes to their criminal laws; creating offences against the confidentiality, integrity and availability of computer data and systems.
Article 2 proposes to define criminal unauthorized access like this...
Article 2 - Illegal Access
Intentional access to a computer system without right.
(with or without infringing security measures)
(with or without intent to obtain data or dishonest intent)
The brackets are optional. Meaning the convention contemplates hacking being illegal whether or not you actually infringed security measures (I find that odd).
(2) Failure to Secure
AM stored highly personal information unencrypted at the database level. Despite security threats that may have been discovered by AM’s officers/directors, and AM made representations that the data was secure. AM called itself… and this is not a joke… “the last truly secure space on the Internet.”
I can't make this stuff up.
We’ve implemented Article 2 by creating s.341.1(1) of the Criminal Code. It looks like this [font is mine b/c Times New Roman is... annoying]...
It’s called “Unauthorized use of a computer” - this section makes it illegal to:
- Obtain computer service (directly or indirectly);
- Intercept any function of a computer system (directly or indirectly);
- Use a computer system with intent to obtain or intercept;
- Use / possess / traffic in or permit another person to have access to a computer password;
You have to have done these acts fraudulently and without colour of right for this section to apply to you, and, if the act is sufficiently serious, it has potential for 10 years in prison.
That means that if you access another computer system that you didn’t have authorization to access, on purpose, to obtain information or mess around with people, even if it was just for fun … you’re caught by this section of the criminal code.
Canada's adoption of the Budapest Convention also resulted in s.184(1) of the Criminal Code - “Interception of Communication”. It is illegal in Canada to intercept a private communication between two people without the permission of either the communicator or the recipient. This is an indictable offence (max 5 years).
Important to note: it doesn’t apply to people who intercept the communication as part of managing the computer system or protecting the computer system from interception or unauthorized access. Sys admin people, breathe a sigh of relief.
Important to note: it doesn’t apply to people who intercept the communication as part of managing the computer system or protecting the computer system from interception or unauthorized access. Sys admin people, breathe a sigh of relief.
It’s also illegal to discloses the intercepted private communication (s.193 (1)). Whether you disclose all or part of it (or merely the fact the communication exists) - and you do so without the express consent of the originator or the recipient - you could be caught by this section. This is an indictable office with a maximum of 2 yrs in prison. However, there are exemptions - for example: giving evidence, criminal investigation, operating/managing/protecting computer system, and, of course, CSIS.
Regular Mischief is willfully destroying or interfering with property - BUT there’s also Mischief in relation to computer data. Shocking, I know. If you destroy/alter data in such a way so as to render it meaningless, useless, or ineffective, or if you obstruct, interrupt, or interfere with lawful use of computer data or a person lawfully using their computer (and you do so wilfully) this section applies.
Obviously there are enforcement issues. In order to prosecute people… you have to be able to catch them.
Regardless of whether or not people can be caught the fact remains…
... hacking is really illegal.
This is all interesting (perhaps only to me - I lost most of you at my unnecessary hashtag), BUT it doesn’t catch most of us. Most of us just read the news reports, but some of us accessed the data.
… you know who you are.
So what, if anything, have the retrievers of the data done wrong?
Some people viewed the data - others interpreted it and rendered it into a more... entertaining... format and published it online.
There were some incredibly detailed interpretations of the data that were then packaged in Retriever generated infograpics, videos, charts, etc. BinaryEdge, a swiss security firm, analyzed the data based on everything from race and gender to body weight. Some people even cracked user passwords using the dump and published their method and findings on the internet.
The whole thing went from salacious gossip to academic math exercise very fast.
Thank you, Internet.
Thank you, Internet.
When Binary Edge and others interpreted this data, many of them included disclaimers like this:
Why did they feel the need to put this on here?
A: Lawyers.
The more appropriate question is why did their lawyer tell them to put the disclaimer on their website? BinaryEdge analyzed a lot of the data, but they didn’t go so far as publishing names because they didn’t want to run afoul of privacy legislation or get themselves into any other type of legal hot water.
In my travels, I’ve come across people who couldn’t help themselves. They retrieved the .dump files.
Just, ya know, because they were curious. They ask me, “Do you want to see?”
My answer was always “NO”. (incidentally, this is the same answer I give when asked to play softball - not because I don't like softball - it's that my face and nose do not like softball - grad school, emergency department, you get the picture).
Why "NO"?
First of all… it’s against the law to knowingly possess stolen property (data is property). This section specifically deals with property obtained or derived (directly or indirectly) from an indictable offence. Unauthorized use of a computer is an indictable offence; therefore, this section could potentially catch anybody who has possession of the AM data.
It’s also illegal to possess credit card data when you know you’re not authorized to have it. This may be a bit of a stretch and I must say I don’t know whether or not enough detail was contained within the data dump for this section to apply (remember, I resisted the urge to look). The data must be specific enough to enable the use of the credit card - BUT if there is enough detail in the data - this section could apply to any retrievers possessing this data.
Returning to unauthorized use of a computer - this section could apply to retrievers as well. If you Use, possess, traffic in, or permit another person to have access to a computer password (that would enable a person to commit an offence under paragraph (a), (b) or (c).) you’re caught by this section.
In both offences (unauthorized use of credit card data and unauthorized use of a computer) "traffic" means to sell, export from or import into Canada, distribute or deal with in any other way.
"Distribute" - as in publish on a website or send to a friend?
“Deal with” - as in interpret?
Uh oh...
... so... possessing the data is also illegal.
The justice system may decide that charging people with possession of the AM data isn’t worth it, or that it would make the justice system look ridiculous because everybody downloaded the data, right?
I’ll remind you that a lot of people have smoked marijuana and that hasn’t stopped the government from vigorously enforcing those laws (despite the apparent intention of Prime Minister Trudeau to end the prohibition and start taxing the be-jesus out of this particular plant).
Summary:
Hacking is illegal.
Possessing hacked data is illegal.
With the rising prevalence of data dumps in the wake of security breaches, I ask you, dear reader, and generally curious human, to resit the urge to get your hands on that data.
Criminal law... that's the state's recourse. What about the users?
That's right... put on your litigation pants. (Note: lawyers do not generally wear special pants to court... except in Newfoundland).
In the wake of the data breach, AM users now look to the law for a remedy.
This is happening:
This is happening:
(US filings don't actually have the "Made in USA" badge - but they should)
Joe Doe (the Plaintiff representing a group of Plaintiffs) sued Avid Life Media, Inc. and Avid Dating Life, Inc. (AM’s parent companies), and, because I am of a curious nature, I read the Plaintiff’s Complaint (in Canada we call it a Statement of Claim).
The Complaint describes the type of information given by users, including:
username / password - greeting - location (country/zip code or postal code) - Date of birth - Type of Affair they want (short term, long term, cyber affair/erotic chat, or other) - height - weight - body type - ethnicity - email (promising never to show the email) - discrete photo (option to blur eyes or put mask on) - Information on intimate desires, perfect match, and personal interests (read: sexual preferences and proclivities)
THEN it set out the two main issues:
(1) Scrub Fee
The website offered to “scrub” – or delete – user profiles along with all personal information from the website for a $19 charge.
The website offered to “scrub” – or delete – user profiles along with all personal information from the website for a $19 charge.
(2) Failure to Secure
AM stored highly personal information unencrypted at the database level. Despite security threats that may have been discovered by AM’s officers/directors, and AM made representations that the data was secure. AM called itself… and this is not a joke… “the last truly secure space on the Internet.”
I can't make this stuff up.
The “Scrub Fee” isn’t an incredibly interesting legal issue. It’s a breach of contract problem.
AM promised to delete the data in exchange for a fee.
The user paid the fee. AM didn’t delete the data.
Contract breached.
Assess damages.
Everybody goes home.
The “failure to secure” is a much more interesting legal question. It’s interesting because it’s new, but it’s also interesting because it’s old - in that old laws have to figure out how to deal with these new… computer… thiiiings.
Before we can really talk about suing anybody for failing to do something, we have to talk about a snail. Specifically, a case about a snail in a bottle - it’s creatively nicknamed the “snail in a bottle case” (real name: Donoghue v Stevenson). In the 1930’s a lady named Mrs. Donoghue polished off a bottle of ginger beer and found a dead snail inside. She got sick and she sued the ginger beer manufacturer, Mr. Stevenson. Donoghue won because the manufacturer owed a duty of care to her and he failed to ensure the ginger beer was safe. Also, it was reasonably foreseeable that failure to ensure the product's safety would lead to harm of consumers. This is the law of negligence.
Law school was actually super easy (*pause for pelting of tomatoes from other lawyers*).
Check out how the Plaintiffs word the "failure to secure":
The US class action papers claim that Ashley Madison failed to “maintain adequate and reasonable security measures” to secure their users’ data and as a result “highly-sensitive personal, financial, and identifying information” was released.
The Plaintiffs go on to claim that the massive data breach could have been prevented had Ashley Madison taken “necessary and reasonable precautions” to protect the data. What is a reasonable precaution? The Plaintiffs claim it would have been "encrypting the data entrusted on a database level".
The Plaintiffs claim Ashley Madison should have known stronger protection was required, given the increased occurrence of similar data breaches AND given the fact that the information was so sensitive.
Meanwhile... in Canada...
A class action suit was also filed against Avid Life Media (AM’s parent company) in Canada, by a man named Eliot Shore. The lawsuit is reportedly seeking $750 million in general damages and $10 million in punitive damages. I wasn’t able to get the Statement of Claim and the class action has not yet reached the stage where the documents are available online - however, it is reasonable to assume the claims will be substantially similar to those made in the US class action.
What could come of these law suits?
It's possible we're on our way to a common law requirement for encryption of data.
If the judge ruling on the Ashley Madison case finds in the Users’ favour - a precedent will be set and negligence can be found in future breaches if enough wasn’t done to protect the data. This would be a troubling development because security, as people in the security space have repeatedly informed me, is a moving target.
It will also be interesting to see how the courts will deal with the "failure to secure" in the face of growing calls for criminalizing encryption (she said as she put a pink elephant on the table and slowly backed away). We're at a cross-roads and the law... it's confused and doesn't know what to do.
The Ashley Madison hack is almost one year old.
Nobody has been arrested for the hack, because before you can arrest someone... you generally have to know who they are.
Nobody has been arrested for retrieving or publishing the data, but they could have been.
The users are seeking recourse through the courts (a system not necessarily known for its technological competence - seriously... they still use CDs). If the users are successful, new precedent will govern the actions of those who collect, store, and deal in data.
BUT we don't know how the precarious legal position of encryption will affect the court's decision - if at all.
One year later and there remains an ocean of uncertainty.
... and so it was that all the lawyers rejoyced and said unto online companies, "My fee will be $300/hr and thou shalt pay a substantial retainer."
Thanks, Hackers. Christmas card is in the mail.
**NOTE: This post is based loosely on a talk I gave to the Atlantic Security Conference in Halifax. Thanks for having me @AtlSecCon**
1 comments
Great post! Will be very interesting to see how ol' common law negligence will be applied to these very modern issues. Judiciaries making incremental steps in the law is not easy when technological advancements are anything but.
ReplyDeleteAlso, I actually laughed out loud at the Litigation Pants and NL comment. If only litigation pants *weren't* an actual thing here. Sigh.