Life is Short... Sue Everyone: Legal Perspectives on the Ashley Madison Hack
Happy almost Hack-versary, AshleyMadison.com
On July 20, 2015 the hacking collective Impact Team accessed and downloaded the personal and financial data of Ashley Madison’s users - almost all 37 million of them. Impact Team attempted to hold AM hostage - their terms: shut down or the information is released. Ashley Madison did not shut down and on August 18, 2015, the Impact Team dumped 9.7 gigabytes of personal and financial data.
The hack tapped into the more base elements of our collective imagination.
Because… sex. Because… cheating. Because… drama.
I’ll also note, Impact Team’s message to the world after AM refused to shut down their site was, “prosecute them [them being Ashley Madison] and claim damages”... more on that later.
- Ashley herself;
- Users of the site;
- Hackers; and
- Retrievers (i.e. the people who, after the hackers released the data, retrieved the data from various sources)
Article 2 proposes to define criminal unauthorized access like this...
Article 2 - Illegal Access
Intentional access to a computer system without right.
(with or without infringing security measures)
(with or without intent to obtain data or dishonest intent)
- Obtain computer service (directly or indirectly);
- Intercept any function of a computer system (directly or indirectly);
- Use a computer system with intent to obtain or intercept;
- Use / possess / traffic in or permit another person to have access to a computer password;
Important to note: it doesn’t apply to people who intercept the communication as part of managing the computer system or protecting the computer system from interception or unauthorized access. Sys admin people, breathe a sigh of relief.
Thank you, Internet.
This is happening:
- username / password
- greeting
- location (country/zip code or postal code)
- Date of birth
- Type of Affair they want (short term, long term, cyber affair/erotic chat, or other)
- height
- weight
- body type
- ethnicity
- email (promising never to show the email)
- discreet photo (option to blur eyes or put mask on)
- Information on intimate desires, perfect match, and personal interests (read: sexual preferences and proclivities)
The website offered to “scrub” – or delete – user profiles along with all personal information from the website for a $19 charge.
(2) Failure to Secure
AM stored highly personal information unencrypted at the database level. Despite security threats that may have been discovered by AM’s officers/directors, AM made representations that the data was secure. AM called itself… and this is not a joke… “the last truly secure space on the Internet.”
I can't make this stuff up.
AM promised to delete the data in exchange for a fee.
The user paid the fee. AM didn’t delete the data.
Contract breached.
Assess damages.
Everybody goes home.
1 comment
Great post! Will be very interesting to see how ol' common law negligence will be applied to these very modern issues. Judiciaries making incremental steps in the law is not easy when technological advancements are anything but.
Also, I actually laughed out loud at the Litigation Pants and NL comment. If only litigation pants *weren't* an actual thing here. Sigh.