Webinar: Why the Ashley Madison Hack Represents a Turning Point in Data, Privacy and Security
In the world of data privacy and security, a breach-a-day seems to be increasingly the norm. However, the recent hack of the affair-promoting AshleyMadison.com website has plunged the dynamics of data breaches into new territory when it comes to discussions about data, privacy and security. In this webinar hosted by the UC Berkeley School of Information, panelists discussed the legal and ethical implications surrounding this breach and why it represents a turning point in the data science dialogue. Here, we provide a summary of the key points covered in the discussion.
About the Presenters:
Chris Hoofnagle is an adjunct professor at the UC Berkeley School of Information and a lecturer in residence at the Berkeley School of Law. He has taught computer crime law, privacy law, and internet law. Chris is the author of Federal Trade Commission Privacy Law and Policy (Cambridge University Press 2016).
Anna Lauren Hoffmann is a postdoctoral scholar and a professional faculty member at the UC Berkeley School of Information working at the intersections of information, technology, culture, and ethics. Her research considers the ways in which the design and use of information technology can promote or hinder the pursuit of social justice.
Toshiro Nishimura (MIMS '15) is a Research Analyst at Cloudmark. His blog post titled “Does Blackmailing Pay? Signs on the Bitcoin Blockchain of Responses to Ashley Madison Extortion Emails” has been cited by several major news outlets reporting on the controversy.
As the moderator for this webinar, Anna Lauren Hoffmann set the stage for the discussion, framing the timing of the Ashley Madison breach, and the enormity of the related implications. To do it, she summarized a link list of stories she’d compiled as a timeline of reporting and commentary, capturing everything from the technical to the social to the ethical implications of the breach. She noted this has been referred to as the first “true hack,” since this was the public’s worst nightmare, with the exposure of so many intimate details—occurring at the intersection of a variety of perspectives. Together, the panel described the legal, technical and ethical issues involved:
- Notification requirements may not be sufficient. States differ in their requirements for notifying users when breaches occur—which is tied to state-specific “trigger information,” such as social security or credit card numbers. If you’re a business, and you have trigger info, you have to notify the public. However, the Ashley Madison breach was unique because the issue arose regarding whether a site holding such sensitive personal information—that may not be defined as trigger information—would be required to notify users.
- Hacker techniques are less sophisticated. Forensic analysis shows that often the breach is caused by something really basic—like the Google breach in which executives were targeted with a spear-phishing email.
- Hacker motivation is changing. The first generation of breaches were performed by more economically-motivated actors who were breaking into systems to steal social security and credit card numbers. But now, many are motivated by ideology, which is very difficult for the criminal justice system to deal with. Ideological hackers are very unpredictable and a potential danger for those sites that encourage users to become emotionally involved with their offerings.
- We’re now in a world of “forced disclosure.” Many times, companies are forced to disclose, even if they aren’t required to do so, in order to get out ahead of the data dump. If user data is going to be compromised, they don’t want the hackers to be the first to spread the news.
- The impact has spread. The information leaked in the Ashley Madison case forces us to look beyond privacy and the individual, since being named in a sensitive dataset can reveal information beyond the user and extend to other individuals and relationships.
- “Immorality” abounds. There was an abundance of unethical and illegal practices in this case—including the affair-promoting purpose of the site and the fact that Ashley Madison didn’t make good on privacy promises to users and purportedly used bots to inflate the number of available females. In addition, there were the unethical actions of the hackers themselves, and of all the blackmailers who tried to extort thousands of dollars from exposed users.
- Companies may shy away from law enforcement. Increasingly, as companies are breaking their own rules internally, they shy away from opening up the logs for forensic analysis—fearing they’ll turn from victim into defendant.
- Who owns the higher moral ground? The immoral activities of the site all came to light through an act of vigilantism in which a group of hackers did this to “make their moral code” known to the world. At what point does such finger-pointing become right?
- The economics of security is second to quality. It takes great effort and cost to optimize security and deep levels of encryption on a site. Many companies seem to feel that if the consequences are not too great, they can rebound from the inconveniences associated with a breach.
- The economics of hacking is changing. It takes great effort and potential exposure to transform social security and credit card numbers into actual cash. However, in this instance, blackmailers could obtain cash directly from the individuals they were exploiting.
- A treasure trove of data is available for the taking. With companies increasingly using social media and related data to gain insights into consumer behavior, what are the ethical implications of using illegally obtained data that is provided to the public?
There are many new issues that this breach has brought to light, and they will continue to evolve as society becomes increasingly connected and consequently vulnerable. The following links were provided as additional resources during the discussion: