26/08/2015

By Richard Beaumont, Governor Technology

The recent theft and subsequent leaking of the personal information of users of the Ashley Madison dating site for married people and its other stable brands is not the biggest data breach the world has seen in the last few years, but it is quite probably the most controversial.

Whatever people choose to think about the basic premise of the business, or the people that signed up to its services, the hacking and subsequent release of the data is illegal and quite likely to lead to serious harm for some of the users of the site.

It is therefore right that everybody who deals in the handling of personal data should look to see what they can learn from this event.

Context is King

The sensitivity of information, and therefore the lengths one should go to in order to protect it, often depends more on context than on the information itself. Email addresses are personal information, yet they aren’t generally thought of as particularly sensitive or in need of close protection. After all, they are about communication, so they are designed to be shared.

Stored in a database of people supposedly looking for an extra-marital fling, however, they are a completely different ball game. As has been pointed out elsewhere, some of the emails leaked indicate users in Saudi Arabia, where adultery is a capital offense. Though we don’t know it yet – the hackers may have condemned some people to death.

At the very least it seems inevitable that the marriages and careers of many people will be ruined. It doesn’t even matter if no wrongdoing took place: the suspicion created by the mere presence of an email address in the data will be enough to change some people’s lives forever.

Transparency, Transparency, Transparency

Amazingly enough, the privacy policy on the site is not that long or complicated. However, it is clear that different versions are served up to different users. On first access I noted my location was recorded as in the UK, and I got a policy from Praecellens Limited, operating out of Cyprus. However, I could switch my location to the USA, and then be served the policy from Avid Dating Life Inc. of Canada.

What strikes me is that even a cursory reading rings huge alarm bells. For a start the Cyprus policy, presumably for EU readers, is different, but it still uses US-style language, with lots of references to PII rather than Personal Data. So immediately it seems like a half-hearted job.

More importantly, it makes clear that although some information ‘may be considered as sensitive’ – the policy allows for any personal information to be sold to unspecified third parties for marketing purposes. At the same time the policy also stresses how important privacy is to the business.

Of course we know that nobody reads privacy policies, and this seems to prove it. I find it difficult to believe that anyone contemplating embarking on a clandestine affair would knowingly agree to such unspecified information sharing that could easily lead to legal disclosure of their use of the site. All of which tells me that there need to be clearer ways of surfacing this kind of information, and clearer indications of consent – something of course being called for under the EU Data Protection Regulation.

Beware the All Seeing Cookie

Running a very brief scan over a few of the public pages on the site we identified trackers from Google, Facebook and Twitter on the ‘Infidelity News’ blog. These are all organisations that can tie online behaviour directly to real identities, meaning the site is directly leaking at the very least ‘interest’ data about identified individuals in a way that could immediately impact their wider social profiles unless they are extremely careful.

However, the site clearly ignores EU cookie law requirements for consent. It doesn’t even notify visitors, let alone give them some control. Yet this is very clearly the sort of site that users might want to keep out of their browsing history. Not giving users the option of simple controls is not only a breach of the cookie rules, it shows either a cavalier attitude to privacy, or ignorance of the power of the cookie to identify individuals.

Privacy is not Security

It also seems that, despite the promises about the importance of privacy, little thought was put into it when designing the system.

Email addresses were allowed to be on the system unverified – breaking data protection rules about accuracy of data as well as opening up non-users of the system to potential harm. Although the company claims that sensitive information is encrypted at rest on disk, as noted above, in this case even emails are sensitive, and were clearly not encrypted. Or at least not encrypted well enough to prevent their release.

Similarly, it has been widely reported that the password reset feature can be used to effectively reveal the email addresses of users registered on the site.
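The reset-feature leak described above is a design flaw rather than a cryptographic one: a reset endpoint that answers differently for registered and unregistered addresses lets anyone confirm membership with nothing but an email address. The following is an added example, not the site's or the author's code, contrasting that leaky pattern with a uniform-response design. All addresses, the in-memory user store and the service class are constructed for the demonstration.

```python
"""Constructed demo: password-reset handlers that do and do not reveal
whether an email address is registered. Not Ashley Madison's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample user store (hypothetical addresses, not real users).
USERS = {"alice@example.com", "bob@example.com"}

# Token lifetime in seconds (an assumption for the demo).
TOKEN_TTL = 900


@dataclass
class ResetService:
    users: set
    # email -> (sha256 hex of token, expiry); only the hash is stored so a
    # database leak does not hand out usable reset links.
    pending: dict = field(default_factory=dict)
    # Stand-in for the outgoing mail queue: (email, token) pairs.
    outbox: list = field(default_factory=list)

    def _issue_token(self, email):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[email] = (digest, time.time() + TOKEN_TTL)
        self.outbox.append((email, token))

    def reset_leaky(self, email):
        """Vulnerable pattern: status code and message depend on whether
        the address exists, so the endpoint doubles as a membership oracle."""
        if email not in self.users:
            return 404, "No account is registered for that address."
        self._issue_token(email)
        return 200, "A reset link has been sent to " + email

    def reset_uniform(self, email):
        """Hardened pattern: identical status and body either way, and a
        comparable amount of work on both paths so timing gives no hint."""
        if email in self.users:
            self._issue_token(email)
        else:
            # Burn equivalent CPU without recording anything.
            secrets.token_urlsafe(32)
            hashlib.sha256(b"unregistered").hexdigest()
        return 200, "If that address is registered, a reset link has been sent."

    def consume(self, email, token):
        """Redeem a presented token: single use, time-limited, compared in
        constant time against the stored hash."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if time.time() > expiry:
            del self.pending[email]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False
        del self.pending[email]
        return True


def demo():
    """Show the observable difference between the two handlers."""
    leaky = ResetService(set(USERS))
    hardened = ResetService(set(USERS))
    return {
        "leaky_known": leaky.reset_leaky("alice@example.com"),
        "leaky_unknown": leaky.reset_leaky("nobody@example.com"),
        "uniform_known": hardened.reset_uniform("alice@example.com"),
        "uniform_unknown": hardened.reset_uniform("nobody@example.com"),
        "mails_sent": len(hardened.outbox),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same uniform-response rule applies to sign-up ("that address is already registered") and login error messages, and the endpoint should still be rate-limited per source and per address, since a uniform reply stops the oracle but not a flood of unwanted reset emails to the people whose addresses are listed.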

Some reports have suggested that the security on the site is generally better than many others, which also manages to highlight quite well that security and privacy are two different realms. I don’t know whether or not the company carried out any kind of privacy impact or risk assessment. However, it seems obvious now that not enough attention was paid to privacy concerns in the development of the platform and its services.

A Watershed Event?

The nature of the business makes it an obvious target for malicious attack. If more thought had been given to privacy, it would not have made a breach any less likely to happen, but it may have reduced the impact of it.

The very nature of the potential damage here could in fact become a force for change in the way that the law looks at privacy harms. Most law courts reduce harm in data breaches to financial loss. Many actions fail because direct financial harm is very difficult to establish.

In this case, financial harm is likely to be way down the priority list of members. It will be the harm to their personal lives – in many cases irreparable – that will almost certainly be the focus of the inevitable lawsuits. How the courts deal with this could open the door to the wider recognition of non-financial harms in breaches of privacy – and that may make this a watershed event.