The Ashley Madison Breach: The End of The “Age of Internet Innocence”?

By now you’ve no doubt heard of the Ashley Madison data breach, which became public in July 2015, and the subsequent public release of the “data dump” of all the breached user account data on August 18th.  The latter event upgrades the incident from a mere ordeal to a full-fledged disaster. In the wake of the public release of the customer information, lawsuits have started to pour in, prompting us to write this post. 

Much has already been said about the essentials of the breach, so we’ll just add a few points to the mix:

1. The Ashley Madison Breach as the End of A General Blasé Attitude About Online Personal Information Security

We generally agree with this early post on the release of the breached data when it said:

We associate the cost of hacks mostly with identity theft and financial loss, from which most victims are pretty well insulated. Target assessed the cost of that hack at $148 million; outside financial institutions added another $200 million to that figure. You may know someone affected by that hack, but the resulting damages were likely mostly absorbed by their bank or credit card company. It was unsettling, yes, but it wasn’t widely ruinous…

The Ashley Madison hack is in some ways the first large scale real hack, in the popular, your-secrets-are-now-public sense of the word. It is plausible—likely?—that you will know someone in or affected by this dump.

“Widely ruinous” indeed, both in the nature of the site and the information, and the scale of the breach (nearly 40 million accounts).  While in past breaches, the risks of misuse of the stolen consumer information (i.e. credit card fraud and identity theft) were understood, and the possibility of embarrassment or even blackmail appreciated for high-profile victims of hacks, it is questionable whether these acknowledgements led to any widespread appreciation, particularly, changes in habits.  With the Ashely Madison breach, suddenly, quite a lot of people are jarringly faced with their sensitive secrets becoming public, and the rest of us are keenly watching, amidst a massive media frenzy.

As part of that coverage, it has been clearly demonstrated what happens to individuals for whom such information is compromised; to just briefly point out a few examples:

So, maybe, just maybe, there will be a big silver lining to the Ashley Madison breach: getting the public to be much more careful about their information privacy practices, and likely push for more enforcement by the government.  In particular, if as it appears, Ashley Madison provided a paid service promising to wipe customers’ data and then did not do so fully, this would likely form a basis for an FTC enforcement action.  More broadly, this might be extended to better data destruction practices, if not regulations, founded upon new consumer expectations for such.  And of course, there should be an impetus for better information security in general, because of the sensational nature of this breach.

2. The Ashley Madison Breach as The End of The “Ring of Gyges” Effect of Internet?

As the old comic strip put it, “on the internet, no one knows you’re a dog.”  But less whimsically, the anonymity afforded by the internet has notoriously given rise to internet “trolls” (those who spew hate-filled bile in comment boards and forums), direct harassment, and even (more recently) “revenge porn.”   This phenomenon has led some to point out that the old parable of the “Ring of Gyges,” from Plato’s “Republic” bears surprising relevance to the modern-day situation.  In the parable, the shepherd Gyges finds a ring that allows him to become invisible, and upon discovering this, he engages in all manner of cloak-and-dagger behavior to subvert the realm’s rulers and gain whatever benefit he can get away with.  Plato uses this parable to make the point that man is fundamentally more opportunistic than ethical, and will take what he can whenever he can get away with it (not surprisingly, in the Republic, Plato is making the broader point of a need for a strong, centralized state to order and run society).   While we don’t necessarily buy into this view generally, it is clear that the anonymity capabilities of the internet have brought out such behavior in many people.

The connection here is that Ashley Madison is, of course, an adultery site.  It has nearly 40 million users who, quasi-anonymously, get a chance to cheat on their partners that they would perhaps not have had without a discreet internet site.  While this isn’t (generally, these days) illegal activity, it certainly raises ethical questions, or at least, represents and activity that most of the patrons of Ashley Madison would only ever engage in privately.  This places the site’s activity in the same category as Silk Road (the erstwhile bitcoin-based illegal drugs market) or anonymous internet comment trolling generally.  Such activities only flourish when people feel reasonably assured that it will stay private, with their identities kept secret from those who it matters (i.e., the state, the general public, or just their spouses).

Thus, we can’t help but think that the Ashley Madison breach and mass data release will cause people to question, en mass, the assumption that any internet-based or connected service will be able to maintain the privacy these activities require (and which is promised).   Indeed, many may just be waking up to the reality of the risk of disclosure, per the above.  But the next dot to connect would be that the ever-present and looming disclosure risk (at least, wherever identities are not perfectly cryptographically-secure — something extremely hard to attain) would make various “unsavory” activities not worth even embarking upon online.

While this realization isn’t likely to eliminate internet trolls, it might make large numbers of people think twice about how they approach and make use of the internet.  The upshot may be a welcome expansion of common decency and generally-accepted ethical behavior to the the online arena — something few would complain about.

But there is a downside too: a potential chilling effect against societally-beneficial anonymous behaviors, such as expressing valid (but marginalized) political speech and whistleblowing.  The latter is particularly disconcerting, as society is coming to rely on whistleblowers (often anonymous) to get a handle on rampant corruption, cronyism and malfeasance amongst government and big corporations.  So, for example, a government waste whistleblower seeking to anonymously report major military contractor graft might think twice about going to Wikileaks to release this information.  Hopefully, Wikileaks and its kin, using cryptographically-secure submissions systems, will still be able to perform their socially-useful function.

3. Is This The Beginning of the “Maturation” of The Privacy Right in the US?

In our minds, another fascinating and compelling change that could come out of the Ashley Madison breach is a “maturation” of the right to privacy in general in the US.  In the US, the right to privacy is a sort of “second-tier”, or afterthought right, never mentioned explicitly in the constitution (but running as an undercurrent through important parts of it, especially the Fourth and Fifth Amendments).  Some US states picked up on this and explicitly enshrined a “right to privacy” in their state constitutions, but more broadly, the general right to privacy in the US was largely constructed piecemeal throughout the 20th century through case law: the privacy torts of commercial misappropriation, public disclosure of private facts, intrusion upon solitude, and false light publicity are now fairly well-established.

The big “problem” remaining is that this piecemeal form of the right leaves privacy generally as mostly legally-hollow without the presence of, and proof of direct damages.  This is visible in spades in recent years, where no consumer privacy suit for a breach of personal data per se has ever succeeded in the US.  Of course, if consumers have measurable financial losses subsequent to a breach and can tie the losses directly to it, these could represent damages that found a successful legal action, but such directly-attributable damages are unlikely to be present soon after a breach is discovered (if ever).

Another problem is that consumer data breaches don’t fit nicely into the four privacy torts mentioned above; usually the company being sued (the target of the breach) was negligent at worst, so the release of information isn’t an intentional action, as required for the tort of intrusion; and the act of publicizing the personal data was not an intentional one by the company (if it is provable at all), so public disclosure of private facts doesn’t fit well either (and the other two torts simply don’t apply).

Despite lacking a constitutional foundation and sources in common law, there is also no federal law in the US giving consumers an actionable, general privacy right (some limited remedies exist in the specific areas of health care data, financial/credit data, and do-not-call).  States aren’t much help either: the 50 state data breach laws almost universally provide consumers with no cause of action.  In recent years, the Federal Trade Commission (FTC) has begun to tiptoe into this vacuum, beginning to fine companies for data breaches as “unfair and deceptive” trade practices (see the recent decision in FTC v. Wyndham, in favor of the FTC); however, should this approach expand, it would provide only the government itself with the “right of action.”

In contrast, other countries around the world have established (or are concretely moving to establish) stronger general rights of privacy and corresponding regulatory regimes (particularly as it comes to digitized consumer records containing personally identifying information, or PII).  Right next door, Canada has strong modern privacy protections, with a national privacy regime (the PIPEDA) setting blanket requirements for limited use, permission, disclosure and accountability of consumer PII.  Further, five Canadian provinces (including British Columbia) make invasion of privacy an actionable tort per se, without proof of damages, and Quebec (in its charter) allows for punitive damages when “a person unlawfully and intentionally interferes with another individual’s right to privacy.”  The 2014 Canadian Anti-SPAM law (CASL) includes a private right of action, which will kick in on July 1, 2017.  Across the pond, countries with regimes under the Eurozone’s currently-applicable data protection directive (DPD 94/46/EC; a new DPD is pending) generally follow the “finality principle”, which limits the use of consumer PII to only uses specifically-approved by the consumer (so, if a valid holder of PII wants to use it for something else, it must get permission again).  Germany, for example, follows this in its Federal Data Protection Act, even providing for criminal penalties for breaches of consumer’s PII.   Europe also recognizes “progressive” notions of privacy rights such as a “right to be forgotten” (e.g., Germany requires that “PII must not be kept in a form that allows identifying the individual for longer than necessary”); and generally, breaches related to PII are seen as per se violations of personal rights.

In recent glimmers of hope in the US, in 2014, the Supreme Court in Riley v. California deemed the information on a typical cell phone or smartphone to be private for 4th Amendment purposes, and so could not be viewed by police incident to an arrest, without a warrant.  This ruling was based on a recognition of the personal nature of the information found on such devices nowadays, such that people have a reasonable expectation of privacy to it.  In a seemingly unrelated ruling, in May 2015 in ACLU v. Clapper, a federal appeals court of the Second Circuit ruled the NSA’s bulk collection of telephone call information to be unlawful (the information in question consisted of call “metadata,” which does not include call contents).  In the Clapper decision, the court strongly hinted that the NSA’s program would fail a reasonable expectation of privacy test, based upon the legitimate privacy interest customers have in their call metadata (which in itself can be very revealing) — despite the fact that the information was “voluntarily” disclosed to third parties (the telcos).  The court did not directly base its holding on this, as it found the program unauthorized on narrower statutory grounds, but it went out of its way to suggest that Congress would have to authorize such privacy-violating, sweeping data collection in targeted legislation, subject to public debate.

So, progress on the general privacy front is clearly being made in the US.  The next step is an open question, but it does seem the courts are loathe to take charge and define the boundaries of the right to privacy “for us.”  So, the onus for a “complete solution” is probably up to the public, to spur the government (federal or otherwise) to legislate a better solution.  Such a mass movement did not materialize after the less-tawdry (though major) consumer data breaches in recent years, not to mention the OPM hack and the Snowden revelations, but the sensitive and sensational Ashley Madison breach might finally do the trick.

 

Leave a comment

Your email address will not be published.


*