Case Study: Ashley Maddison

Introduction

Avid Life Media is a firm that owns multiple online dating services including ‘Established Men’, ‘Cougar Life’ and most notably: Ashley Madison. The latter is a controversial platform advertised as a service where men who are in monogamous relationships can commit adultery with the tagline “Life is Short, Have an Affair”. Users would sign up for free using any email address, and would be allocated an email account by Ashley Madison, which they would have to essentially pay money to send and receive messages from the platform.

On July 12 2015, a group of hackers called ‘Impact Team’ hacked into Ashley Madison servers and posted login ransom message notifying staff if the Ashley Madison and Established Men services did not get shut down, staff and user personal information would be published. After not bowing to ransom pressure, Ashley Madison’s data was leaked onto the public forum ‘Pastebin’ revealing the personal information such as the address, contact information and sexual preference of millions of users, as well as corporate documentation and correspondence.

Ethical Implications

Clearly there are ethical issues with regards to a service that encourages adultery; however, there are also issues underneath the surface in the claims against Avid Life Media, including claims of fraud and false advertising (Sawayda, 2015). The most public of these issues is the adultery solicitation. Despite being completely legal, this is an example of something that is deontological ethically bad, because regardless of the intended outcome, providing the platform is widely-considered ethically bad. Figures 1 and 2 show the marriage rate in Australia over the past century; despite the rate being on a decline, monogamous relationships still comprise a majority in Australia (Qu, 2020). With a vast majority of people not supportive of adultery or ‘open’ relationships, it is understandable how Impact Team’s motive was driven ethically. This was also evidenced by their statement calling users of Ashley Madison “cheating dirtbags” (Sawayda, 2015).

Whilst Avid Life Media’s business model is built on deontological ethical controversy, Impact Team’s hack was an act of utilitarianism. The hacking, stealing and publicly releasing sensitive personal information is illegal and ethically bad, however the intended result is there will not be a service encouraging and soliciting adultery, which is ethically good.

Legal Implications

There are other ethical implications at play with the case of Ashley Madison; however, there are also multiple legal implications for both Avid Life Media and Impact Team. Despite being based in Canada, Avid Life Media still fall under the ‘Privacy Act 1988’ due their collection of information on Australian users (Hemingway, 2019). As forementioned, the provision of a service the likes of Ashley Madison are legal in Australia, provided that Avid Life Media adheres to the Australian Privacy Principles (APP), which they did not. Most notably they failed to adhere to ‘APP11 – Security of Personal Information’ by implementing poor information security and cyber security practices to protect the information they held. Under APP11.2, Avid Life Media are required to destroy information when they have no further legal use for it (Hemingway, 2019); however, when users paid a fee to have their account permanently deleted from the system, Avid Life Media retained some information which was later leaked and used for re-identification.  Avid Life Media also failed to comply with ‘APP10 – Quality of Personal Information’ by not ensuring the user’s personal information was correct, specifically by not verifying user email addresses (Sawayda, 2015), allowing anyone to create a user account with any email address, such as a colleague for a prank or a celebrity as a joke.

Despite somewhat morally good intentions, Impact Team committed a serious crime hacking into Ashley Madison, stealing and eventually disclosing sensitive information, which is illegal in Australia under the ‘Criminal Code Act 1995’.

Judgements

Looking at the decisions made by both Avid Life Media and Impact Team, it is clear that both parties believed they were acting ethically, and both should have been well aware of the illegality of their decisions. Ashley Madison’s service is widely considered unethical in Australian culture, however in the founder Noel Biderman’s opinion, people are already inclined to cheat, Ashley Madison is facilitating that urge and possibly even saving marriages (Sawayda, 2015). But Avid Life Media’s crude mismanagement of information security, as well as fraudulent and false advertisement makes them legally liable for action.

Impact Team had moral, ethical intentions, but committed a serious crime of not only stealing sensitive information, but publicly releasing said information to the world. Regardless of the intended outcome, the personal harm and fallout of the information dump affected thousands of users and employees. It is not up to a group of hacktivists to enforce an unspoken ethical law, as Avid Life Media stated: “The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society” (Zetter, 2015). Despite being a popular opinion, Impact Teams ethical decision is still subjective; however, the laws broken and harm produced from their actions is not.

Recommendations

One of the major lessons learnt from the Ashley Madison hack was that information is not guaranteed to be safe and secure on the internet. Ashley Madison had weak cyber security, evidenced by Impact Team’s statement "We worked hard to make fully undetectable attack, then got in and found nothing to bypass” and also stating Avid Life Media had “no security” (Lord, 2017). Companies like Avid Life Media are responsible for the security of information and therefore there should be mandatory audits conducted on large companies that deal with sensitive information, to ensure that businesses are acting responsibly with the information as well as sufficiently protecting it. If an audit had been conducted on Ashley Madison prior to the attack, it’s possible it could have been shut down and Impact Team would not have felt the need to commit a crime based on their ethical compass.

References

HEMINGWAY, C. 2019. Lessons Learnt from the Ashley Madison Data Breach [Online]. Legal Vision. Available: https://legalvision.com.au/ashley-madison-and-data-breach/ [Accessed].

LORD, N. 2017. A Timeline of The Ashley Madison Hack [Online]. Data Insider: Digital Guardian. Available: https://digitalguardian.com/blog/timeline-ashley-madison-hack [Accessed].

QU, L. 2020. Couple Relationships. In: STUDIES, A. I. O. F. (ed.).

SAWAYDA, J. 2015. Ashley Madison Experiences Fallout from Hacking Scandal [Online]. Center for Ethical Organizational Cultures: Auburn University. Available: https://harbert.auburn.edu/binaries/documents/center-for-ethical-organizational-cultures/cases/ashley-madison.pdf [Accessed].

ZETTER, K. 2015. Hackers Finally Post Stolen Ashley Madison Data [Online]. Wired. Available: https://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/ [Accessed].