Online purveyor of pro-paramour lifestyles, AshleyMadison.com, encouraged users to “have an affair,” because “life is short.” Well, the company’s lifespan may now be in jeopardy thanks to a possible litigation tsunami heading its way.
Who can exposed Ashley Madison users sue? The website or the hackers? What can “victims” legally claim? What are the chances of Ashley Madison successfully defending themselves? Will the business survive a litigation onslaught?
Let’s deconstruct the scandal and possible legal aftermaths.
The AshleyMadison.com Hacking Scandal Basics
What is AshleyMadison.com?
From its website: “Have an Affair today on Ashley Madison. Thousands of cheating wives and cheating husbands signup everyday looking for an affair…With Our affair guarantee package we guarantee you will find the perfect affair partner.”
Who owns AshleyMadison.com?
Avid Life Media (“ALM”), a Canadian company that also operates websites called Cougar Life and Established Men.
Who hacked the site and when?
An ostensibly ethical hacking collective known as the Impact Team claimed responsibility for the breach. Impact Team announced its coup mid-July; at that time, it made demands of ALM, offering a month-long compliance window. ALM didn’t comply with the demands, so Impact Team leaked the data mid-August.
What reason did Impact Team give for its act of hacktivism?
Impact Team targeted two of Avid Life’s properties. Excerpts from its public statement regarding the hack:
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
How did Avid Life Media respond to the initial hack?
The company behind Ashley Madison did not comply with Impact Team’s initial requests. Instead, ALM told users it had augmented security on the site. When the initial data dump hit, ALM speculated that the information wasn’t real. After its forensic team had explored the matter, however, the company acknowledged the breach.
What information did Impact Team eventually release?
Via two giant data dumps, initially only accessible with a Tor browser, Impact Team divulged around 32 million accounts. Some accounts are bogus; some are legit. Currently, most people aren’t paying much attention to email addresses not attached to payment accounts. And even for accounts that do include credit card info, there is no guarantee that the card holder’s identity wasn’t hijacked.
We should note that Impact Team didn’t release full credit card information, only the last four digits.
Did Impact Team explain why it eventually released the data?
Yes. According to Impact Team:
We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data … Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters. …
“Too bad for ALM, you promised secrecy but didn’t deliver.”
Impact Team also urged the exposed to “make amends” and encouraged: even though it is “embarrassing now,” Ashleymadison.com users will “get over it.”
Did Ashleymadison.com make any effort to secure user data?
Yes. The site used a PHP bcrypt algorithm to store passwords, which is considered an acceptable method among digital security specialists. However, as Robert Graham, CEO of Erratasec explained, “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password.”
Avid Life’s Statement About The Data Revelation
“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of Ashleymadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the company said in a statement. “The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”
Two Important Things to Consider About the AshleyMadison.com Hack That Could Impact Potential Legal Actions Stemming From the Incident
Fake Accounts: Countless Ashley Madison accounts are fake and created by bots.
No Verification Required: AshleyMadison.com doesn’t require email verification to create an account. As such, an innocent person’s address could have landed in the data scrum if:
- The email address is publicly available online, and a bot picked it up in an automated profile creation scrape;
- Someone else used the email of an enemy – or friend – to set up an Ashley Madison account;
- A reporter or investigator set up an account to get a peek behind the curtain for research purposes.
Legitimate accounts are most likely attached to credit card information – like reality TV’s Josh Duggar’s account.
Ashley Madison Hack: What Can People Sue Over?
According to statements issued by the collective, one of the main reason’s Impact Team targeted Avid Life Media’s sites was the company’s paid security option.
“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life.”
Which raises a question: Can “hack victims” (i.e., Ashley Madison users) successfully sue Ashley Madison and Avid Life Media? It’s an insanely complicated question.
An ocean’s worth of individual details would factor into the fitness of any potential claim. That said, let’s take a look at some potential types of lawsuits that could be brought, then deconstruct the likelihood of success.
Hypothetical Ashley Madison Lawsuit Category: Defamation / False Light Invasion of Privacy
Can Ashley Madison users sue the website for defamation or false light invasion of privacy – a tort very similar to defamation which is on the law books in some states? On a scale from one to ten, the chances are about a .5. Why? Two reasons:
- Though there are rare exceptions (like in Massachusetts), “truth” is a rock-solid defense against slander and libel claims. And in the case of the Ashley Madison hack, Impact Team covered its proverbial “butt” by pointing out that not all of the accounts are necessarily real.
- Due to Section 230 of the Communications Decency Act, Internet service providers and certain social media platforms enjoy a considerable amount of third-party defamation immunity protection.
Now let’s look at some hypothetical scenarios.
Hypothetical Ashley Madison Defamation Lawsuit: Individual User v. Ashleymadison.com / ALM
Again, the likelihood of an individual user successfully suing Avid Life Media for defamation is between slim and none. Under U.S. law, to win a defamation claim, plaintiffs must prove that the defendants made false statements of fact. In this case, though Impact Team hacked and leaked data, AshleyMadison.com – nor its employees – made false statements of fact about users.
Intention also plays a primary part in state-side slander and libel suits. In this case, Ashley Madison executives didn’t act with actual malice, neither did they act with reckless disregard for the truth.
HOWEVER, Ashleymadison.com’s website featured verbiage that promised a premium account option – and option that included information “deletion.” This program could be the basis of a solid breach of contract claim, which we’ll get to below.
Hypothetical Ashley Madison Defamation Lawsuit: Individual User v. Impact Team
Like ALM, it’s unlikely that individual users can bring successful defamation lawsuits against the Impact Team. Firstly, the collective didn’t spread lies; it leaked information. Even in instances where an automated bot scraped an email address from the Web and amended it to Ashley Madison’s database, the hackers, in theory, should be immune from libel liability. Why? Because in the collective’s release statement, Impact Team admitted that a large chunk of the user data was most likely false. The team even highlighted an ongoing class action, over fake profiles, against ALM.
Hypothetical Ashley Madison Lawsuit Category: Individual User v. Individual Online Shame Spreader
Theoretically, one type of Ashley Madison defamation lawsuit that has a shot at success is between an individual whose information was falsely leaked and a person who publicly makes assertions based on the presence of that false information. Huh? This scenario is best explained in an example.
Example of a Potentially Successful Ashley Madison Defamation Lawsuit
John and James are co-workers and rivals for a job position. Turns out that John’s email address was among those leaked in the Ashley Madison data breach. John, however, has never used Ashley Madison and is happily married. His email landed in the website’s records on account of a bot that scraped the Web for addresses to make fake profiles – a subversive online marketing technique. In fact, John had no idea his email was even in the leak.
Now let’s cut to James, John’s work rival. He searches through the Ashley Madison data dump and comes across John’s email. Teeming with schadenfreude, James immediately takes to Twitter and scolds:
“John Doe is an adulterous CHEATER! He’s slept with the entire office and probably has a disease!!”
A tweet like this could be deemed defamatory (or at least false light). For starters, James makes a false statement of fact by asserting that John is a cheater and has a disease. Arguably, this is a reckless statement because the Impact Team explained the probability of false-positive accounts and highlighted the ongoing lawsuit involving fake profiles. Moreover, James extrapolated an entire story based on one piece of information.
There is no guarantee that John would win our hypothetical case, but of all the possible Ashley Madison defamation conflicts, a scenario like his has the best chance of success. But again, all online libel lawsuits depend on the details of the case, so it’s best to speak with an attorney about specifics.
Hypothetical Ashley Madison Lawsuit Category: Data Breach / Online Privacy
Hypothetical Ashley Madison Lawsuit Category: Individual U.S. User v. Ashleymadison.com / ALM
“Ashley Madison users can surely sue for violations of online privacy, right?”
Believe it or not, the United States doesn’t have a universal online privacy law. California’s online privacy statute comes the closest, but as of this writing, it doesn’t appear that ALM has violated it. After all, the company did take steps to secure passwords; the hackers were just smarter.
And though ALM at first questioned the validity of the data, the company did “fess up” in an appropriate amount of time. Moreover, ALM is working with law enforcement officials to find the culprits — all of which is in accordance with California’s – and other states’ – online privacy laws.
Of course, there may be extenuating circumstances that affect the validity of any given AshleyMadison.com User v. ALM online privacy lawsuit.
Hypothetical Ashley Madison Online Privacy Lawsuit: Individual E.U. User v. AshleyMadison.com / ALM
Though European Union online privacy laws are stricter than those in the United States, the probability of a successful Internet privacy claim in an E.U. court is equally as low as it is state-side. Mostly because the overseas digital privacy laws have more to do with acknowledging certain types of tracking (which you can read about here [link]) as opposed to punishing instances of data breaches.
Hypothetical Ashley Madison Online Privacy Lawsuit: Individual User v. Impact Team
Can individual users sue Impact Team for invasion of privacy? Highly Doubtful. Again, the word “privacy” isn’t even in the U.S. Constitution, and Capitol Hill has yet to pass a universal online privacy law.
Besides, finding the members of Impact Team is probably a longshot.
Hypothetical Ashley Madison Lawsuit Category: Breach of Contract
Hypothetical Ashley Madison Breach of Contract Lawsuit: Individual User v. AshleyMadison.com / ALM
“Breach of contract” lawsuits – or a breach of contract class action – may be the legal straw that breaks Avid Life Media’s back.
As a pay option, AshleyMadison.com offered members a deletion service for $19.99. And as the world now knows, it looks as if those promised deletions never happened.
Even if ALM included some tricky language in its terms about “deletion” not really meaning “deletion,” the company could still be in trouble. How? Because the language used to promote the service led the average user to believe that his or her data would be expunged completely; that was the conspicuous message.
Besides, the law, in many ways, no longer allows for “fine print” gotcha clauses, which are buried behind hyperlinks, in agate-font text. Hiding important information like that is considered underhanded and judges ordinarily don’t grant absolution for those types of tactics.
Other Possible Lawsuits: False Advertising and Fraud
In addition to breach of contract, it’s possible that the government may sue for false advertising – on account of the $19.99 deletion promise. Others will argue that it was fraud to take the money and then not fulfill the promise made. Whether or not either of these types of actions will be pursued or successful, time will tell.
Can ALM Sue Impact Team For The Hack?
Another possible Ashley Madison hack lawsuit that, theoretically, has a chance of success? ALM v. Impact Team.
The Computer Fraud and Abuse Act is the main hacking law in the United States. And, it’s controversial. Some people feel the penalties are way too steep, and it only serves in over-punishing the “little guy” instead of the true masterminds who know how to properly cover their tracks.
Even if law enforcement agents were to unearth members of the Impact Team, it’s doubtful that ALM would prevail in the end…or that the case would even see a courtroom.
Make Sure Your Legal House Is In Order
The fallout of this Ashley Madison scandal will be long in the making. And if any claims do arise, like a Phoenix out of a murky legal quagmire, rest assured that it will take years to litigate.
In the meantime, if you run a business and have an e-tail presence, be sure you’re up-to-date with the latest online privacy and data breach laws and standards.
Estes, A. (2015, August 19). The Ashley Madison Hackers Just Released a Ton of Stolen Data [Updated]. Retrieved August 25, 2015, from http://gizmodo.com/the-ashley-madison-hackers-just-released-all-of-their-s-1724920693
Ragan, S. (2015, August 18). Ashley Madison hackers publish compromised records. Retrieved August 25, 2015, from http://www.csoonline.com/article/2973036/vulnerabilities/ashley-madison-hackers-publish-compromised-records.html
Doctorow, C. (2015, August 20). Ashley Madison commits copyfraud in desperate bid to suppress news of its titanic leak. Retrieved August 25, 2015, from https://boingboing.net/2015/08/20/ashley-madison-commits-copyfra.html
Kim, Z. (2015, August 18). Hackers Finally Post Stolen Ashley Madison Data. Retrieved August 25, 2015, from http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/
When Google is faced with a court order compelling the removal of a defamatory web page from its index, do you think Google should:
- Not remove the link at all, because doing so is sliding down a slippery anti-free-speech slope?
- Remove the link, but only from the national index of the country from which the court order originates? Or,
- Remove the link from every Google index worldwide?
This is the dilemma the Supreme Court of British Columbia had to consider in Niemela v. Malamas, 2015 BCSC 2014 (“Niemela”). The justices’ final decision: Choice B – only remove links from Google.ca, which means the pages can still be included and visible on google.com.
What Does This Ruling Mean For Canadians Who Want To Get Content Removed From Google?
What does this ruling mean in practical terms? Canadians who’ve successfully obtained an online defamation removal order in Canada may need to file another motion, in a U.S. court, to get the material removed from Google’s main index, Google.com. And even then, it may not be a sure thing since Canadian and U.S. defamation laws differ greatly.
Niemela v. Malamas: Online Defamation Case Summary
Negative Online Reviews Posted About Lawyer
In 2012, someone started posting negative online reviews about Vancouver attorney Glenn Niemela. Confident the posts were the work of a former “biker gang” client, Niemela informed the police of the situation but declined to take legal action. By 2014, though, he’d concluded that the reviews were hurting his business and filed a pair of lawsuits in an effort to get the content removed from the Web.
Lawyer Files Lawsuit Against Alleged Defamer and Google
Instead of just suing the suspected culprit, Niemela also filed a claim against Google over the “snippets” the search engine’s algorithm grabs to display in results.
In his legal pursuit of the actual defamer, Niemela succeeded. A Canadian court declared the statements on ripoffreport.com and reviewstalk.com defamatory. As a courtesy, the search engine offered to remove the offending pages from its Google.ca index, where 95% of search is done in Canada.
“Remove the links worldwide, Not just in Canada!”
But Niemela wanted more from Google. To secure his good name, he sought removal of the defamatory pages from Google’s worldwide index, especially Google.com. “[A]ny person’s honour, reputation and personal privacy ought [not] to be marginalized or compartmentalized to solely one jurisdiction, being Canada, by solely blocking the offending URLs from google.ca,” Niemela rationalized in his lawsuit.
Court Ruling: Only Remove From Canada’s Search Index
The British Columbian court, however, didn’t think Niemela’s argument satisfied the necessary legal tests. Specifically, the bench didn’t think Niemela demonstrated how his life or career would be irreparably harmed if the contested webpages weren’t de-indexed across all of Google’s properties.
The judges also disagreed with Niemela’s lawsuit against the search giant, in which he argued that search engine text snippets amounted to defamation. But the judges disagreed since Google’s algorithm is a “passive instrument” that does “not authorize the appearance of the snippets on the user’s screen ‘in any meaningful sense’.”
International Internet Law Attorneys
Kelly Warner’s online defamation lawyers frequently work with clients in Canada and enjoy professional relationships with attorneys in British Columbia, Quebec, Alberta and Ontario. Solving cross-border Internet law cases is one of our strengths.
Judge Lewis Kaplan hammered his gavel on the cybersquatting scrum between programmer Jason Kneen and OfficeLinks.com executive Harsh Mehta. In tennis speak: “Advantage, Kneen.”
A Quick Background Summary of the Mehta v. Kneen Cybersquatting Laws Case
- Kneen, a U.K.-based programmer, bought workbetter.com in 1999.
- More recently, Harsh Mehta, an office sharing startup co-founder, bought workbetter.us to market his service.
- In April 2014, Mehta approached Kneen about buying workbetter.com; he offered $500; Kneen ultimately refused and declined to sell his domain.
- Sometime around the failed domain sale, Mehta initiated the USPTO trademark application process for “Work Better.”
- Shortly after Mehta started the official process, according to Mehta, one of his “over-zealous” employees allegedly tried to get workbetter.com at the registration level. Twitter apologies were offered and accepted over the incident. At that point, most people assumed the workbetter.com domain battle was over.
- But then Mehta filed a cybersquatting lawsuit against Kneen over the desired domain.
Tech industry pundits buzzed about this cybersquatting laws case (including yours truly) — probably because it was possible for people to appreciate both parties’ arguments.
Judge on Mehta v. Kneen Cybersquatting Lawsuit: “This is a really bad one.”
Unlike us in the peanut gallery, Judge Lewis Kaplan saw no ambiguity. “However you slice it, there are good cybersquatting cases and there are bad ones. And this is really one of the bad ones,” Kaplan stated in his ruling. He went on to explain his position:
Plaintiff Didn’t Prove “Bad Faith Intent To Profit”
Mehta allegedly knew that Kneen owned workbetter.com but tried to register the mark anyway. For his part, Kneen had not – and at the time of this writing has not – violated any regulations in relation to the domain. As such, according to current U.S. intellectual property standards, in theory and praxis, Kneen isn’t doing anything wrong.
To put another way: if a URL isn’t being used to parasitically profit off another brand’s mark, owning a dormant URL isn’t necessarily a violation of trademark law.
To Win A Cybersquatting Lawsuit, Plaintiffs Must…
To win an online copyright or trademark lawsuit, plaintiffs typically must prove, at the very least, that the defendants:
- Were using their marks – or ones confusingly similar;
- Profited from the use of the contested marks; and
- Acted in bad faith.
Owning A Domain For A Long Time Worked In Favor of The Defendant (This Time)
Since Kneen owned the URL long before Mehta had an interest in it, under sui generis circumstances, the judge ruled that Kneen did not act in bad faith by refusing to sell the domain. Moreover, in this case, the court reasoned that any future sale of the domain would fail to contravene Mehta’s trademark since Kneen bought it almost a decade before Office Space Solutions came into existence.
Speak With Someone Who Understands Cybersquatting Law
Cybersquatting laws are nuanced. Kelly Warner attorneys are exceptionally well-versed in domain disputes and other online intellectual property legalities. Our cybersquatting law attorneys:
- Help clients secure, register, and defend trademarks and copyrights – both online and off;
- Settle domain disputes;
- Work with clients on UDRP petitions;
- Act as both plaintiff and defense counsel for intellectual property litigation; and
- Conduct research for startups and established businesses.
Get in touch. We’ll do our best to change your mind about lawyers and help protect your intellectual property – online and off.