Ashley Madison Hack: Can People Sue?
Online purveyor of pro-paramour lifestyles, AshleyMadison.com, encouraged users to “have an affair,” because “life is short.” Well, the company’s lifespan may now be in jeopardy thanks to a possible litigation tsunami heading its way.
Who can exposed Ashley Madison users sue? The website or the hackers? What can “victims” legally claim? What are the chances of Ashley Madison successfully defending themselves? Will the business survive a litigation onslaught?
Let’s deconstruct the scandal and possible legal aftermaths.
The AshleyMadison.com Hacking Scandal Basics
What is AshleyMadison.com?
From its website: “Have an Affair today on Ashley Madison. Thousands of cheating wives and cheating husbands signup everyday looking for an affair…With Our affair guarantee package we guarantee you will find the perfect affair partner.”
Who owns AshleyMadison.com?
Avid Life Media (“ALM”), a Canadian company that also operates websites called Cougar Life and Established Men.
Who hacked the site and when?
An ostensibly ethical hacking collective known as the Impact Team claimed responsibility for the breach. Impact Team announced its coup mid-July; at that time, it made demands of ALM, offering a month-long compliance window. ALM didn’t comply with the demands, so Impact Team leaked the data mid-August.
What reason did Impact Team give for its act of hacktivism?
Impact Team targeted two of Avid Life’s properties. Excerpts from its public statement regarding the hack:
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
How did Avid Life Media respond to the initial hack?
The company behind Ashley Madison did not comply with Impact Team’s initial requests. Instead, ALM told users it had augmented security on the site. When the initial data dump hit, ALM speculated that the information wasn’t real. After its forensic team had explored the matter, however, the company acknowledged the breach.
What information did Impact Team eventually release?
Via two giant data dumps, initially only accessible with a Tor browser, Impact Team divulged around 32 million accounts. Some accounts are bogus; some are legit. Currently, most people aren’t paying much attention to email addresses not attached to payment accounts. And even for accounts that do include credit card info, there is no guarantee that the card holder’s identity wasn’t hijacked.
We should note that Impact Team didn’t release full credit card information, only the last four digits.
Did Impact Team explain why it eventually released the data?
Yes. According to Impact Team:
We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data … Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters. …
“Too bad for ALM, you promised secrecy but didn’t deliver.”
Impact Team also urged the exposed to “make amends” and encouraged: even though it is “embarrassing now,” Ashleymadison.com users will “get over it.”
Did Ashleymadison.com make any effort to secure user data?
Yes. The site used a PHP bcrypt algorithm to store passwords, which is considered an acceptable method among digital security specialists. However, as Robert Graham, CEO of Erratasec explained, “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password.”
Avid Life’s Statement About The Data Revelation
“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of Ashleymadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the company said in a statement. “The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”
Two Important Things to Consider About the AshleyMadison.com Hack That Could Impact Potential Legal Actions Stemming From the Incident
Fake Accounts: Countless Ashley Madison accounts are fake and created by bots.
No Verification Required: AshleyMadison.com doesn’t require email verification to create an account. As such, an innocent person’s address could have landed in the data scrum if:
- The email address is publicly available online, and a bot picked it up in an automated profile creation scrape;
- Someone else used the email of an enemy – or friend – to set up an Ashley Madison account;
- A reporter or investigator set up an account to get a peek behind the curtain for research purposes.
Legitimate accounts are most likely attached to credit card information – like reality TV’s Josh Duggar’s account.
Ashley Madison Hack: What Can People Sue Over?
According to statements issued by the collective, one of the main reason’s Impact Team targeted Avid Life Media’s sites was the company’s paid security option.
“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life.”
Which raises a question: Can “hack victims” (i.e., Ashley Madison users) successfully sue Ashley Madison and Avid Life Media? It’s an insanely complicated question.
An ocean’s worth of individual details would factor into the fitness of any potential claim. That said, let’s take a look at some potential types of lawsuits that could be brought, then deconstruct the likelihood of success.
Hypothetical Ashley Madison Lawsuit Category: Defamation / False Light Invasion of Privacy
Can Ashley Madison users sue the website for defamation or false light invasion of privacy – a tort very similar to defamation which is on the law books in some states? On a scale from one to ten, the chances are about a .5. Why? Two reasons:
- Though there are rare exceptions (like in Massachusetts), “truth” is a rock-solid defense against slander and libel claims. And in the case of the Ashley Madison hack, Impact Team covered its proverbial “butt” by pointing out that not all of the accounts are necessarily real.
- Due to Section 230 of the Communications Decency Act, Internet service providers and certain social media platforms enjoy a considerable amount of third-party defamation immunity protection.
Now let’s look at some hypothetical scenarios.
Hypothetical Ashley Madison Defamation Lawsuit: Individual User v. Ashleymadison.com / ALM
Again, the likelihood of an individual user successfully suing Avid Life Media for defamation is between slim and none. Under U.S. law, to win a defamation claim, plaintiffs must prove that the defendants made false statements of fact. In this case, though Impact Team hacked and leaked data, AshleyMadison.com – nor its employees – made false statements of fact about users.
Intention also plays a primary part in state-side slander and libel suits. In this case, Ashley Madison executives didn’t act with actual malice, neither did they act with reckless disregard for the truth.
HOWEVER, Ashleymadison.com’s website featured verbiage that promised a premium account option – and option that included information “deletion.” This program could be the basis of a solid breach of contract claim, which we’ll get to below.
Hypothetical Ashley Madison Defamation Lawsuit: Individual User v. Impact Team
Like ALM, it’s unlikely that individual users can bring successful defamation lawsuits against the Impact Team. Firstly, the collective didn’t spread lies; it leaked information. Even in instances where an automated bot scraped an email address from the Web and amended it to Ashley Madison’s database, the hackers, in theory, should be immune from libel liability. Why? Because in the collective’s release statement, Impact Team admitted that a large chunk of the user data was most likely false. The team even highlighted an ongoing class action, over fake profiles, against ALM.
Hypothetical Ashley Madison Lawsuit Category: Individual User v. Individual Online Shame Spreader
Theoretically, one type of Ashley Madison defamation lawsuit that has a shot at success is between an individual whose information was falsely leaked and a person who publicly makes assertions based on the presence of that false information. Huh? This scenario is best explained in an example.
Example of a Potentially Successful Ashley Madison Defamation Lawsuit
John and James are co-workers and rivals for a job position. Turns out that John’s email address was among those leaked in the Ashley Madison data breach. John, however, has never used Ashley Madison and is happily married. His email landed in the website’s records on account of a bot that scraped the Web for addresses to make fake profiles – a subversive online marketing technique. In fact, John had no idea his email was even in the leak.
Now let’s cut to James, John’s work rival. He searches through the Ashley Madison data dump and comes across John’s email. Teeming with schadenfreude, James immediately takes to Twitter and scolds:
“John Doe is an adulterous CHEATER! He’s slept with the entire office and probably has a disease!!”
A tweet like this could be deemed defamatory (or at least false light). For starters, James makes a false statement of fact by asserting that John is a cheater and has a disease. Arguably, this is a reckless statement because the Impact Team explained the probability of false-positive accounts and highlighted the ongoing lawsuit involving fake profiles. Moreover, James extrapolated an entire story based on one piece of information.
There is no guarantee that John would win our hypothetical case, but of all the possible Ashley Madison defamation conflicts, a scenario like his has the best chance of success. But again, all online libel lawsuits depend on the details of the case, so it’s best to speak with an attorney about specifics.
Hypothetical Ashley Madison Lawsuit Category: Data Breach / Online Privacy
Hypothetical Ashley Madison Lawsuit Category: Individual U.S. User v. Ashleymadison.com / ALM
“Ashley Madison users can surely sue for violations of online privacy, right?”
Believe it or not, the United States doesn’t have a universal online privacy law. California’s online privacy statute comes the closest, but as of this writing, it doesn’t appear that ALM has violated it. After all, the company did take steps to secure passwords; the hackers were just smarter.
And though ALM at first questioned the validity of the data, the company did “fess up” in an appropriate amount of time. Moreover, ALM is working with law enforcement officials to find the culprits — all of which is in accordance with California’s – and other states’ – online privacy laws.
Of course, there may be extenuating circumstances that affect the validity of any given AshleyMadison.com User v. ALM online privacy lawsuit.
Hypothetical Ashley Madison Online Privacy Lawsuit: Individual E.U. User v. AshleyMadison.com / ALM
Though European Union online privacy laws are stricter than those in the United States, the probability of a successful Internet privacy claim in an E.U. court is equally as low as it is state-side. Mostly because the overseas digital privacy laws have more to do with acknowledging certain types of tracking (which you can read about here [link]) as opposed to punishing instances of data breaches.
Hypothetical Ashley Madison Online Privacy Lawsuit: Individual User v. Impact Team
Can individual users sue Impact Team for invasion of privacy? Highly Doubtful. Again, the word “privacy” isn’t even in the U.S. Constitution, and Capitol Hill has yet to pass a universal online privacy law.
Besides, finding the members of Impact Team is probably a longshot.
Hypothetical Ashley Madison Lawsuit Category: Breach of Contract
Hypothetical Ashley Madison Breach of Contract Lawsuit: Individual User v. AshleyMadison.com / ALM
“Breach of contract” lawsuits – or a breach of contract class action – may be the legal straw that breaks Avid Life Media’s back.
As a pay option, AshleyMadison.com offered members a deletion service for $19.99. And as the world now knows, it looks as if those promised deletions never happened.
Even if ALM included some tricky language in its terms about “deletion” not really meaning “deletion,” the company could still be in trouble. How? Because the language used to promote the service led the average user to believe that his or her data would be expunged completely; that was the conspicuous message.
Besides, the law, in many ways, no longer allows for “fine print” gotcha clauses, which are buried behind hyperlinks, in agate-font text. Hiding important information like that is considered underhanded and judges ordinarily don’t grant absolution for those types of tactics.
Other Possible Lawsuits: False Advertising and Fraud
In addition to breach of contract, it’s possible that the government may sue for false advertising – on account of the $19.99 deletion promise. Others will argue that it was fraud to take the money and then not fulfill the promise made. Whether or not either of these types of actions will be pursued or successful, time will tell.
Can ALM Sue Impact Team For The Hack?
Another possible Ashley Madison hack lawsuit that, theoretically, has a chance of success? ALM v. Impact Team.
The Computer Fraud and Abuse Act is the main hacking law in the United States. And, it’s controversial. Some people feel the penalties are way too steep, and it only serves in over-punishing the “little guy” instead of the true masterminds who know how to properly cover their tracks.
Even if law enforcement agents were to unearth members of the Impact Team, it’s doubtful that ALM would prevail in the end…or that the case would even see a courtroom.
Make Sure Your Legal House Is In Order
The fallout of this Ashley Madison scandal will be long in the making. And if any claims do arise, like a Phoenix out of a murky legal quagmire, rest assured that it will take years to litigate.
In the meantime, if you run a business and have an e-tail presence, be sure you’re up-to-date with the latest online privacy and data breach laws and standards.
Estes, A. (2015, August 19). The Ashley Madison Hackers Just Released a Ton of Stolen Data [Updated]. Retrieved August 25, 2015, from http://gizmodo.com/the-ashley-madison-hackers-just-released-all-of-their-s-1724920693 Ragan, S. (2015, August 18). Ashley Madison hackers publish compromised records. Retrieved August 25, 2015, from http://www.csoonline.com/article/2973036/vulnerabilities/ashley-madison-hackers-publish-compromised-records.html Doctorow, C. (2015, August 20). Ashley Madison commits copyfraud in desperate bid to suppress news of its titanic leak. Retrieved August 25, 2015, from https://boingboing.net/2015/08/20/ashley-madison-commits-copyfra.html Kim, Z. (2015, August 18). Hackers Finally Post Stolen Ashley Madison Data. Retrieved August 25, 2015, from http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/