Saturday, September 12, 2015

Crime, ignorance, ethics, and irony in the wake of the Ashley Madison affair

I'm hoping that the Ashley Madison hack will be a turning point in cyber-ethics, the point in time when we collectively decide that:
  • hacking companies and publishing the private information they have stored about people is morally reprehensible; 
  • lying to your customers about how you handle their data is unforgivable and needs to be punished; 
  • passing judgment on the sex lives of consenting adults is a fool's game; 
  • hacking people and products just because you don't like them is irresponsible and stupid; and 
  • hacking organizations to show they are not protecting data as well as they could be is a waste of skills and everyone's time - we know this already so creating more evidence does nothing to advance human knowledge or improve life on earth.
Sadly, a lot of the early media coverage and social discussion of the Ashley Madison hack showed few signs that we are at this hoped for ethical turning point. In light of this, I thought I would try to move the discussion forward with thoughts on five different parties to this whole mess.

1. The Perpetrators: So-called hackers

The people who recently stole and published gigabytes of data from the website need to be identified and made to answer for violating the privacy of the tens of millions of real people whose information is apparently in that data dump (the number of real people affected is hard to determine because the website's owners, Avid Life Media or ALM, made little effort to prevent people creating multiple fake accounts and are alleged to have created many such accounts themselves).

To be clear: there is nothing brave or noble or good about what was done by these "hackers" (whom it would be better and more accurate to call "data thieves"). Furthermore, any deaths or other harms that come from the theft and release of this data are on the heads of the person(s) who perpetrated these acts. They had no right, moral or otherwise, to carry out these acts.

By stealing and then publishing this data, the perpetrators have enabled countless scams, frauds, and other criminal acts, not least of which is blackmail. There is no legal, logical, or ethical analysis of their actions which can absolve them of responsibility for what they have done (and which cannot be undone, as well they know).

As for the rest of the world, most notably the world's media, claiming that people who are named in that data dump somehow deserve exposure is a totally untenable position, not least because many of those named didn't actually have affairs, or seek affairs, or even sign up to the site. Some people surfed the site out of curiosity or for titillation; and registering people on the site was a common prank, made possible by the irresponsible and frankly avaricious data handling practices of its owners.

Look for someone to sue the Ashley Madison data thieves for privacy violation, which is different from suing the company that failed to keep the secrets from which it made its money, Avid Life Media. The latter form of legal action is already underway to the tune of $578 million.

2. The Corporate Victim: Avid Life Media

Whatever you think of the business model of ALM, and I happen to think it sucked, they have been victimized by criminal perpetrators. If you condone the actions of those perpetrators you are appointing yourself judge and jury and enforcer of your own values, a course of action which, if replicated, poses a threat to society.

What if I dislike the way you do business? What if I think your employer needs a dose of "hacktivism" acted out as the righteous liberation of confidential data, which may happen to include, like it did in the Sony Pictures hack, the identity data of current and former employees, yourself included?

Are we really going to make the leap from justifiable anger at shady business practices to trashing cyberspace and turning it into a playground for disaffected bullies and jerks? What do we do when someone gets hurt? When someone takes their own life? Do we just dismiss them as collateral damage in our self-appointed war on whatever it is we don't like?

3. The Corporate Creeps: Avid Life Media

In their eagerness to make money, the folks running not only cut corners on security, they deceived people. Here's an example, an email that was sent to someone who had registered on the website and then asked to be removed. The email certainly reads like the person's request had been honored:

However, after the recent dump of data from ALM's computers, this person found their information was still there, more than five years after they thought it had been removed. At some point ALM actually introduced account removal as a paid service! I don't know when that was, but if you've spent any time studying privacy law and the widely held principles of fair information practices, it is simply staggering that a commercial organization would charge a person to delete data about them.

Of course, if you read the above email closely, it doesn't actually say the person's data has been erased. This is just one of many ways in which ALM used weaselly wording in an effort to make money however it could. While making apparently serious claims to guarantee customers an affair, the terms and conditions state "there is no guarantee you will find a date or partner on our Site or using our Service. Our Site and our Service also is geared to provide you with amusement and entertainment."

But when you take money for promising to remove people's information, and then don't? That's beyond weaselly, and many people have alleged that their data persisted on ALM's systems even after they had paid to have it removed. These deceptive practices are particularly heinous because of how Ashley Madison positioned itself, as both the epitome of discretion and the endorser and enabler of actions some portion of the population find to be immoral and worthy of exposure.

4. The Innocent Victims: Ordinary people

To be clear, meeting people online is not, in my opinion, immoral. I met my partner of 30 years through a dating site, one that was located on the pages of the San Francisco Bay Guardian. We used pen and paper and postage stamps not computers, but it was clearly the precursor to online dating services, with which I have no problem. I know numerous couples who, like my partner and I, met through a dating service of some kind and remain happily married and monogamous.

And as long as nobody gets hurt, I don't have a problem with adults enjoying non-monogamous inter-personal relationships. I'm pretty sure many monogamous people fantasize about affairs without having them, which may contribute to their staying in a relationship. And I expect a lot of Ashley Madison clients were doing just that. Of course, many people, married or otherwise, surfed the site out of curiosity or for titillation; and registering people on the site was a common prank, made possible by the irresponsible and frankly avaricious data handling practices of its owners.

5. The Big Loser: Society at large

Make no mistake, if we continue down this road - exercising a self-appointed right to publish confidential personal data without the data subject's permission - we all lose. And by all, I mean humanity, and by lose, I mean serious losses, not least of which are the potential benefits of responsible data sharing, from telemedicine to population healthcare and genetic cures, from energy efficiency to environmental protection and improvement programs, and so on.

It is my firm and considered opinion that the promised benefits of big data and the Internet of Things will not be realized if we humans don't learn to avoid the temptation to abuse the underlying technology for selfish and/or misguided purposes.

Which leaves us with this irony: the criminals who stole and published the Ashley Madison data, wrong as they were, may have given us an opportunity to take stock of the way we are using digital technology, revealing in the process how far we have yet to go in our efforts to enjoy its benefits while managing its risks.

No comments: