I appeared on Sky News on Wednesday evening discussing the theft and dump of Ashley Madison data. As always, time on live television is a great experience but also extremely limited so I wanted to expand on some of my thoughts on the social, organisational and individual implications.
Before I get into that, some points to be aware of:
- Many of the accounts are thought to be fake, as users did not need to verify their account
- Although the site is set up to facilitate extra-marital affairs, it seems that it was also used by single people as a way to meet other single people
- A lot of the female (and presumably some of the male) accounts appear to be run by prostitutes
- There has since been a second dump of data
There has been a paradigm shift in society’s conception of privacy, facilitated by the way in which personal data is now shared, stored and stolen on the Internet. In the couple of days since the Ashley Madison data was dumped we already seem to have been saturated with ‘news’ stories about famous and non-famous people whose email addresses are included in the data. For me, this raises a few crucial questions:
- Will there be a point where privacy has become so devalued, and we all know everything about each other, and so the fact that people have sex and do stupid things will no longer be classed as newsworthy?
- Why, in ethical and legal terms, is it apparently acceptable for people to handle stolen data, when the same cannot be said of stolen goods? If my laptop is stolen, I would be far more concerned about the data being rifled through, than the actual physical device. Hacking and stealing data is illegal. Why then, when the handling of stolen data can be so much more damaging than the handling of stolen goods, is it OK for journalists (and anyone else) to download, interrogate and use that data?
- Should we not be enforcing strong encryption on the storage of personal data (rather than just stating it must be stored securely, as in the current Data Protection Act, without suggesting what that baseline of security is)?
2014 has been labelled the year of the breach. Surely every year for a good long while is going to be ‘the year of the breach’ as it becomes more obvious that there really are two kinds of organisations in the world (those that know they’ve been breached and those that don’t). Organisations need to acknowledge that, if they hold data that other people would find valuable in any way, they need to do more to keep it as safe as possible. In the face of ever-growing threats and vulnerabilities, this is more challenging, and more important, than ever.
We’re seeing an increase in breaches which target personal, explicit information. The theft of financial and corporate information can, of course, be hugely damaging. The theft of deeply personal information such as naked photographs (‘the fappening’) or sexual preferences poses perhaps more potential to be deeply psychologically and physically damaging. It is not being overdramatic to state that the potential fall-out of the theft and dump of Ashley Madison data includes divorce, domestic violence and death. When it is illegal to be gay or to have extra-marital affairs in a lot of countries, and accounts have been identified in those countries, this kind of information breach is very troubling.
The onus (arguably unfairly) increasingly falls to people using the Internet to take better security measures, including strong and unique passwords, two-factor authentication, providing false answers to security questions and considering using dummy email addresses to sign up to online accounts.
One very important point about the Ashley Madison data: phishing attacks will ride off the back of it. Be very careful when using tools to check whether a particular email address is included in the data. Some of these may themselves be people harvesting email addresses and so it is highly recommended that you use a reputable service such as have i been pwned?
Until society, legislation and organisational security catches up with the huge changes that technology has ushered in, people need to understand that while the Internet seems to offer anonymity and freedom, that offering is something of a veneer.