Ashley Madison Experiences Fallout from Hacking Scandal
Daniels Fund Ethics Initiative
University of New Mexico
INTRODUCTION
Ashley Madison promised users that they could conduct secret extramarital affairs without their
spouses finding out. With the tagline “Life Is Short. Have an Affair,” Ashley Madison offered an
“Affair Guarantee” that guaranteed users would have an affair within three months of joining. While joining the site was free, connecting with other users required them to purchase credits. For $19 Ashley Madison would also scrub a user’s profile, deleting all information related to their interactions on the site. Ashley Madison was so successful that it considered launching a $200 million initial public offering in London.
That was before the wide-scale hacking of the Ashley Madison site and the posting of user emails, names, addresses, sexual fantasies, credit-card transactions, and account information on the Internet. At the time of the hacking incident, Ashley Madison claimed that it had about 40 million registered users. The resulting fallout included reputational damage, family conflicts, divorces, suicides, a $578 million lawsuit filed against the company, and the resignation of Avid Life founder and CEO Noel Biderman. The hacking scandal taught consumers an important lesson: nothing on the Internet is totally free from hacking risks. Therefore, nothing on the Internet can be completely anonymous and untraceable. Even those who had paid $19 to have their data deleted found that some transaction data had been kept on Ashley Madison’s servers and were among the information hacked and posted on the Internet.
This case begins by examining the premise of Ashley Madison and its background. A discussion follows that debates the ethics of the site itself as well as the hacking incident. We also examine some ethically questionable tactics Ashley Madison allegedly employed that go beyond infidelity.
HISTORY
Noel Biderman founded Ashley Madison in Toronto, Canada, in 2001. The name was taken from a combination of two of the most popular girl names of the time, Ashley and Madison. Ashley Madison is part of Avid Life Media, an entertainment company that owns other dating websites including CougarLife and EstablishedMen.
Biderman was inspired to start Ashley Madison after learning that a significant percentage of people using dating services were not actually single. It is estimated that 10 to 30 percent of online daters are already in committed relationships. To communicate through Ashley Madison, users purchase credits from the company. Men are charged both for sending emails and for reading emails from female users. Ashley Madison provides email addresses meant to be secret from one’s spouse or significant other.
The site immediately sparked controversy. Many consumers were outraged by what they saw as an encouragement to cheat on one’s partner. Biderman defended Ashley Madison, claiming that people are not going to cheat on their spouses just because they see an advertisement for Ashley Madison. Rather, they are already inclined to cheat. He also claimed that Ashley Madison can save marriages by allowing people who might be in a non-sexual relationship with their partners to obtain what they need and still be able to stay in their marriages.
His defense did little to stem the backlash. Ashley Madison was denied a number of marketing opportunities. For instance, the city of Phoenix refused its $10 million offer to rename the Sky Harbor Airport as Ashley Madison International Airport. Trish McDermott, founder of Match.com, has accused Ashley Madison of founding “a business built on the back of broken hearts, ruined marriages and damaged families.” Despite the controversy, Ashley Madison did extremely well and membership soared. In 2014 the site reported $115 million in revenue.
THE HACKING INCIDENT
On July 12, 2015, Ashley Madison employees logged on to their computers only to find a message informing them that the site had been hacked. The hackers, who called themselves the Impact Team, claimed that they would release customer data unless Ashley Madison and EstablishedMen were shut down. A week later the Impact Team posted the warning on Pastebin, and the next day Ashley Madison announced that it had been the victim of a hacking incident.
Ashley Madison had a choice to make. It could bow to hackers’ demands to shut down, or it could refuse and take the chance that the hackers would release customer data to the public through the Internet. Unsurprisingly, Ashley Madison refused to capitulate to hackers’ demands. Instead, it increased its security controls and worked with law enforcement to locate the hackers. According to Biderman, law enforcement was hot on the trail of the hacking culprits. However, the hackers already had information on millions of Ashley Madison users. On July 22 data from two Ashley Madison users were leaked. The Impact Team gave Ashley Madison 30 days to give in to their demands. On August 18 the message TIME’S UP was posted on Pastebin, and the Impact Team released 10 gigabytes of information pertaining to user emails.
The data were found to be legitimate after some of the Ashley Madison users whose data were leaked confirmed that they were customers. On August 20 the Impact Team dumped mostly internal data, including emails by Noel Biderman. On August 23 the Impact Team made a third data dump. In all, information from 32 million users was posted on the Internet. This included transaction details that spanned from seven years before the incident. While many users used fake email addresses and pseudonyms on the site, credit card details that were posted gave clues as to the identity of the person. Included among the email dump were government-issued emails.
secure site. The hackers allege that it was incredibly easy for them to hack into the site and that any claims of security were false.
Ashley Madison and law enforcement heavily criticized the criminal actions of the hackers. Ashley Madison announced a $500,000 ($377,000 USD) reward for anyone with information on the hackers. It reassured users that no credit-card numbers were posted. Despite this fact, a class-action lawsuit was filed against Ashley Madison
THE ETHICS OF ASHLEY MADISON
It is clear that many people view Ashley Madison as a moral outrage. Conservative television host Sean Hannity blasted Noel Biderman on his show for founding a “pimping” service. The hackers themselves called those that use Ashley Madison “cheating dirtbags.” On the other hand, cheating on one’s spouse or partner is not illegal, and others believe that Ashley Madison has the right to promote a service that does not violate laws, despite the ethics involved.
Certainly the wide-scale growth of Ashley Madison membership and use of its services demonstrate consumers’ willingness and acceptance to use the site. Biderman continues to maintain that his site does not create infidelity, using an analogy of how a divorce lawyer does not cause people to divorce. There is also no question that consumers are often fascinated by “taboo” subjects such as adultery. After the Noel Biderman interview featured on Sean Hannity’s show, Ashley Madison claims that 42,000 people signed up in one day.
The ethicalness of the hackers’ actions is also called into question. Although the hackers committed the act based on moral grounds, what they did was clearly illegal and constitutes theft.
Law enforcement is actively investigating the hack to try to track down those involved. Many of those who dislike Ashley Madison might find it hard to sympathize with an illegal act done to ruin a company when those actions cause pain to the families involved.
In terms of the information that hackers were able to access, Ashley Madison had taken some precautions. For instance, it did not store entire credit-card numbers in its database. It also hashed user passwords rather than storing them as plain text, making it somewhat harder for hackers to decipher them. However, the company did store personally identifiable information that hackers were able to obtain, including IP addresses. These IP addresses would later reveal email addresses that were connected to members of Congress, law enforcement agencies, and other government officials. This failure to exercise additional security has prompted a class-action lawsuit against the firm.
DID ASHLEY MADISON COMMIT FRAUD?
Unlike the hackers’ actions, Ashley Madison’s core services were not illegal, although certainly morally questionable. However, access to the released data has revealed that Ashley Madison might have been involved in more questionable dealings from a legal standpoint. It has been known for a long time that some of the “winks” that men receive on the site are actually fake. Ashley Madison indicates this in its “legal” and “terms” part of the website. According to Ashley Madison, these winks and the responses they generate were used for marketing research purposes. Despite the disclosure, some believe it is morally and legally questionable to fool paying customers with fake posts. Additionally, Ashley Madison was criticized for allowing a sports scientist to eavesdrop on an online conversation for research purposes. This act cast doubt on how Ashley Madison views the privacy of its users.
This question got even bigger after customer data was released on the Internet. The Impact Team maintained that while Ashley Madison claimed it was a successful infidelity site, approximately 90 percent of the users are male. This implied that many of the female profiles were fake. The CEO of Errata Security broke down the genders and reported that there were approximately 5 million women who used the site versus 28 million men. If true, this would directly contradict an assertion by Noel Biderman that the gender makeup of those who used the site was about equal.
Journalist Annalee Newitz began her own investigation into the data. After examining the data, she reported that only about 12,000 women were active on Ashley Madison. Ashley Madison responded by saying that it is impossible to figure out how many users are women based upon the hacking information. Newitz conceded that she had misunderstood the data; actually, the data that the Impact Team released did not involve human activity at all. Instead, she maintains the data reveals emails that occurred when fake humans sent email to male users. According to her research, out of 70,572 bot (fake) accounts, only 43 were directed toward women. The rest were targeted toward men. This implies that the company extensively used fake posts and profiles to engage men and keep them using the service. It would also call into question how Ashley Madison was able to guarantee heterosexual affairs if there was such a large discrepancy between men and women.
If true, then this could indicate fraudulent activity on Ashley Madison’s part. This is not the first time Ashley Madison has been accused of creating fake online profiles to attract men. In 2013 a former female employee sued Ashley Madison for injuries she claimed were caused by repetitively typing up hundreds of fake profiles of women to entice male subscribers. Ashley Madison claimed these assertions were false and the employee was never involved in creating fake profiles.
Others dispute the accuracy of Newitz’s claims and caution against using the data to draw conclusions about the number of women on the site. This caution may be appropriate because there are a lot of data still missing, and as seen by Newitz’s earlier assertion, the data can easily be misinterpreted. Of course, this still does not change the fact that identifiable information from millions of Ashley Madison customers is now accessible on the Web.
DID ASHLEY MADISON DO WHAT IT PROMISED?
Another issue that may indicate questionable dealings is the $19 fee used to “scrub” a user’s profile.
For $19 Ashley Madison claimed that it would remove all information associated with a member’s profile. However, this removal of information was not as thorough as users thought. The company still maintained transaction data in its payment database linked to identifiable information. Data labelled as “paid delete” were released onto the Internet affiliated with people’s locations, birthdates, etc. Ashley Madison claims that it removed what it promised it would remove. It never promised that it would remove transaction data from its database and is therefore not guilty of misrepresentation. One woman filed a lawsuit after she found that the $19 she had paid to have her profile scrubbed still had identifiable information that was leaked.
Additionally, Ashley Madison did not verify its users’ email addresses. This allowed many users to create fake email addresses when registering, which may have offered them some protection in the data leak. On the other hand, because Ashley Madison did not verify the email addresses, it also made it possible to use others’ email addresses to register. For instance, a person could use a celebrity or politician’s email address to develop a profile and hide his or her identity.
Some people are complaining that their email addresses were used without their consent. Others claim that profiles were created as a prank by friends or office workers. Even if profiles or emails were used from people who had nothing to do with Ashley Madison, they still had to pay to have their information scrubbed.
This creates the potential for people who had nothing to do with Ashley Madison to be implicated in the scandal. Ashley Madison claims that it cannot be proven its users had affairs based solely on their membership. However, with a taboo subject such as adultery, even an innocent person who never connected with anyone on the site is implicated and could suffer reputational damage.
After the scandal, Noel Biderman stepped down as CEO citing that it was best for the firm. Many people posted comments on Twitter making fun of the fact that philanderers were being exposed.