If You Used Ashley Madison, Don't Worry
Cheating on one's partner almost inevitably ends badly for all concerned. Patrons of the recently hacked infidelity-enabling site Ashley Madison, though, need not be overly worried -- the user information released this week does less to threaten them than to exemplify the uselessness of much of the data that online services collect.
Ashley Madison claims to have 38 million members, men and women who are looking to have affairs. It works like a dating site with some peculiarities: For example, it charges $19 to delete an account -- demonstrating that the site's owners at Canadian company Avid Life Media understand perfectly well how concerned members are about the security of their information.
The perpetrators of the hack -- which Brian Krebs, the cybersecurity blogger, first reported on July 19 -- demanded that Avid Life Media take down the Ashley Madison site, as well as companion site Established Men, which is supposed to help young women find sugar daddies. Their motivation remains unclear: They called the site's users "cheating dirtbags," but moral outrage is a rather thin and illogical excuse for hacking a database. Avid Life refused to comply, instead uselessly offering free profile deletion to clients.
Now, the hackers claim to have released the stolen information, a 10-gigabyte archive of more than 30 million profiles with e-mail addresses, messages and transaction data. This time around, they say they want to expose Ashley Madison as a scam, with "thousands of fake female accounts" and an 90- to 95-percent male population of actual users. They referred to a lawsuit filed against Avid Life by a Brazilian woman living in Toronto, who claimed to have been paid to create 1,000 fake female profiles to launch Ashley Madison in Brazil.
The accusations don't pass the smell test. Men might be slightly more inclined to be unfaithful than women, but not by nine to one. Men who tried the site reported connecting with real women. The site wouldn't have grown so popular if it had been a swindle.
So what about the data? Some may be fake: The dump contains the last four digits of credit-card numbers, which Ashley Madison's founding chief technical officer, Raja Bhatia, told Krebs that the service didn't retain. That said, security professionals and specialized news websites have proclaimed the archive legitimate, in part because it contains internal documents from Avid Life. I have downloaded it and seen, for example, a file containing the company's floor plan and another purporting to contain the list of its shareholders. Besides, Krebs and others reported that verified clients confirmed that the dump contained their information.
What are the uncovered users going to tell their partners? For one, they can believably claim identity theft. The site encouraged users to set up free, anonymous e-mail addresses, so why would anybody use a real name? As cybersecurity blogger Graham Cluley put it, "I could have created an account at Ashley Madison with the address of email@example.com, but it wouldn't have meant that Obama was a user of the site."
There are 15,000 addresses in .gov and .mil domains, suggesting their owners were government employees or military officers. Each of these people could have set up an account -- whether to have an affair or out of curiosity -- or been spoofed, set up by an ill-wisher, or picked at random by someone looking at his mailbox when signing up. Michelle Thompson, a member of the U.K. parliament from the Scottish National Party, has already said her e-mail address had been used without her knowledge. No one can prove her wrong.
In short, the hack revealed a large but random selection of e-mail addresses, useless bits of credit card numbers, possibly fake photos, optimistic height and weight numbers, and heavily encrypted passwords that it will take an inordinately long time to crack (Ashley Madison used serious encryption technology for them). The information is largely useless for any practical purposes, though a jealous husband or wife could probably make a scene after taking hours to download and sift through the archive, which would suggest paranoia.
For all the concern about the reams of information that websites and the government are collecting, the Ashley Madison case shows how much of it can be garbage. How many people give a fake name when subscribing to a new service, or use separate mailboxes for various online activities? How many succumb to the temptation of "improving" their personal data, changing sex, height, profile picture or country of residence just for the fun of it? Dreaming is free, right?
The real Internet scam might be the business of collecting, parsing and reselling personal data. We are not our multiple web identities or social network accounts, no matter what the networks' policies demand. Getting the truth would require demanding some sort of digital ID at every corner -- something that not even authoritarian states such as China can achieve. Unfaithful husbands and privacy advocates can rest easy. Those who pay good money for data collected from the Internet, though, should worry.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author on this story:
Leonid Bershidsky at firstname.lastname@example.org
To contact the editor on this story:
Mark Whitehouse at email@example.com