There were probably some awkward silences amongst a number of married couples around the world on Sunday evening and into Monday morning last week as news broke that a specialist adult dating site had been hacked.
Ashley Madison (AM) is part of Canadian company Avid Life Media (ALM), which specialises in websites offering married users opportunities to hook up with similarly attached people. Other associated ALM sites include Cougar Life and Established Men.
The group claiming that it has stolen a mere 40MB of data, including credit card details and some company information on ALM, is called ‘The Impact Team’ (TIT). They claim that the delete option on the AM site is a lie, and despite users paying £15 to have their information removed, it actually remains undeleted.
They express no sympathy for the users of the site saying they deserve any discomfort. They are demanding that the site be taken down or they will release more information. Their stated motive is said to be rooted in morality but blackmail may be a better word. The reality is they are doing this for profit.
AM is the second website of a sexual nature to be hacked in as many months. When Adult FriendFinder was attacked in May 2015, more than 3.5 million people’s sexual preferences, fetishes and secrets were exposed. Many individuals are still suffering fall out from this as their highly sensitive personal data is traded on the dark web. With persistence and the type of information available, hackers can find out who and where these people are. Therefore there is a real threat to individuals should this information go public.
What remedies are available to individuals who are targeted in this way? Under normal circumstances, subscribers would have a straightforward claim for an injunction to protect their privacy. The release of this information is in clear breach of Article 8 of the European Convention on Human Rights, which can be found in schedule 1 of the Human Rights Act 1998; everyone has the right to respect for private and family life, home and correspondence.
Should TIT carry out its threat it does not take too much imagination to identify a number of causes of action available to victims but in this short article we take issue with AM’s probable line of defence that it can be excused liability by reason of its absurdly stringent Terms and Conditions. Regarding privacy they say, ‘although we strive to maintain the necessary safeguards to protect your personal data, we cannot ensure the security or privacy of information you provide through the Internet and your email messages’.
In their disclaimer of warranties, they ‘do not warrant that any information you provide or we collect will not be disclosed to third parties’. And if you are looking for ways in which to challenge them in response to the hacking, they say ‘you agree that we will not be liable for any damages whatsoever regarding disclosure of, unauthorized access to or alteration of your content’. It is difficult to imagine many jurisdictions finding that ALM’s attempts to limit liability could be upheld. And so far as data breaches are concerned the ubiquitous Information Commissioners around the world they are unlikely to let ALM go unpunished.
Jurisdictional issues obviously increase the complexity of the matter. Although ALM is Toronto based, Republic of Cyprus law governs the T&Cs. ALM opened an office in Cyprus in early 2013 as a base for its international operations. Cyprus is in the EEA so ALM is vulnerable to claims issued in the EU. The European Commission has decided that Canada has an adequate level of protection for personal data, so ALM is not going to find refuge there either.
It is in Canada that red faced spouses, should they put their heads above the parapet, are likely to bring their claims. Given that there are 37 million subscribers, it could very possibly be one of the largest class actions the world has ever seen.
The twist of the knife is that these latest developments will have confirmed investors’ worst fears about reputational risk. In mid-April of this year, after a failed Canadian listing, ALM announced that they were planning a London IPO. By early July this listing was also looking less certain and they were close to abandoning it. In light of recent events and the increasing pressure on this uncertain listing, perhaps ALM – and investors – had a portent of things to come.
Rhory Robertson is a Partner and Clare Brown Library and Information Manager, working in the Collyer Bristow Cyber Investigations Unit.