In the world of hacking, there are good guys and there are bad guys. They both steal information, but the good guys – the “white hats” – will do it to help pinpoint sites’ vulnerabilities so companies can reinforce weak spots. The bad guys – “black hats” – take information to use for their own personal gain.
Is the Ashley Madison hack a case of moral vigilantism – a sort of white hat hack – or something else?
Experts say the ethical ambiguities around this hack place it in a different realm.
Ashley Madison, the paid, online service that connects people looking to cheat on their spouses, was hacked, and the thieves stole the names and other information about its 37 million users, KrebsonSecurity reported.
The hackers, who identified themselves as The Impact Team, criticized the site’s owner Avid Life Media (ALM) for continuing to store user data after an account is deleted, and called the users themselves “cheating dirtbags.” The Impact Team published stolen information from users’ accounts and about the site’s server and finances, threatening to release more data, “including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails,” if ALM did not permanently shut down Ashley Madison and another dating site it owns, Established Men.
ALM chief executive Noel Biderman told KrebsonSecurity late Sunday night that the company was working to take down the information. Regardless of opinions on the morality of the site, he said, the information was still protected under property law.
“We’re not denying this happened,” Mr. Biderman said. “Like us or not, this is still a criminal act.”
Stressing the illegality of the hack, Paul Williams, chief technology officer of security consulting company White Badger Group, says neither hacker hat metaphor is wholly appropriate for committing an "ugly" act for a good reason.
“This one is more like ‘hacktivism’ to me,” Mr. Williams says. “It is definitely black hat, but it’s like Robin Hood robbing from the rich to give to the poor. In this case, these guys are doing a very ugly hack that’s blatantly against the law, but in the name of doing something good. So it’s kind of like a crossover of hacktivism and, of course, black hat.”
D.E. Wittkower, assistant professor of philosophy at Old Dominion University whose research involves the legal invocation of property rights to protect privacy, adds that since The Impact Team’s motivation is about morality – not aiding the company in boosting security or promoting criminal activity – even the more ambiguous “gray hat” label does not fit quite right.
Instead, he says he favors ALM’s claim that the hack is an act of “cyber-terrorism.” The term, he says, “in some sense, seems way overblown, but as a factual description I think might be pretty accurate, because what they’re trying to do is to utilize fear in order to bring about a change in company policy.”
“In this case, they want to stop the offering of these products,” Mr. Wittkower says. “It’s not a war against the company. They actually specifically identified a variety of properties and said, ‘these two should be shut down; the rest can stay up.’ So there’s a very specific political aim that seemed to be based in a moral judgment about those properties. They didn’t have an issue about the gay dating site. It was the adultery site.”
ALM said in a statement Monday morning an investigation had been launched into the breach, but Williams says it is unlikely the “brains” will be caught or punished since “the Internet doesn’t really support investigation too well.”
Ashley Madison called itself in an email last year “the last truly secure space on the Internet,” but apparently has been aware of the catastrophic implications of a security breach. KrebsonSecurity reported that ALM chief technology officer Trevor Stokes, asked what he would “hate” to see go wrong, said in one of the leaked documents, “I would hate to see our systems hacked and/or the leak of personal information.”
The Wall Street Journal presaged the hack in May, after the dating site AdultFriendFinder suffered a similar breach. In a report called “Risky Business for AshleyMadison.com,” potential ALM investors were urged to take the AdultFriendFinder hack as a warning of the risks associated with a security violation.