The Ashley Madison breach is undoubtedly alarming to the millions of people who used the site that encouraged extramarital affairs – especially to any customers who paid to have their data scrubbed from the site.
If you believe the apparent attackers – the individual or group calling itself the Impact Team – Ashley Madison retained customers' names and addresses even after they paid $19 for a "full delete" of their details. After the Impact Team posted some Ashley Madison user info online earlier this week, the company defended its practices and said it "does in fact remove all information related to a member’s profile and communications activity."
Regardless of who is right in this case, the Ashley Madison breach highlights a stark reality when it comes to controlling personal information shared online: Truly deleting it takes more effort than dragging a file to a virtual trash can.
"You don’t have any good way to ever ensure that that data is gone," said Doug White, a digital forensics expert who also teaches at Roger Williams University.
Auditing a site’s deletion claims can be nearly impossible, Mr. White and other experts said. Even if the site says it will delete user data, there is no sure way for customers to check if the data is permanently gone.
Furthermore, requesting a complete data scrub can be complicated for customers. As Ars Technica noted in an article last year, many users found the process for deleting their profiles and information on Ashley Madison complicated and confusing. The "full delete" service offered by the site includes erasure of a user’s profile, private messages, site history, photos, and other personally identifiable information.
But even when users request that data be removed from websites, companies have little incentive to actually erase it, said Andrew Sudbury, cofounder of the online privacy company Abine. He said full deletion of user data is not a common practice among Web companies because it has become so easy to store lots of information in cloud servers and there's little legal pressure for full data deletion. Plus, he said, customer data is a goldmine for companies that can analyze and sell it for additional revenue.
Full data deletion is also a labor-intensive process. For instance, a site such as Ashley Madison would need to remove the information from every server the data exists on, including backup servers. This can be complicated if the company does not keep a thorough inventory of the kinds of information stored and where it is housed. Even after the information is "deleted" from a server, truly ensuring it is erased means overwriting the data.
One way to aid data deletion is encryption, said Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation. If a user’s data is encrypted with a single key, destroying the key associated with an account is easier than finding and wiping each place the customer's data exists. That way, the information remains encrypted, but the key to decrypt the information is gone. The key will similarly need to be deleted and overwritten for it to be erased.
The Ashley Madison breach is "also a good case of, 'Don't retain more data than you need,'" Hoffman-Andrews wrote in an e-mail. He recommends that all companies that store personal data audit their systems often to make sure everything they think they are deleting is actually being erased.
When it comes to data deletion, Ashley Madison may not be as bad as many other so-called dating sites, according to the EFF. In its 2012 ranking of dating sites based on their security and privacy practices, Ashley Madison was among the 3 out of 8 sites ranked that earned high marks for data deletion practices.
Even on personal computers, deleting data takes more effort than dragging a file to the trash, emptying it, and calling it a day. Users must go a step further to eradicate the file. While you can’t see the file anymore, White said, the information can still exist on the hard drive.
"Someone with a piece of forensic software can find it and theoretically recover it depending on how many times you’ve written things to the disc, how many pieces of information have been stored now since it was deleted," he said.
To ensure the file is destroyed, specialized software must be used to find the physical location of the information on the hard drive and overwrite it with new data at least once. According to White, more security-conscious users might overwrite the file hundreds or even thousands of times.
When it comes to giving out personal information to any website, experts urge consumers to exercise caution. White recommends supplying a website with a fake name and address if possible, and keeping a credit card that is used only for more trusted sites.