Modern field guide to security and privacy

Opinion: Ashley Madison hack reveals need for new approach to guard intimate data

After its users' data was exposed online, Ashley Madison issued copyright takedown notices to have it removed. It's a bad use of copyright law but reflects a troubling legal environment where digital media companies own users' most personal images and information.

Shortly after independent security reporter Brian Krebs exposed the Ashley Madison breach, the hookup site that encourages infidelity announced that it was wielding copyright law against the apparent hackers.

Yes, copyright law.

Ashley Madison's parent company, Avid Life Media, is prohibiting the posting of sensitive customer and employee information stolen in the hack – apparently perpetrated by a group known as the Impact Team – by issuing takedown notices based on its copyright ownership of this information.

The Impact Team had posted some 40 megabytes of stolen data about Ashley Madison employees and customers. In an e-mail to The Washington Post, Avid Life Media said it used the Digital Millennium Copyright Act (DMCA) to get removed wherever they had been posted: "We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter."

While beneficial in this case, this approach is an example of a systemic problem in the way that our legal system currently addresses privacy and security in digital media. Instead of developing new laws for the Internet Era in order to help people from losing control of their data flows, we’ve thrown overly broad property rights at the problem instead.

Copyright is supposed to protect creative expressions in order to support artists and authors. In Feist v. Rural Telephone, the Supreme Court found that if one phone book publisher copied a bunch of entries from a phone book published by another phone book publisher, that was just fine. You can’t copyright facts. And if your business is threatened by that, then too bad for your business.

If the hackers are just posting financial information and customers’ names, then using the DMCA to issue takedowns is a poor application of copyright because those are not creative expressions. If, however, this data set includes personal conversations or compromising pictures, then this is also a poor application of copyright, for different reasons.

By republishing someone’s nude selfies, for example, you are not devaluing their creative work. They had no intention to publish those photos, or to have anyone but their intended audience see them. They are copyrightable, and Avid Life Media can claim copyright over them in their End-User Licensing Agreement (EULA), but this doesn’t identify either what copyright is supposed to be about or what is wrong about publishing someone’s nude photograph without their consent.

In this case, there are parallels with revenge porn, the practice of publishing sexually explicit photos of someone without their consent. Sometimes revenge porn includes the names and addresses of the photographic subjects and is posted on websites that offer to take them down only for a fee. There’s currently little legal recourse to be found, unless you took the photo yourself – such as a revealing selfie – in which case you can claim copyright and issue a takedown.

Copyright law is supposed to protect creative works in a marketplace so that creating and selling these works can be profitable. Protecting these intimate expressions as goods in a marketplace fails to address what’s wrong about wrongfully publishing them. It's wrong because it’s an invasion of privacy and a violation of trust, not because it threatens someone’s profits.

It also reinforces and perpetuates a perspective that contributes to the problem: the idea that personal moments and intimate expressions are potentially valuable objects that can be owned.

And here we can connect back to the Impact Team’s stated casus belli

As Mr. Krebs reported, “The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.”

Without paying that fee, accounts were hidden but not actually deleted. Therefore, they could still be accessible by anyone who can figure out the password – whether a hacker or suspicious spouse. But the Impact Group claims that even users who do pay to have their profiles, conversations, posts, and pictures removed still have personally identifying information such as real names and addresses in the company's databases.

While I'm not defending the group or perpetrator behind the Ashley Madison data breach, the company's practice of only deleting customers' most intimate data for a fee is strikingly similar to revenge porn. What's more, Ashley Madison is able to protect its users from being exposed through the DMCA because it claims ownership over users' photos and conversations in order to charge an extortion-like "administrative fee" for a full account delete.

In both cases, and in the case of revenge porn as well, property rights determine whether or not intimate details of people’s lives can be published against their will.

To protect people in a digital environment, we need to promote legislative approaches that recognize and respect conversations, sexting, and selfies not as objects but as human activities; as asynchronous and digitally transferrable moments of a person’s life, deserving of respect and care.

D.E. Wittkower is an assistant professor of philosophy at Old Dominion University, where he teaches on philosophy of technology, digital culture, and computer ethics. He is author or editor of six books, including "Facebook and Philosophy," and conducts academic research focusing on information ethics and the conduct of personal relationships online.


You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Opinion: Ashley Madison hack reveals need for new approach to guard intimate data
Read this article in
QR Code to Subscription page
Start your subscription today