Opinion: Ashley Madison hack reveals need for new approach to guard intimate data
After its users' data was exposed online, Ashley Madison issued copyright takedown notices to have it removed. It's a bad use of copyright law but reflects a troubling legal environment where digital media companies own users' most personal images and information.
Shortly after independent security reporter Brian Krebs exposed the Ashley Madison breach, the hookup site that encourages infidelity announced that it was wielding copyright law against the apparent hackers.
Yes, copyright law.
Ashley Madison's parent company, Avid Life Media, is prohibiting the posting of sensitive customer and employee information stolen in the hack – apparently perpetrated by a group known as the Impact Team – by issuing takedown notices based on its copyright ownership of this information.
The Impact Team had posted some 40 megabytes of stolen data about Ashley Madison employees and customers. In an e-mail to The Washington Post, Avid Life Media said it used the Digital Millennium Copyright Act (DMCA) to get removed wherever they had been posted: "We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter."
While beneficial in this case, this approach is an example of a systemic problem in the way that our legal system currently addresses privacy and security in digital media. Instead of developing new laws for the Internet Era in order to help people from losing control of their data flows, we’ve thrown overly broad property rights at the problem instead.
Copyright is supposed to protect creative expressions in order to support artists and authors. In Feist v. Rural Telephone, the Supreme Court found that if one phone book publisher copied a bunch of entries from a phone book published by another phone book publisher, that was just fine. You can’t copyright facts. And if your business is threatened by that, then too bad for your business.
If the hackers are just posting financial information and customers’ names, then using the DMCA to issue takedowns is a poor application of copyright because those are not creative expressions. If, however, this data set includes personal conversations or compromising pictures, then this is also a poor application of copyright, for different reasons.
By republishing someone’s nude selfies, for example, you are not devaluing their creative work. They had no intention to publish those photos, or to have anyone but their intended audience see them. They are copyrightable, and Avid Life Media can claim copyright over them in their End-User Licensing Agreement (EULA), but this doesn’t identify either what copyright is supposed to be about or what is wrong about publishing someone’s nude photograph without their consent.
In this case, there are parallels with revenge porn, the practice of publishing sexually explicit photos of someone without their consent. Sometimes revenge porn includes the names and addresses of the photographic subjects and is posted on websites that offer to take them down only for a fee. There’s currently little legal recourse to be found, unless you took the photo yourself – such as a revealing selfie – in which case you can claim copyright and issue a takedown.
Copyright law is supposed to protect creative works in a marketplace so that creating and selling these works can be profitable. Protecting these intimate expressions as goods in a marketplace fails to address what’s wrong about wrongfully publishing them. It's wrong because it’s an invasion of privacy and a violation of trust, not because it threatens someone’s profits.
It also reinforces and perpetuates a perspective that contributes to the problem: the idea that personal moments and intimate expressions are potentially valuable objects that can be owned.
And here we can connect back to the Impact Team’s stated casus belli.
As Mr. Krebs reported, “The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.”
Without paying that fee, accounts were hidden but not actually deleted. Therefore, they could still be accessible by anyone who can figure out the password – whether a hacker or suspicious spouse. But the Impact Group claims that even users who do pay to have their profiles, conversations, posts, and pictures removed still have personally identifying information such as real names and addresses in the company's databases.
While I'm not defending the group or perpetrator behind the Ashley Madison data breach, the company's practice of only deleting customers' most intimate data for a fee is strikingly similar to revenge porn. What's more, Ashley Madison is able to protect its users from being exposed through the DMCA because it claims ownership over users' photos and conversations in order to charge an extortion-like "administrative fee" for a full account delete.
In both cases, and in the case of revenge porn as well, property rights determine whether or not intimate details of people’s lives can be published against their will.
To protect people in a digital environment, we need to promote legislative approaches that recognize and respect conversations, sexting, and selfies not as objects but as human activities; as asynchronous and digitally transferrable moments of a person’s life, deserving of respect and care.
D.E. Wittkower is an assistant professor of philosophy at Old Dominion University, where he teaches on philosophy of technology, digital culture, and computer ethics. He is author or editor of six books, including "Facebook and Philosophy," and conducts academic research focusing on information ethics and the conduct of personal relationships online.