When the Ashley Madison data breach story first broke, it was quite isolated. It was a criminal matter for local authorities and a PR disaster for Ashley Madison itself, but that’s as far as it went.
Now that the hackers have released the data, there is much greater potential for the incident to affect people around the world – including here in New Zealand. With that in mind, we’ve put together some questions and answers about the issue.
Some sites will respond to requests to remove illegally obtained material. Get in touch with the host site and ask for it to be removed. In some cases it may be possible to seek a court order to prevent distribution of the details.
Keep an eye on developments, particularly in Canada, where the site is hosted. Law enforcement agencies there are looking into the original hack and the subsequent leak. It may also be possible to join legal action there.
There may be some comfort in that use and dissemination of the hacked data in New Zealand might well be in breach of the Privacy Act. This should hopefully stop the data from spreading much further here, and being used inappropriately.
If someone is threatening, blackmailing or intimidating you, you should contact the Police immediately.
If contact, profile or credit card information from Ashley Madison is being distributed by someone you know, you can make a complaint to this office. We will be able to investigate, but that process will take some time.
If your presence on the list has made its way to a radio or television publication, you should complain to the Broadcasting Standards Authority. And if it is being published in a newspaper or magazine (print or online), you should complain to the Press Council.
Not without considerable risk that you might end up being in breach of the Privacy Act! Principle 8 of the Privacy Act says that you should not use personal information without taking reasonable steps to check that it is accurate. There is no way to ensure that the Ashley Madison data is accurate because Ashley Madison did not require email verification. People did not have to prove that their emails were, in fact, theirs – or that the addresses real in the first place.
This means that you cannot be sure of the accuracy of any information in the data dump, so using it to make any decisions (including whether to hire someone) would be an interference with his or her privacy.
A recent Human Rights Review Tribunal judgement highlighted how important this is: A company distributed inaccurate credit reporting information about an individual without taking the necessary steps to make sure it was accurate. The organisation was found to have interfered with his privacy and ordered to pay $25,000.
Are you sure? Even if you have this proof (which you probably don’t), the only thing you’ve proven is that they used the website at some point in the last 10+ years. They may have signed up to test it, they may have signed up in a moment of weakness but never taken any action, they may had their partner’s consent or they may be a serial adulterer. An individual’s presence on this list only tells you that they are on the list. Any conclusions you draw from that are up to you, and based on one data point. Getting your assumptions wrong could prove very harmful to the person concerned, and very costly for you.
The best thing to do is to delete it. If you share it around, you run the risk of causing great harm, and potentially exposing yourself to a long and costly legal process.
If you collect it (by saving it) or disclose it (by sharing it), you could be found to have interfered with the subject’s privacy.
Interfering with someone’s privacy is a big deal. Not only is it unethical and illegal, it can also be expensive. For example, the Human Rights Review Tribunal recently ordered a man to pay someone $18,000 as compensation for the stress and humiliation he caused by distributing a private letter about her employment. We expect that someone’s alleged presence on a dating site for adulterers would cause even more stress and humiliation than the letter in this case – so tread lightly. The current record for damages is $168,000.00. You don’t want to be the next record breaker!
The news media is exempt from most of the Privacy Act, and the right to freedom of expression is enshrined in the New Zealand Bill of Rights Act. However that does not mean the news media has carte blanche.
The Broadcasting Standards Authority and Press Council both have privacy requirements. If you’re a broadcast journalist, you’ll need to defend the fact that publishing this information isn’t ‘highly offensive to an ordinary reasonable person.’ Given the nature of this information, that defence will be a challenge.
If you’re a print journalist, the standard is even higher – the Press Council dictates that any publication of private material needs to be in the public interest or public record.
Both of these standards will be hard to make because the information is
1) Intimate and personal
2) Difficult (if not impossible) to verify as accurate
As an example, the hosts of an Australian radio show used this data to tell a woman her husband was registered on Ashley Madison while live on the air. Lets forget about the legal liabilities involved for a moment. Even the hosts recognised they had crossed the line and left common decency behind with that stunt.
We haven’t yet decided what we’re going to do, and we’re not sure if this falls under our jurisdiction. If we do anything, it will most likely be in conjunction with our counterparts in the jurisdictions in which the business is based, and the content is hosted. These collaborations can be quite fruitful, as illustrated by a recent report of the Australian Privacy Commissioner’s investigation of Adobe’s 2013 high-profile data breach. He found Adobe in breach of the Privacy Act for not taking adequate steps to secure customer information. That case has now been settled.
Ashley Madison is in a similar situation. While we have not investigated their systems and processes, the fact that individuals were able to abscond with several years’ worth of unencrypted data certainly does raise some very serious questions. We would like to see those questions answered.
The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner have begun a joint investigation into Avid Life Media, the parent company of Ashley Madison and several other websites. Given that the company is based in Canada, and considering the global scope of the breach, the two authorities will be investigating jointly, and with the help of other international counterparts. Both authorities have already been in contact with the company to determine how the breach occurred and what is being done to mitigate the situation.
For more information, contact: