Ashley Madison Continues To Use Dubious Legal Takedown Threats To Try To Disappear The Data It Failed To Protect
from the not-a-good-idea dept
We’ve written a few times now about how the parent company of Ashley Madison, Avid Life Media, has been committing perjury and issuing completely bogus copyright demands to try to hide the information that was leaked after its servers got hacked. Last month, that tactic (despite not complying with the law) apparently worked briefly, until the full data dump happened last week. But that hasn’t stopped the company from continuing to try. EFF wrote a long blog post detailing how this was a clear abuse of the law, but Avid Life Media doesn’t seem to care.
After the leak came out, a few sites sprung up quickly to help people search the database. Whether or not you think it’s appropriate to set up such a site (or to use it) is a separate issue, but what hopefully everyone can agree on is that such a site should not be taken down for copyright reasons. There were two main sites that got the bulk of attention for setting up such a database, and one has already shut down and the other has received a takedown demand (though not a copyright one). I won’t link to either site, but here’s what’s now posted on one of the sites:
Our firm is counsel to Avid Life Media, Inc. (?ALM?) with respect to its intellectual property and data privacy matters. As you may know, ALM is the parent company of the online dating and social networking service Ashley Madison. Because users entrust ALM with highly sensitive and intimate details (collectively the ?Ashley Madison User Data?), the privacy of ALM?s users is of utmost importance. As a result, ALM proactively and arduously regulates any authorized (and unauthorized) use of Ashley Madison User Data.
This letter is to inform CloudFlare, Inc., and all related entities (collectively, ?You?) that, upon information and belief, CloudFlare, Inc.?s client (?Your Client?), has posted a searchable database of the Ashley Madison User Data to a website hosted on a domain name hosted by You. Specifically, Your Client has posted the Ashley Madison User Data at the following URL: https://ashley.cynic.al/ (the ?URL?). Your Client?s publication of the Ashley Madison User Data may constitute illegal disclosure of private personal information, and potentially expose millions of individuals around the world to identity theft.
Moreover, we believe that the website content hosted at the URL may violate the Your Terms of Use, located at: https://www.cloudflare.com/terms. Specifically, the website content hosted at the URL may violate the Terms of Use in that it likely infringes upon the privacy and personal data rights of the Ashley Madison users. Accordingly, ALM requests that You take action to remove and/or disable access to all content at the URL.
Please note that this letter is made without prejudice to any other rights or remedies that may be available to ALM. Nothing contained herein should be deemed a waiver, admission, or license by ALM, and ALM expressly reserves the right to assert any other factual or legal positions as additional facts come to light or as the circumstances warrant.
CloudFlare, in response, told the guy that it had forwarded the name of the actual hosting provider (a non-US company) to the lawyers at DLA Piper, and at last check, the guy claims that his hosting company, ColoCall out of Ukraine, has not done anything about it. That may change, but it’s not clear what legal basis ALM has for the demand. It’s nice to see that ALM is no longer making totally bullshit copyright claims, but these weird “privacy and personal data rights” claims don’t have much legal basis either.
Filed Under: dmca, leaks, privacy, takedowns
Companies: ashley madison, avid life media, cloudflare
Comments on “Ashley Madison Continues To Use Dubious Legal Takedown Threats To Try To Disappear The Data It Failed To Protect”
Stop, drop and roll, Ashley!
ALM has exposed millions of people to the world of identity theft by deciding to use 5 letter passwords. GG
Ashley Madison you have it all wrong with the DMCA
You are wrong. WRONG WRONG WRONG.
You need to see the light and STOP using the DMCA to try to deal with this.
You should be using the new super dooper RTBF ! (Right To Be Forgotten)
The new RTBF has advantages over the outdated DMCA.
1. While the DMCA can only be used within worldwide jurisdiction, the RTBF can be used in even wider worldwide jurisdiction!
2. You can’t use the DMCA to take down articles critical of DMCA requests, but you CAN use RTBF to take down articles critical of RTBF requests!
3. Coming Soon!… the ability to recursively take down all future articles about an RTBF request! (just try that with the puny DMCA.)
4. You don’t have to be an actual copyright owner to use RTBF. (although it is doubtful that you need copyright ownership to use DMCA.)
Re: Ashley Madison you have it all wrong with the DMCA
rtbf – only for Europeans, alm, is canadian.
– only affects searches originating in europe, me, a Canadian, can still find all rtbf links, because im not European, my searches are not filtered by that law
Re: Re: Ashley Madison you have it all wrong with the DMCA
Are you under the delusion that this defect will remain uncorrected?
Re: Re: Ashley Madison you have it all wrong with the DMCA
Don’t speak too soon.
Re: Re: Ashley Madison you have it all wrong with the DMCA
I think the post was being partly tongue in check. The poster clearly has a more nuanced view of the situation.
Amateur: A minor nitpick
Amateur is derived from amor and refers to people who do it because they love it (rather than because it’s a trade). Commonly, actual amateurs are rather good at what they do.
I’d suggest the synonym sophomoric which refers to the stupid mistakes we make when we’re sophomores and think that we know things because we’re no longer freshmen (pro-tip: we don’t).
Posting PII IS a crime
Posting this information opens the sites’ hosts to the possibility of defamation lawsuits and may be interpreted in some jurisdictions as possession of stolen property. This has at least some legal precedent from the Sony hack. Indeed, even in America, the least privacy conscious of western countries, most states have laws against the fraudulent use or possession of identifying information. In fact, this appears to be the route that ALM’s lawyers are taking, judging from this letter.
Re: Posting PII IS a crime
Yeah; I was going to mention that the base of their claim is really:
” Your Client’s publication of the Ashley Madison User Data may constitute illegal disclosure of private personal information.”
This is debatable in the US, but much more policed under privacy laws in the EU where the server is actually hosted.
Re: Re: Posting PII IS a crime
“This is debatable in the US, but much more policed under privacy laws in the EU where the server is actually hosted”
The Ukraine is in the EU? Or are you referring to Cloudflare and not the place the original page is hosted?
Re: Posting PII IS a crime
No.
The route that ALM’s lawyers are taking is to send heavily caveated, non-legally binding demand letters to someone that they hope doesn’t have competent legal counsel, and will therefore comply because “lawyers saying scary sounding things.”
Frankly, they’d probably get a better response if they sent a letter saying “look, there’s no legal basis for us to ask this, so we’re not going to threaten, but you’d be doing an awful lot of people a solid if you took this content down.”
Re: Re: Posting PII IS a crime
Just because you slap a big “No” at the top of your comment doesn’t make you any less wrong (and you are wrong, by the way). Fraudulent use and possession of identifying information about an individual is unambiguously illegal in the United States, which is what the letter is referencing when it says, “publication of the Ashley Madison User Data may constitute illegal disclosure of private personal information, and potentially expose millions of individuals around the world to identity theft.”
Websites that allow an email lookup with no additional provision of PII will almost certainly be allowed to stay up, as past precedent has proven. Those websites that are wantonly slapping a bunch of personal names and addresses on their website for all to see should, as you suggest, by all means retain legal counsel, and that legal counsel, if it’s worth its money, will almost certainly tell them that what they are doing is not only reckless and stupid, it’s also illegal.
Re: Re: Re: Posting PII IS a crime
Federal Statute creating a general ban on possession of personally identifiable information (PII) in this context, please?
This is by all accounts a non-US hosting company (Ukraine is called out) and there’s nothing to indicate a locality for the person publishing the website so there are likely jurisdictional issues here.
Past that, nowhere in the actual letter was PII referenced. It was certainly alluded to. But the lawyers reference “Private, personal, information”.
To your other point about providing information? The website in its current form checks for the presence of a user-provided email address in the dataset, and returns a yes/no along with an explanation of why presence in in the database isn’t an automatic indicator of being an active user.
Re: Re: Re:2 Posting PII IS a crime
Sure. Here you go: https://www.law.cornell.edu/uscode/text/18/1028
Clause (a)7 would probably be the one that most applies, since this does violate several state laws, and would indeed constitute a felony in multiple states due to the volume of PII being provided.
Which certainly complicates things. But in international jurisdiction law, nations can invoke the passive personality principle if they feel that a foreign nation has willfully caused harm to one of its citizens. It’s not a principle that’s often invoked, but considering the FBI is now actively involved with the investigation of the initial hack and subsequent spread of the information, and considering some sixteen odd million Americans are having their data posted, it’s not without the realm of possibility, were a foreign site to decide to openly post PII. Of course, as I said earlier, the cynic.al website is merely an email search tool, so at the moment it’s probably safe from that.
Of course, they also never used the phrase DMCA, either. Nor is this even formatted as a DMCA letter. So my initial claim that this isn’t a case of “dubious legal takedown” using DMCA still stands.
Re: Re: Re: Posting PII IS a crime
“Fraudulent use and possession of identifying information”
Techdirt is not fraudulently using any information. Where has Techdirt committed fraud?
“Specifically, the website content hosted at the URL may violate the Terms of Use in that it likely infringes upon the privacy and personal data rights of the Ashley Madison users.”
Um, how exactly? Doesn’t one need to know what one’s searching for in order to formulate a search term that’s most likely to fetch the relevant data? If one has that information, then one is probably the owner of it. Unless one happens to be one of the many who joined one of ALM’s websites with fake details, in which case no individual’s privacy is at risk. At least, that’s how I’m seeing it.
Re: Re:
Or the significant other of the person whose data is being searched for.
what i find so amusing about this sort of hack/release of info is that it is no sooner out in the wild than the lawyers are circling like vultures! not, as you may think, to get the I.D.s of the hackers or to protect the company concerned, but to whom they can get a case from concerning the information released. no one seems to mind who did what, when, with whom, until the first law firm is contacted or shows willingness to be hired.
ALM or SONY
I can see why they try to use (abuse) the law, but what really makes me upset is that the major news agencies are backing their bogus claims. The appearance is that news agencies are more concerned with protecting the abusers than the abused (us, the people that depend on news agencies to be fair and unbiased).
Re: ALM or SONY
First, if you’re depending on news agencies to be “fair and unbiased”, you’re doing it wrong.
Second, some of the people in those news agencies are likely ALM Customers, and as such will have run afoul of the morality clauses in their employment agreements, and hence have a vested interest in ensuring the data never gets looked at too closely.
am i crazy?
You pretty much can’t guarantee data protection with 100% certainty. Much of computer security is designed to make exploitation expensive for adversaries, to the point where it’s not worth their time/money to attack you. A simple example is WPA password hashing, which runs the same hash 4096 times just to make dictionary attacks that much slower, or in other words, more expensive.
So, if you’re a company whose business model depends on protecting the privacy of your customers, and you suffer a massive data breach, why wouldn’t you use every tool in your arsenal, bullshit or otherwise, to make it more difficult for third parties to access that data?
My guess is that AVM customers care more about limiting the violation of their privacy than the proper application of copyright law. I don’t know, am I crazy?
Re: am i crazy?
While you make a good point about much of security being about cost vs. “benefit” for attackers, this doesn’t apply nearly as much for circumstances like a targeted revenge attack, nation-state attack, or hacktivism. Additionally, many early indicators seem to show that Avid Life had a disdain for best security practices (protecting their customers’ private information) — even the ones that would not have cost the company a penny to implement.
Trying to limit access to data that has already been exfiltrated and posted on the Internet is like pouring a glass of water into the ocean, then demanding that those molecules be put back into the glass. At that point, it is not a matter of resources, but keeping up the illusion of “doing something about it”.
Bottom line: If you think Avid Life is doing all these gyrations out of altruistic concern for their customers’ privacy rather than just trying to protect their own collective naughty bits from hordes of rabid lawyers, then yes, you are crazy.
Re: Re: am i crazy?
"what hopefully everyone can agree on is that such a site should not be taken down for copyright reasons" -- Who cares what the basis is?
It’s doing harm to persons — I’M not much upset, but it’s good principle — so take this data down any way needed. Send in the Marines, be fine with me on this.
Re: "what hopefully everyone can agree on is that such a site should not be taken down for copyright reasons" -- Who cares what the basis is?
Who cares what the basis is?
I do. It’s important.
And what exactly are the Marines going to do? Blow up some data center because “geez, people might be embarrassed?”
When your only tool is a hammer, every problem becomes a nail.
Re: Do no harm.
I think that preventing someone from using or posting this database is a violation of that person’s rights until it is established that what they are doing causes harm.
And that requires due process.
Re: Re: Do no harm.
So we have a right to stolen property?
Re: Re: Re: Do no harm.
What “property” was “stolen”, and under which jurisdiction’s law?
Re: Re: Re:2 Do no harm.
This isn’t the old “stealing copyrighted material is called infringement” thing.
Nobody questions that there is no copyright claim. That only works for copyright and ONLY in the US.
In this case neither of those things are so.
What is so is that a network was broken into and data stolen, threats of extortion were made, and now individuals are being threatened and extorted.
Re: Re: Re: Blackmail for instance.
It wasn’t stolen. Ashley Madison still has it.
You’ll still need to present a case for harm done by those who have the data, rather than the harm done by those who obtained the data.
Re: Re: Re:2 Blackmail for instance.
“It wasn’t stolen. Ashley Madison still has it.”
Has that been used as a defence in court yet. Not in a copyright case, but in stealing data for extortion case?
“Yes I have it, your honour, but they still have it too. Yes I know that it was their’s, but it still is – it’s just kinda ours now”.
Re: Re: Re:3 It would be a poor defense.
If I know my extortion schemes, it’s not the having someone’s secret or learning someone’s secret parts that are criminal. It’s the making threats and demanding money part that does it.
Re: Re: Re:4 It would be a poor defense.
I really meant the stealing, not the extortion.
I mean in the context that you used it.
Re: Re: Re:5 Stealing.
Well, that’s how the CFAA is used to put whistleblowers into prison for longer than murderers.
We say that such sensitive (incriminating) material was stolen.
Never mind that it was incriminating.
So yeah, there’s a really sucky law against copying information that isn’t yours from computers, and it’s used to put away people that inform the public when the government does criminal stuff.
So I personally don’t take that law seriously at all, since I know it as a way to get revenge against well-meaning whistleblowers. It may have some good uses somewhere, but it’s doing more bad than good right now.
Re: Re: Re:6 Stealing.
What I’m reading here is you’ll sit on Techdirt all day with your fingers in your ears saying “Nothing was stolen, they’ve still got it, you can’t steal it, it’s not stealing” But you’d never actually stand before a judge and try and plead that as your defence.
Re: Re: Re:7 Obsessive?
Sounds like you’re dwelling on one aspect of the case.
I told you my position.
And regardless I have no confidence in the US Justice System anyway, so I wouldn’t even hazard a guess as to what my defense would be.
Feel free to read whatever the heck you like in that. I am rapidly ceasing to care what you think.
Re: Re: Re:3 Blackmail for instance.
You would really do better complaining about the Extortion. You would have a real argument there.
> “Yes I have it, your honour, but they still have it too.
> Yes I know that it was their’s, but it still is – it’s just kinda ours now”.
That is EXACTLY how copying works. Whether authorized or not, once I have a copy of something, the copy is mine, and the original is still theirs. My neighbor gave me a copy of his cookie recipe. Guess what? He still has it. And I have it. Exactly as you are saying in your argument. Yes, it’s still his, but it’s also mine too, and not kinda.
You could argue the copy was unauthorized. But maybe I obtained my copy innocently, possibly without understanding the implications, from some website that offered it for download. (As in the copyright case: you should be going after the download site, not the downloader, not Google.) Some people could argue that once disclosed, this data is of public interest (eg, reporters, researchers, politicians running against an Ashley member for the same political office).
The extortion argument is so much simpler and clear.
Re: Re: Do no harm.
Uriel,
Also, don’t forget general (though not absolute) prohibitions against prior restraint.
In the US, at least.
Re: Re: Re: Prior Restraint
Yep. That’s the right to which I was referring.
The only exception I know of is national security.
Kill the hackers
The hackers and their immediate families should be killed if discovered. This will teach everyone scumbag hacker that wants to violate someone’s privacy whether a cheating site, health records, government site, etc. Everyone has a purpose for doing so, but that doesn’t make it right!
Re: Kill the hackers
How’d your wife take it?
Re: Re: Kill the hackers
Doggy style was one of many ways
Re: I'm not very good at this.
Is this Poe?
Sometimes I can’t tell. Which I think is the point of Poe.
Re: Re: I'm not very good at this.
Just the angry words of a recently singled man
Whether or not privacy rights have a strong legal claim depends on your jurisdiction. What we should be considering though, is given the serious harm that can be done to people, what should the right to privacy on the internet entail and at what point does it trump or limit free speech rights? If someone breaks into your email account and copies your most intimate and private correspondence and leaks it on the dark web, does a third party then have the right to access and publish that information on the light web (for lack of a better term) in the name of free speech?
Re: Re:
This isn’t a matter of free speech – this is a matter of using copyright when it’s clearly not applicable.
THAT is the problem – incorrect use of law.
Re: I believe the answer to that is yes.
If a snapshot of you on the bathroom is snagged by a hacker, handed over to a third party and then dropped into the lap of the New York Times (which publishes a redacted version), then only the hacker has committed a crime.
I’m pretty sure we like it that way, given it protects whistleblowers who which to drop private data of a more incriminating sort than bathroom pics. Your attempt to suppress the pic will only assure that it gets Streissanded everywhere.
I say this as a three-felonies-a-day sort of criminal, who doesn’t really do anything particularly scandalous or heinous, and who is less pervy (probably) than the average person on the (San Francisco) sidewalk.
If I were pervier and in a county that was less tolerant than the queerest of my bedroom activities, I might want laws to prevent me from being outed. As it is, it’s a total social faux pas to out someone (as gay, a BDSM participant, a zoophile) as it is to dox them, but it’s not yet illegal.
Note to public…there is no such thing as a completely secure data base. All of the emails are searchable at http://www.cheaterscout.com
Re: When Steam was hacked
The database of users and their private information was accessed and taken.
But it was salted and so far there’s been no indication that anyone has figured out how to decrypt it.
So…far more can be done than what AM did to keep details safe.
And it’s really hard to find something in one’s Steam account that is disreputable.
Information wants to be free.