Security Researcher Brian Krebs Receives Legal Threat From Former Ashley Madison Exec Over Hacking Allegations

from the possibly-some-merit-in-the-threats-for-a-change dept

Ashley Madison’s former CTO, Raja Bhatia, is toying with the idea of suing security researcher Brian Krebs for libel. Bhatia has problems with an earlier story by Krebs, which quoted emails obtained from the Ashley Madison hack that seemingly indicated the company’s execs participated in the breach of a rival’s customer database.

The original story made these claims (again, based on the content of exposed emails):

A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of, sent a message to Biderman notifying his boss of a security hole discovered in, an American online magazine dedicated to sexual topics, relationships and culture.

At the time, was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the user database.

“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Bhatia’s legal rep says Bhatia takes exception to being labelled a hacker in the headline and body of the post. Unlike countless other legal threats, this letter to Krebs takes the time to point out the specific claims Bhatia takes issue with, as well as offering up information that seemingly contradicts Krebs’ assertions.

Contrary to the express statement in the article’s title and the suggestion in its body, Mr. Bhatia did not “hack” Rather, he noticed a readily apparent security gap and remarked on it to Noel Biderman, Ashley Madison’s CEO, with whom he happened to speak shortly thereafter. At no time did Mr. Bhatia attempt to bypass’s security or to exploit its gap in any way. He did not bulk exfiltrate this data or attempt to alter it, as implied by the selective quotes from his emails included in your post. To the contrary, Mr. Bhatia expressly stated that he would not do so in the email sequence referred to in the article, a point omitted from your report.

Bhatia’s lawyer has asked for a correction and retraction of the earlier post. Krebs has refused to do so, standing by his earlier assertions and posting Bhatia’s letter in full.

Unfortunately for Krebs, he has a much higher bar to reach to get this thrown out. The lawsuit, if it arrives, will be filed in Canada, where Ashley Madison’s parent company (Avid Life Media) is located. Canadian law shifts much of the burden of proof to defendants in defamation cases, and Canadian courts have been known to reach some very questionable conclusions when dealing with these sorts of lawsuits. That being said, the SPEECH Act would likely make any resulting Canadian defamation judgment unenforceable in US courts. But it still would mean Krebs would need to spend money and time fighting the lawsuit.

The other thing that might hurt Krebs is any discussion of the word “hacking.” The way it’s used in his original post brings an entirely negative connotation to a word that is also frequently used to describe the work done by Krebs himself. Any efforts to prove the truth of his hacking allegations against Bhatia are likely to do additional damage to a word that can also cover the “neutral” and “good” ends of the spectrum. Obviously, it’s in Bhatia’s interests to push for redefining “hacking” as purely a nefarious activity, seeing as the legal threat refers to the “implications” of Krebs’ post almost as much as it refers to any “false and defamatory statements.”

In a very colloquial sense, Bhatia’s discovery of a security flaw is “hacking.” Bhatia’s legal team obviously views the use of “hacking” in this context to be wholly negative. Litigation over “hacking” allegations has the potential to further push “hacking” towards being synonymous with “evil.” According to Krebs’ own words, no real “hacking” was done, at least not in the criminal sense (where protective schemes are attacked and breached). This “hack” was no more inappropriately intrusive than uber-troll Weev’s incremental alteration of user ID numbers to access AT&T user account info.

On the other hand, arguments in favor of a more colloquial definition of “hacking” could work in Krebs’ favor, where “hacking” simply means using or accessing something in a way the general public wouldn’t. In that sense, the headline and the quasi-accusation would be truthful, if not especially accurate. Krebs could argue his use of the word “hacking” wasn’t meant to have a negative connotation but was simply used as accessible shorthand for Bhatia’s actions. Either way, colloquial use of a term that encompasses a wide variety of actions (good and bad) isn’t really enough to rise to the level of defamation.

The larger issue may be the statement that Bhatia exfiltrated’s user database. As the letter states, other emails indicate he did no such thing (and indeed wouldn’t) even though he had the opportunity.

At this point, it’s Bhatia’s move. Krebs is refusing to comply with the requests of Bhatia’s attorney. Now that everyone’s lining up to file a lawsuit against the company, it’s probably safe to assume a few lawsuits will be filed in the other direction, targeting those utilizing information obtained from the hack. Bhatia has a favorable venue and very little to lose by pursuing this, so I would expect an announcement of a lawsuit in the near future.



Comments on “Security Researcher Brian Krebs Receives Legal Threat From Former Ashley Madison Exec Over Hacking Allegations”

tqk (profile) says:

Re: Re:

Obviously, it’s in Bhatia’s interests to push for redefining “hacking” as purely a nefarious activity …

This ship sailed about a decade and a half ago. Nobody’d listen to us. “Hacking” has a long distinguished history (cf. MIT’s “model railroad club”, et al). It’s about curiosity about how things work. We tried to distinguish “white-hat hacking” from “black-hat cracking”, but the media’d have none of that. It didn’t fly. Meh.

Krebs is a credible security researcher and reporter. He would not mis-read an email, ffs.

However, thanks for warning me about Canadian law. I should shut up more often it seems.

Roger Strong (profile) says:

Unfortunately for Krebs, he has a much higher bar to reach to get this thrown out. The lawsuit, if it arrives, will be filed in Canada, […] Canadian law shifts much of the burden of proof to defendants…

On the other hand Canada has a Loser Pays system. If Krebs wins, Bhatia would have to pay his legal bills. That discourages a lot of litigation that would happen in the US.

Anon says:

There must be some sort of Heisenberg Principle applicable to hacking. The very act of observing creates the hacking.

How do you know you have unencrypted user data without actually opening at least one record? How do you know you can access or change fields without at least reading the fields – how do you know you have write capability without querying status or something – all of which implies at minimum getting onto a system in a manner you are not permitted to.

tqk (profile) says:

Re: Re:

There must be some sort of Heisenberg Principle applicable to hacking. The very act of observing creates the hacking.

Is Vint Cerf a co-defendant? “ping -c 1 $IP_ADDRESS”

If it’s on-line and you haven’t a valid login on it, is it illegal now to touch it in any way? Is there an RFC that says anything about what we can and cannot do to a machine connected to a network that was designed to make all connected hosts valid connectivity paths?

Bergman (profile) says:

Re: Re:

When you increment a URL, you are essentially sending a note to a security agent of the company in question requesting information.

Imagine a demonstration in a hypothetical court: Pass a note to the judge, requesting that he raise his right hand then lower it. The note does not compel him to act or trick him into doing so, he chooses to do so or not to do so of his own free will. Adding the words ‘on the internet’ to the process does not create a violation of anti-hacking statutes (such as the CFAA to name one example) nor does it imply deceit of any kind.

A request was made and fulfilled. If the company employing the security agent — whether digital or flesh and blood — has not told their agent not to give out certain information upon request, that is on the company not the person making the request.

For a court to rule otherwise would result in absurdity at best.

For example, even if you have a login and password and only access your own stored data, if that data is about something the company dislikes then accessing it would make you a hacker.

For that matter, people like OotB here on Techdirt could be accused of hacking and even convicted of it for doing nothing more than using their own account to post an unpopular opinion.

People could be sent to prison because a company made a mistake and posted confidential information in a public venue, and people read it. Ever gotten an email from someone by mistake? If an authorized request that results in information being released improperly is hacking, then reading that hypothetical email would make you a felon.
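An added example, not code from the article, from Krebs, from any commenter, or from any site named on the page: a toy record lookup that illustrates the class of flaw the article's reference to Weev's ID-incrementing walk and Bergman's comment above are both describing. It shows an endpoint that returns whatever numeric ID the client supplies beside one that checks who is asking (the "agent" that has been told which information it may release), and the same contrast for a write that flips a "paying" flag. All names, IDs, e-mail addresses and the billing-service role are constructed for the example.

```python
"""Insecure direct object reference (IDOR) beside its fix.

Added example for illustration only; none of this is code from the page,
from Krebs, or from any site the article names.  The store, the users and
the 'billing-service' role are constructed sample data."""

from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Profile:
    profile_id: int
    owner: str      # account allowed to read this record
    email: str
    paying: bool    # billing state; should only be changed by the billing system


def sample_store() -> Dict[int, Profile]:
    """Constructed stand-in for a dating site's user table (fresh copy each call)."""
    return {
        1001: Profile(1001, "alice", "alice@example.org", True),
        1002: Profile(1002, "bob", "bob@example.org", False),
        1003: Profile(1003, "carol", "carol@example.org", True),
    }


# Constructed: the only principal permitted to alter billing state.
BILLING_ROLE = {"billing-service"}


def lookup_vulnerable(store: Dict[int, Profile], session_user: str, profile_id: int) -> Optional[Profile]:
    """Vulnerable: the authenticated user is ignored, so any existing ID is returned.
    This is the pattern behind 'increment the ID in the URL' disclosures."""
    return store.get(profile_id)


def lookup_hardened(store: Dict[int, Profile], session_user: str, profile_id: int) -> Optional[Profile]:
    """Hardened: object-level authorization.  A record is released only to its owner,
    and a non-owner gets the same answer as a nonexistent ID, so IDs cannot be enumerated."""
    record = store.get(profile_id)
    if record is None or record.owner != session_user:
        return None
    return record


def set_paying_vulnerable(store: Dict[int, Profile], session_user: str, profile_id: int, paying: bool) -> bool:
    """Vulnerable: any logged-in user can flip anyone's billing flag."""
    record = store.get(profile_id)
    if record is None:
        return False
    store[profile_id] = replace(record, paying=paying)
    return True


def set_paying_hardened(store: Dict[int, Profile], session_user: str, profile_id: int, paying: bool) -> bool:
    """Hardened: billing state is written only by the billing role, never by the profile owner,
    because ownership of a record does not imply authority over every field in it."""
    if session_user not in BILLING_ROLE:
        return False
    record = store.get(profile_id)
    if record is None:
        return False
    store[profile_id] = replace(record, paying=paying)
    return True


def walk_ids(store: Dict[int, Profile],
             lookup: Callable[[Dict[int, Profile], str, int], Optional[Profile]],
             session_user: str, start: int, stop: int) -> List[int]:
    """Simulate the incrementing walk against one of the lookups; return the IDs
    whose records were disclosed to session_user."""
    return [i for i in range(start, stop + 1) if lookup(store, session_user, i) is not None]


if __name__ == "__main__":
    store = sample_store()
    # 'bob' is logged in and walks a small ID range against each endpoint.
    print("vulnerable:", walk_ids(store, lookup_vulnerable, "bob", 1000, 1005))
    print("hardened:  ", walk_ids(store, lookup_hardened, "bob", 1000, 1005))
    print("bob flips own paying flag (vulnerable):", set_paying_vulnerable(store, "bob", 1002, True))
    print("bob flips own paying flag (hardened):  ", set_paying_hardened(sample_store(), "bob", 1002, True))
```

The hardened lookup deliberately returns the same result for "not yours" and "does not exist"; distinguishing the two (for instance with 403 versus 404) would itself leak which IDs are populated, which is all an enumerating client needs.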
