Ashley Madison Continues To Use Dubious Legal Takedown Threats To Try To Disappear The Data It Failed To Protect

from the not-a-good-idea dept

We've written a few times now about how the parent company of Ashley Madison, Avid Life Media, has been committing perjury and issuing completely bogus copyright demands to try to hide the information that was leaked after its servers got hacked. Last month, that tactic (despite not complying with the law) apparently worked briefly, until the full data dump happened last week. But that hasn't stopped the company from continuing to try. EFF wrote a long blog post detailing how this was a clear abuse of the law, but Avid Life Media doesn't seem to care.

After the leak came out, a few sites sprung up quickly to help people search the database. Whether or not you think it's appropriate to set up such a site (or to use it) is a separate issue, but what hopefully everyone can agree on is that such a site should not be taken down for copyright reasons. There were two main sites that got the bulk of attention for setting up such a database, and one has already shut down and the other has received a takedown demand (though not a copyright one). I won't link to either site, but here's what's now posted on one of the sites:
Meanwhile, the creator of the other main search engine has said on Twitter that he, too, has been hit with "a vexatious DMCA from lawyers acting on behalf of Avid Life Media" and reporters are similarly mistakenly calling it a DMCA, but according to the copy the guy posted to Pastebin, the letter sent by Avid Life Media's lawyers at giant law firm DLA Piper to CloudFlare is not actually a DMCA, but rather a weird "please, take this down because... vague reasons and terms of service violations." That is, there's no real legal threat (because there's no basis for one). It's just vaguely threatening hoping to scare off people:
Our firm is counsel to Avid Life Media, Inc. (“ALM”) with respect to its intellectual property and data privacy matters. As you may know, ALM is the parent company of the online dating and social networking service Ashley Madison. Because users entrust ALM with highly sensitive and intimate details (collectively the “Ashley Madison User Data”), the privacy of ALM’s users is of utmost importance. As a result, ALM proactively and arduously regulates any authorized (and unauthorized) use of Ashley Madison User Data.

This letter is to inform CloudFlare, Inc., and all related entities (collectively, “You”) that, upon information and belief, CloudFlare, Inc.’s client (“Your Client”), has posted a searchable database of the Ashley Madison User Data to a website hosted on a domain name hosted by You. Specifically, Your Client has posted the Ashley Madison User Data at the following URL: https://ashley.cynic.al/ (the “URL”). Your Client’s publication of the Ashley Madison User Data may constitute illegal disclosure of private personal information, and potentially expose millions of individuals around the world to identity theft.

Moreover, we believe that the website content hosted at the URL may violate the Your Terms of Use, located at: https://www.cloudflare.com/terms. Specifically, the website content hosted at the URL may violate the Terms of Use in that it likely infringes upon the privacy and personal data rights of the Ashley Madison users. Accordingly, ALM requests that You take action to remove and/or disable access to all content at the URL.

Please note that this letter is made without prejudice to any other rights or remedies that may be available to ALM. Nothing contained herein should be deemed a waiver, admission, or license by ALM, and ALM expressly reserves the right to assert any other factual or legal positions as additional facts come to light or as the circumstances warrant.
CloudFlare, in response, told the guy that it had forwarded the name of the actual hosting provider (a non-US company) to the lawyers at DLA Piper, and at last check, the guy claims that his hosting company, ColoCall out of Ukraine, has not done anything about it. That may change, but it's not clear what legal basis ALM has for the demand. It's nice to see that ALM is no longer making totally bullshit copyright claims, but these weird "privacy and personal data rights" claims don't have much legal basis either.

Filed Under: dmca, leaks, privacy, takedowns
Companies: ashley madison, avid life media, cloudflare


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Baron von Robber, 25 Aug 2015 @ 9:47am

    Stop, drop and roll, Ashley!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Aug 2015 @ 9:49am

    ALM has exposed millions of people to the world of identity theft by deciding to use 5 letter passwords. GG

    reply to this | link to this | view in chronology ]

  • icon
    DannyB (profile), 25 Aug 2015 @ 10:04am

    Ashley Madison you have it all wrong with the DMCA

    You are wrong. WRONG WRONG WRONG.

    You need to see the light and STOP using the DMCA to try to deal with this.

    You should be using the new super dooper RTBF ! (Right To Be Forgotten)

    The new RTBF has advantages over the outdated DMCA.
    1. While the DMCA can only be used within worldwide jurisdiction, the RTBF can be used in even wider worldwide jurisdiction!
    2. You can't use the DMCA to take down articles critical of DMCA requests, but you CAN use RTBF to take down articles critical of RTBF requests!
    3. Coming Soon!... the ability to recursively take down all future articles about an RTBF request! (just try that with the puny DMCA.)
    4. You don't have to be an actual copyright owner to use RTBF. (although it is doubtful that you need copyright ownership to use DMCA.)

    reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 25 Aug 2015 @ 10:32am

    Amateur: A minor nitpick

    Amateur is derived from amor and refers to people who do it because they love it (rather than because it's a trade). Commonly, actual amateurs are rather good at what they do.

    I'd suggest the synonym sophomoric which refers to the stupid mistakes we make when we're sophomores and think that we know things because we're no longer freshmen (pro-tip: we don't).

    reply to this | link to this | view in chronology ]

  • identicon
    Humungous, 25 Aug 2015 @ 10:39am

    Posting PII IS a crime

    Posting this information opens the sites' hosts to the possibility of defamation lawsuits and may be interpreted in some jurisdictions as possession of stolen property. This has at least some legal precedent from the Sony hack. Indeed, even in America, the least privacy conscious of western countries, most states have laws against the fraudulent use or possession of identifying information. In fact, this appears to be the route that ALM's lawyers are taking, judging from this letter.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Aug 2015 @ 1:16pm

      Re: Posting PII IS a crime

      Yeah; I was going to mention that the base of their claim is really:
      " Your Client’s publication of the Ashley Madison User Data may constitute illegal disclosure of private personal information."

      This is debatable in the US, but much more policed under privacy laws in the EU where the server is actually hosted.

      reply to this | link to this | view in chronology ]

      • icon
        PaulT (profile), 26 Aug 2015 @ 3:18am

        Re: Re: Posting PII IS a crime

        "This is debatable in the US, but much more policed under privacy laws in the EU where the server is actually hosted"

        The Ukraine is in the EU? Or are you referring to Cloudflare and not the place the original page is hosted?

        reply to this | link to this | view in chronology ]

    • icon
      sigalrm (profile), 25 Aug 2015 @ 3:24pm

      Re: Posting PII IS a crime

      No.

      The route that ALM's lawyers are taking is to send heavily caveated, non-legally binding demand letters to someone that they hope doesn't have competent legal counsel, and will therefore comply because "lawyers saying scary sounding things."

      Frankly, they'd probably get a better response if they sent a letter saying "look, there's no legal basis for us to ask this, so we're not going to threaten, but you'd be doing an awful lot of people a solid if you took this content down."

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Aug 2015 @ 3:39pm

        Re: Re: Posting PII IS a crime

        Just because you slap a big "No" at the top of your comment doesn't make you any less wrong (and you are wrong, by the way). Fraudulent use and possession of identifying information about an individual is unambiguously illegal in the United States, which is what the letter is referencing when it says, "publication of the Ashley Madison User Data may constitute illegal disclosure of private personal information, and potentially expose millions of individuals around the world to identity theft."

        Websites that allow an email lookup with no additional provision of PII will almost certainly be allowed to stay up, as past precedent has proven. Those websites that are wantonly slapping a bunch of personal names and addresses on their website for all to see should, as you suggest, by all means retain legal counsel, and that legal counsel, if it's worth its money, will almost certainly tell them that what they are doing is not only reckless and stupid, it's also illegal.

        reply to this | link to this | view in chronology ]

        • icon
          sigalrm (profile), 25 Aug 2015 @ 5:22pm

          Re: Re: Re: Posting PII IS a crime

          Fraudulent use and possession of identifying information about an individual is unambiguously illegal in the United States

          Federal Statute creating a general ban on possession of personally identifiable information (PII) in this context, please?

          This is by all accounts a non-US hosting company (Ukraine is called out) and there's nothing to indicate a locality for the person publishing the website so there are likely jurisdictional issues here.

          Past that, nowhere in the actual letter was PII referenced. It was certainly alluded to. But the lawyers reference "Private, personal, information".

          To your other point about providing information? The website in its current form checks for the presence of a user-provided email address in the dataset, and returns a yes/no along with an explanation of why presence in in the database isn't an automatic indicator of being an active user.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 25 Aug 2015 @ 6:49pm

            Re: Re: Re: Re: Posting PII IS a crime

            Federal Statute creating a general ban on possession of personally identifiable information (PII) in this context, please?


            Sure. Here you go: https://www.law.cornell.edu/uscode/text/18/1028

            Clause (a)7 would probably be the one that most applies, since this does violate several state laws, and would indeed constitute a felony in multiple states due to the volume of PII being provided.

            This is by all accounts a non-US hosting company (Ukraine is called out) and there's nothing to indicate a locality for the person publishing the website so there are likely jurisdictional issues here.


            Which certainly complicates things. But in international jurisdiction law, nations can invoke the passive personality principle if they feel that a foreign nation has willfully caused harm to one of its citizens. It's not a principle that's often invoked, but considering the FBI is now actively involved with the investigation of the initial hack and subsequent spread of the information, and considering some sixteen odd million Americans are having their data posted, it's not without the realm of possibility, were a foreign site to decide to openly post PII. Of course, as I said earlier, the cynic.al website is merely an email search tool, so at the moment it's probably safe from that.

            Past that, nowhere in the actual letter was PII referenced. It was certainly alluded to. But the lawyers reference "Private, personal, information".


            Of course, they also never used the phrase DMCA, either. Nor is this even formatted as a DMCA letter. So my initial claim that this isn't a case of "dubious legal takedown" using DMCA still stands.

            reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 25 Aug 2015 @ 9:55pm

          Re: Re: Re: Posting PII IS a crime

          "Fraudulent use and possession of identifying information"

          Techdirt is not fraudulently using any information. Where has Techdirt committed fraud?

          reply to this | link to this | view in chronology ]

  • icon
    Sheogorath (profile), 25 Aug 2015 @ 11:16am

    "Specifically, the website content hosted at the URL may violate the Terms of Use in that it likely infringes upon the privacy and personal data rights of the Ashley Madison users."
    Um, how exactly? Doesn't one need to know what one's searching for in order to formulate a search term that's most likely to fetch the relevant data? If one has that information, then one is probably the owner of it. Unless one happens to be one of the many who joined one of ALM's websites with fake details, in which case no individual's privacy is at risk. At least, that's how I'm seeing it.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Aug 2015 @ 12:54am

      Re:

      If one has that information, then one is probably the owner of it.

      Or the significant other of the person whose data is being searched for.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Aug 2015 @ 11:35am

    what i find so amusing about this sort of hack/release of info is that it is no sooner out in the wild than the lawyers are circling like vultures! not, as you may think, to get the I.D.s of the hackers or to protect the company concerned, but to whom they can get a case from concerning the information released. no one seems to mind who did what, when, with whom, until the first law firm is contacted or shows willingness to be hired.

    reply to this | link to this | view in chronology ]

  • icon
    Pronounce (profile), 25 Aug 2015 @ 11:40am

    ALM or SONY

    I can see why they try to use (abuse) the law, but what really makes me upset is that the major news agencies are backing their bogus claims. The appearance is that news agencies are more concerned with protecting the abusers than the abused (us, the people that depend on news agencies to be fair and unbiased).

    reply to this | link to this | view in chronology ]

    • icon
      sigalrm (profile), 25 Aug 2015 @ 2:59pm

      Re: ALM or SONY

      First, if you're depending on news agencies to be "fair and unbiased", you're doing it wrong.

      Second, some of the people in those news agencies are likely ALM Customers, and as such will have run afoul of the morality clauses in their employment agreements, and hence have a vested interest in ensuring the data never gets looked at too closely.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Hero, 25 Aug 2015 @ 1:06pm

    am i crazy?

    You pretty much can't guarantee data protection with 100% certainty. Much of computer security is designed to make exploitation expensive for adversaries, to the point where it's not worth their time/money to attack you. A simple example is WPA password hashing, which runs the same hash 4096 times just to make dictionary attacks that much slower, or in other words, more expensive.

    So, if you're a company whose business model depends on protecting the privacy of your customers, and you suffer a massive data breach, why wouldn't you use every tool in your arsenal, bullshit or otherwise, to make it more difficult for third parties to access that data?

    My guess is that AVM customers care more about limiting the violation of their privacy than the proper application of copyright law. I don't know, am I crazy?

    reply to this | link to this | view in chronology ]

    • identicon
      New Mexico Mark, 25 Aug 2015 @ 1:30pm

      Re: am i crazy?

      While you make a good point about much of security being about cost vs. "benefit" for attackers, this doesn't apply nearly as much for circumstances like a targeted revenge attack, nation-state attack, or hacktivism. Additionally, many early indicators seem to show that Avid Life had a disdain for best security practices (protecting their customers' private information) -- even the ones that would not have cost the company a penny to implement.

      Trying to limit access to data that has already been exfiltrated and posted on the Internet is like pouring a glass of water into the ocean, then demanding that those molecules be put back into the glass. At that point, it is not a matter of resources, but keeping up the illusion of "doing something about it".

      Bottom line: If you think Avid Life is doing all these gyrations out of altruistic concern for their customers' privacy rather than just trying to protect their own collective naughty bits from hordes of rabid lawyers, then yes, you are crazy.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Hero, 25 Aug 2015 @ 2:09pm

        Re: Re: am i crazy?

        > Bottom line: If you think Avid Life is doing all these gyrations out of altruistic concern for their customers' privacy rather than just trying to protect their own collective naughty bits from hordes of rabid lawyers, then yes, you are crazy.

        Quite frankly, I think they're doing it out of panic.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Aug 2015 @ 1:35pm

    "what hopefully everyone can agree on is that such a site should not be taken down for copyright reasons" -- Who cares what the basis is?

    It's doing harm to persons -- I'M not much upset, but it's good principle -- so take this data down any way needed. Send in the Marines, be fine with me on this.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Aug 2015 @ 1:51pm

      Re: "what hopefully everyone can agree on is that such a site should not be taken down for copyright reasons" -- Who cares what the basis is?

      Who cares what the basis is?

      I do. It's important.

      And what exactly are the Marines going to do? Blow up some data center because "geez, people might be embarrassed?"

      When your only tool is a hammer, every problem becomes a nail.

      reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 25 Aug 2015 @ 3:26pm

      Do no harm.

      I think that preventing someone from using or posting this database is a violation of that person's rights until it is established that what they are doing causes harm.

      And that requires due process.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Aug 2015 @ 3:30pm

        Re: Do no harm.

        So we have a right to stolen property?

        reply to this | link to this | view in chronology ]

        • icon
          Dan (profile), 25 Aug 2015 @ 3:48pm

          Re: Re: Do no harm.

          What "property" was "stolen", and under which jurisdiction's law?

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 25 Aug 2015 @ 3:57pm

            Re: Re: Re: Do no harm.

            This isn't the old "stealing copyrighted material is called infringement" thing.
            Nobody questions that there is no copyright claim. That only works for copyright and ONLY in the US.
            In this case neither of those things are so.

            What is so is that a network was broken into and data stolen, threats of extortion were made, and now individuals are being threatened and extorted.

            reply to this | link to this | view in chronology ]

        • icon
          Uriel-238 (profile), 25 Aug 2015 @ 3:52pm

          Blackmail for instance.

          It wasn't stolen. Ashley Madison still has it.

          You'll still need to present a case for harm done by those who have the data, rather than the harm done by those who obtained the data.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 25 Aug 2015 @ 4:19pm

            Re: Blackmail for instance.

            "It wasn't stolen. Ashley Madison still has it."

            Has that been used as a defence in court yet. Not in a copyright case, but in stealing data for extortion case?
            "Yes I have it, your honour, but they still have it too. Yes I know that it was their's, but it still is - it's just kinda ours now".

            reply to this | link to this | view in chronology ]

            • icon
              Uriel-238 (profile), 25 Aug 2015 @ 5:15pm

              It would be a poor defense.

              If I know my extortion schemes, it's not the having someone's secret or learning someone's secret parts that are criminal. It's the making threats and demanding money part that does it.

              reply to this | link to this | view in chronology ]

              • identicon
                Anonymous Coward, 25 Aug 2015 @ 7:17pm

                Re: It would be a poor defense.

                I really meant the stealing, not the extortion.
                I mean in the context that you used it.

                reply to this | link to this | view in chronology ]

                • icon
                  Uriel-238 (profile), 25 Aug 2015 @ 8:07pm

                  Stealing.

                  Well, that's how the CFAA is used to put whistleblowers into prison for longer than murderers.

                  We say that such sensitive (incriminating) material was stolen.

                  Never mind that it was incriminating.

                  So yeah, there's a really sucky law against copying information that isn't yours from computers, and it's used to put away people that inform the public when the government does criminal stuff.

                  So I personally don't take that law seriously at all, since I know it as a way to get revenge against well-meaning whistleblowers. It may have some good uses somewhere, but it's doing more bad than good right now.

                  reply to this | link to this | view in chronology ]

                  • identicon
                    Anonymous Coward, 25 Aug 2015 @ 10:06pm

                    Re: Stealing.

                    What I'm reading here is you'll sit on Techdirt all day with your fingers in your ears saying "Nothing was stolen, they've still got it, you can't steal it, it's not stealing" But you'd never actually stand before a judge and try and plead that as your defence.

                    reply to this | link to this | view in chronology ]

                    • icon
                      Uriel-238 (profile), 26 Aug 2015 @ 3:05am

                      Obsessive?

                      Sounds like you're dwelling on one aspect of the case.

                      I told you my position.

                      And regardless I have no confidence in the US Justice System anyway, so I wouldn't even hazard a guess as to what my defense would be.

                      Feel free to read whatever the heck you like in that. I am rapidly ceasing to care what you think.

                      reply to this | link to this | view in chronology ]

            • icon
              DannyB (profile), 26 Aug 2015 @ 8:39am

              Re: Re: Blackmail for instance.

              You would really do better complaining about the Extortion. You would have a real argument there.


              > "Yes I have it, your honour, but they still have it too.
              > Yes I know that it was their's, but it still is - it's just kinda ours now".

              That is EXACTLY how copying works. Whether authorized or not, once I have a copy of something, the copy is mine, and the original is still theirs. My neighbor gave me a copy of his cookie recipe. Guess what? He still has it. And I have it. Exactly as you are saying in your argument. Yes, it's still his, but it's also mine too, and not kinda.

              You could argue the copy was unauthorized. But maybe I obtained my copy innocently, possibly without understanding the implications, from some website that offered it for download. (As in the copyright case: you should be going after the download site, not the downloader, not Google.) Some people could argue that once disclosed, this data is of public interest (eg, reporters, researchers, politicians running against an Ashley member for the same political office).

              The extortion argument is so much simpler and clear.

              reply to this | link to this | view in chronology ]

      • icon
        sigalrm (profile), 25 Aug 2015 @ 3:50pm

        Re: Do no harm.

        Uriel,

        Also, don't forget general (though not absolute) prohibitions against prior restraint.

        In the US, at least.

        reply to this | link to this | view in chronology ]

  • identicon
    Anon, 25 Aug 2015 @ 1:48pm

    Kill the hackers

    The hackers and their immediate families should be killed if discovered. This will teach everyone scumbag hacker that wants to violate someone's privacy whether a cheating site, health records, government site, etc. Everyone has a purpose for doing so, but that doesn't make it right!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Aug 2015 @ 1:50pm

    Whether or not privacy rights have a strong legal claim depends on your jurisdiction. What we should be considering though, is given the serious harm that can be done to people, what should the right to privacy on the internet entail and at what point does it trump or limit free speech rights? If someone breaks into your email account and copies your most intimate and private correspondence and leaks it on the dark web, does a third party then have the right to access and publish that information on the light web (for lack of a better term) in the name of free speech?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Aug 2015 @ 1:53pm

      Re:

      This isn't a matter of free speech - this is a matter of using copyright when it's clearly not applicable.

      THAT is the problem - incorrect use of law.

      reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 25 Aug 2015 @ 4:15pm

      I believe the answer to that is yes.

      If a snapshot of you on the bathroom is snagged by a hacker, handed over to a third party and then dropped into the lap of the New York Times (which publishes a redacted version), then only the hacker has committed a crime.

      I'm pretty sure we like it that way, given it protects whistleblowers who which to drop private data of a more incriminating sort than bathroom pics. Your attempt to suppress the pic will only assure that it gets Streissanded everywhere.

      I say this as a three-felonies-a-day sort of criminal, who doesn't really do anything particularly scandalous or heinous, and who is less pervy (probably) than the average person on the (San Francisco) sidewalk.

      If I were pervier and in a county that was less tolerant than the queerest of my bedroom activities, I might want laws to prevent me from being outed. As it is, it's a total social faux pas to out someone (as gay, a BDSM participant, a zoophile) as it is to dox them, but it's not yet illegal.

      reply to this | link to this | view in chronology ]

  • identicon
    Sibyl Simoes, 26 Aug 2015 @ 1:55am

    Note to public...there is no such thing as a completely secure data base. All of the emails are searchable at www.cheaterscout.com

    reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 26 Aug 2015 @ 10:12am

      When Steam was hacked

      The database of users and their private information was accessed and taken.

      But it was salted and so far there's been no indication that anyone has figured out how to decrypt it.

      So...far more can be done than what AM did to keep details safe.

      And it's really hard to find something in one's Steam account that is disreputable.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Aug 2015 @ 5:28am

    Information wants to be free.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.