Security Researcher Brian Krebs Receives Legal Threat From Former Ashley Madison Exec Over Hacking Allegations
from the possibly-some-merit-in-the-threats-for-a-change dept
Ashley Madison's former CTO, Raja Bhatia, is toying with the idea of suing security researcher Brian Krebs for libel. Bhatia has problems with an earlier story by Krebs, which quoted emails obtained from the Ashley Madison hack that seemingly indicated the company's execs participated in the breach of a rival's customer database.
The original story made these claims (again, based on the content of exposed emails):
A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.Bhatia's legal rep says Bhatia takes exception to being labelled a hacker in the headline and body of the post. Unlike countless other legal threats, this letter to Krebs takes the time to point out the specific claims Bhatia takes issue with, as well as offering up information that seemingly contradicts Krebs' assertions.
At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.
“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”
Contrary to the express statement in the article’s title and the suggestion in its body, Mr. Bhatia did not “hack” Nerve.com. Rather, he noticed a readily apparent security gap and remarked on it to Noel Biderman, Ashley Madison’s CEO, with whom he happened to speak shortly thereafter. At no time did Mr. Bhatia attempt to bypass Nerve.com’s security or to exploit its gap in any way. He did not bulk exfiltrate this data or attempt to alter it, as implied by the selective quotes from his emails included in your post. To the contrary, Mr. Bhatia expressly stated that he would not do so in the email sequence referred to in the article, a point omitted from your report.Bhatia's lawyer has asked for a correction and retraction of the earlier post. Krebs has refused to do, standing by his earlier assertions and posting Bhatia's letter in full.
Unfortunately for Krebs, he has a much higher bar to reach to get this thrown out. The lawsuit, if it arrives, will be filed in Canada, where Ashley Madison's parent company (Avid Life Media) is located. Canadian law shifts much of the burden of proof to defendants in defamation cases and Canadian courts have been known to reach some very questionable conclusions when dealing with these sorts of lawsuits. That being said, the SPEECH Act would likely prevent a Canadian court from issuing an unenforceable order targeting a US site. But it still would mean Krebs would need to spend money and time fighting the lawsuit.
The other thing that might hurt Krebs is any discussion of the word "hacking." The way it's used in his original post brings an entirely negative connotation to a word that is also frequently used to describe the work done by Krebs himself. Any efforts to prove the truth of his hacking allegations against Bhatia are likely to do additional damage to a word that can also cover the "neutral" and "good" ends of the spectrum. Obviously, it's in Bhatia's interests to push for redefining "hacking" as purely a nefarious activity, seeing as the legal threat refers to the "implications" of Krebs' post almost as much as it refers to any "false and defamatory statements."
In a very colloquial sense, Bhatia's discovery of a security flaw is "hacking." Bhatia's legal team obviously views the use of "hacking" in this context to be wholly negative. Litigation over "hacking" allegations has the potential to further push "hacking" towards being synonymous with "evil." According to Krebs' own words, no real "hacking" was done, at least not in the criminal sense (where protective schemes are attacked and breached). This "hack" was no more inappropriately intrusive than uber-troll Weev's incremental alteration of user ID numbers to access AT&T user account info.
On the other hand, arguments in favor of a more colloquial definition of "hacking' could work in Krebs' favor, where "hacking" simply means using or accessing something in a way the general public wouldn't. In that sense, the headline and the quasi-accusation would be truthful, if not especially accurate. Krebs could argue his use of the word "hacking" wasn't meant to have negative connotation but was simply used as accessible shorthand for Bhatia's actions. Either way, colloquial use of a term that encompasses a wide variety of actions (good and bad) isn't really enough to rise to the level of defamation.
The larger issue may be the statement that Bhatia exfiltrated nerve.com's user database. As the letter states, other emails indicate he did no such thing (and indeed wouldn't) even though he had the opportunity.
At this point, it's Bhatia's move. Krebs is refusing to comply with the requests of Bhatia's attorney. Now that everyone's lining up to file a lawsuit against the company, it's probably a safe to assume a few lawsuits will be filed in the other direction, targeting those utilizing information obtained from the hack. Bhatia has a favorable venue and very little to lose by pursuing this, so I would expect an announcement of a lawsuit in the near future.