Given the sensitive nature of the data obtained in the Ashley Madison hack, it was inevitable that lawsuits would follow. The company seemed less interested in protecting its users' privacy and more interested in selling them the "privilege" of deleting their accounts and the information contained therein, should they suddenly have a crisis of conscience. (And that information appears to not have actually been deleted, despite the company's promise to do so.)
And, given the sensitive nature of the data, it was inevitable that a lawsuit would be filed that focused less on coherent legal arguments than the plaintiffs' anger at being included in a data breach that would also expose their extramarital endeavors. Alexander J. Martin of The Register has obtained a filing from just such a lawsuit.
Three John Doe plaintiffs have filed a complaint (PDF) against Amazon Web Services, GoDaddy, and 20 John Roes (anonymous defendants), in the Arizona District Court, for "intentionally inflicting emotional distress upon Ashley Madison users."
The plaintiffs want not less than $3m in damages or losses, and a jury trial to boot, and complain that the hack has resulted in them becoming victims to threats and extortion.
The misguided arguments begin almost immediately. As noted above, the plaintiffs have named Amazon and GoDaddy as defendants (referring to them as "internet service providers"), solely because copies of the "stolen data" are hosted at sites serviced by both.
While at least one class action has been filed by users against Ashley Madison for its failure to property [sic] secure the hacked information, this action deals with a different injury inflicted upon Ashley Madison users by persons and entities who have obtained the stolen data, repurposed it such that it is more readily accessible and searchable by the media and curious Internet users, and actively distributed it for their own gain. While these persons and entities may labor under the belief that their actions are entrepreneurial rather than criminal, the fact remains that they are in willful possession of stolen property.
Section 230 should see both these parties dumped from the lawsuit shortly after their responses are filed. Neither can be held responsible for copies of Ashley Madison user data uploaded to websites/online storage by third parties, and no amount of indignation is going to change that.
This would leave the plaintiffs in the position of trying to unmask the following unknown entities, none of which are tied directly to the hacking, much less hosting the stolen data central to the plaintiffs' arguments.
John Roe 1, the owner/operator of ashleymadisonpowersearch.com and adulterysearch.com
John Roe 2, the owner/operator of ashleymadisoninvestigations.com
John Roe 3, the owner/operator of greyhatpro.com
John Roes 4-20, who "are unknown at this time, but are believed to be, among other persons or entities, additional Internet service providers and website operators trafficking in the Stolen Data"
As for the first Roe, the website notes (multiple times) that it doesn't host the data, nor has it requested any ISP host it on its behalf. Ashley Madison Investigations also points out that it hosts no copies of the hacked data, but rather pulls its information from "public databases." Greyhat Pro is the only site that offers no disclaimer about the location of the database it's using in its search.
Unless the plaintiffs and their lawyers have access to information proving otherwise, this claim is likely false:
Roe 1, Roe 2, and Roe 3 each own and/or operate a website within this cottage industry, wherein the Roe Defendant has copied a portion and/or all of the Stolen Data and made it searchable through the Roe Defendant’s website (collectively, the “Roe Websites”). As such, each of these Roe Defendants is in willful and knowing possession of stolen property—namely, the Stolen Data.
Screenshots of the websites are included in the filing, but notably none of them include snapshots of the statements pointing out that two of the Roe defendants are not in direct possession of the data.
[Screenshot: Ashley Madison Power Search/AdulterySearch]
[Screenshot: Ashley Madison Investigations]
So, the prognosis for this lawsuit isn't good. As if to buttress the likelihood of failure, the filing -- which relies heavily on California statutes -- cites a Canadian court decision in support of its overall argument.
Indeed, in recognition of the fact that Ashley Madison data contains confidential information and constitutes stolen property, a Canadian court, the Ontario Superior Court of Justice, issued a restraining order requiring several websites and Internet service providers to immediately disable the Ashley Madison data, deeming it “offence related property in respect of which order of forfeiture may be made under the [Ontario] Criminal Code.”
Canadian law has no Section 230 equivalent, which greatly assists in its courts coming to these sorts of conclusions. And, it must be noted, it cannot order US-based sites to comply with its directives.
Basically, the suit hopes to hold all of these parties accountable for the digital equivalent of receiving and selling stolen goods, plus additional damages for emotional distress. It also attempts to portray the reputation repair/protection services offered by these sites as a violation of the CFAA, citing the following sections of that law:
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion
All of the sites mentioned offer people the (very dubious) opportunity to find out if their information is contained in the data, along with other details (whether it includes credit card data, etc.). The transaction is voluntary and none of the sites make any threats about publishing sensitive data if potential customers decide not to take advantage of the offered services. Considering the information is available elsewhere, these offers are generally worthless. They're unsavory and opportunistic, but they aren't extortion.
While I do have some sympathy for those whose lives have been negatively affected by the dissemination of this data, a lawsuit pursuing anyone but Ashley Madison or those behind the hacking is little more than casting about wildly in hopes that someone will recompense them for the wrongs they've suffered, while being willing to let any "someone" pay for the actions of others.