The hack of the “dating” site AshleyMadison.com, which threatens to expose the personal information of millions of people who may be cheating on their spouses, was initially met with snark. So what if some alleged cheaters are going to be exposed, right? But the hackers’ reasons for holding the information hostage were not actually about the sanctity of marriage vows–in fact, they point to a much deeper and more widespread issue. In short, can any data you hand over to a faceless online company ever truly be removed?
Ashley Madison is a site aimed at married people looking for a little something on the side. Its titillating motto, “Life is short. Have an affair” seems to work, given that it claims to have 37 million users.
On Sunday, Krebs on Security revealed that a hacking group called The Impact Team said it accessed identifying personal data on the Toronto-based site’s users and threatened to publish the information if Ashley Madison doesn’t shutter its service.
The motive? Although the hackers referred in a manifesto to Ashley Madison users as “cheating dirtbags…who deserve no…discretion,” it seems The Impact Team’s anger stems from what it says is Ashley Madison’s ongoing refusal to delete users’ data even when those users paid to have their information permanently removed.
Ashley Madison parent company Avid Life Media did not respond to a request for comment for this article, but yesterday, it released a statement on the matter, saying, “We have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act.”
Perhaps more telling is the company’s assertion that “no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies. . . . As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”
In other words, if your information is online, it may well get stolen, no matter the security efforts taken by the sites holding it. Mea culpa, and caveat emptor.
Americans want privacy online, and in the post-Edward Snowden/NSA era, we’re more vocal than ever about that, even if we may have no clue how to get what we want. According to a Pew Research Center study, 93% of adults said it’s important that they be able to control who can access information about them, and 90% said controlling what information is gathered about them is also important.
It’s clear, though, that once we put information online, on banking sites, on medical sites, on dating sites, and on social media sites, we may lose that control. Ashley Madison promised to delete users’ information if they ponied up $19, but The Impact Team insists it fails to do so. In the end, it may well come down to a question of who do we actually believe when something like this–the complete deletion of your data–is so difficult to prove.
“When it comes to interacting with companies, you are in a position where you have to trust them,” said Rebecca Jeschke, the media relations director at the Electronic Frontier Foundation (EFF), a nonprofit dedicated to defending civil liberties online. “In a just world, you could. . . . It should be very clear to the consumer how their data is used and collected and encrypted and deleted. But . . . we find out routinely that’s not the case.”
Therein lies the problem. As much as we’d like to believe that we have the ability to proactively delete our personal information online, as companies like Facebook and Google say is possible, it boils down to a matter of trust, and the reality that there is no clearinghouse for deleting data.
“It’s a huge problem, and it’s not about to get easier anytime soon,” said Seth Rosenblatt, a journalist who will soon launch an as-yet unnamed security news site. “Removing information from the Internet requires getting each individual site owner that has your info to delete it.”
Good luck with that, experts say, as it’s not in the business interests of many companies to comply. After all, there are countless companies making fortunes by using people’s private information to target focused advertising at them.
There are also companies that specialize in helping people clean up what’s available online about them, such as Reputation.com, but they have no power to force other site owners to remove anything, especially when those sites are located in countries with more relaxed rules on consumer protection online.
On the other hand, the European Union, with its Right to Be Forgotten rules, has a “much more stringent framework than we do in the United States because we let companies get away with a lot more” here, says Paul Ferguson, a senior threat research advisor at Trend Micro.
No matter how much a company might like to assist users in deleting data, it may still fail at the job. According to Jacob Hoffman-Andrews, a senior staff technologist at the EFF, it’s straight-up hard to “completely” delete data because systems like hard drives, databases, applications, and others often mark data as deleted instead of actually wiping it.
That said, Hoffman-Andrews said, stronger tools can help solve the problem. “If databases and file systems offer ‘secure deletion’ as an option,” he said, “it would be easier for companies to do it.”
Using encryption can also help, he added. If users’ data are encrypted with a single key, “it’s generally easier to wipe that key when the user deletes their account than it would be to wipe each instance of their data.”
On the other hand, there’s no accounting for human error, regardless of companies’ intentions, and mistakes are the most likely reason data aren’t deleted, Hoffman-Andrews said. “Some employee just didn’t realize the data they generated needed to be deleted. Or the employee writing the delete code didn’t know about all the places data was being stored. Companies that store personal information should carry out frequent audits of their data systems to ensure they are actually deleting the things they intend to delete.”
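The kind of audit Hoffman-Andrews describes can be sketched in code. The following is an added example, not part of the original article or any company's actual system: it uses Python's built-in sqlite3 module and a constructed schema (the table names users, profiles, billing_log and deletion_requests are all hypothetical) to show a delete routine that only flags the account and misses one data store, and an audit that scans the schema to find what was left behind.

```python
import sqlite3

def build_demo_db():
    """Constructed sample data; every table name here is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(user_id INTEGER PRIMARY KEY, email TEXT, is_deleted INTEGER DEFAULT 0);
        CREATE TABLE profiles(user_id INTEGER, bio TEXT);
        CREATE TABLE billing_log(user_id INTEGER, card_last4 TEXT);
        CREATE TABLE deletion_requests(user_id INTEGER PRIMARY KEY);
        INSERT INTO users(user_id, email) VALUES (1,'a@example.test'),(2,'b@example.test');
        INSERT INTO profiles VALUES (1,'bio one'),(2,'bio two');
        INSERT INTO billing_log VALUES (1,'1111'),(2,'2222'),(2,'3333');
    """)
    return db

def user_tables(db):
    """Every table with a user_id column, except the deletion ledger itself."""
    names = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return [t for t in names if t != "deletion_requests"
            and any(c[1] == "user_id" for c in db.execute(f'PRAGMA table_info("{t}")'))]

def naive_delete(db, uid):
    """Flawed delete path: flags the account, clears profiles, forgets billing_log."""
    db.execute("INSERT INTO deletion_requests VALUES (?)", (uid,))
    db.execute("UPDATE users SET is_deleted = 1 WHERE user_id = ?", (uid,))
    db.execute("DELETE FROM profiles WHERE user_id = ?", (uid,))

def audit_residual(db):
    """Return {table: rows} still held for users who asked for deletion."""
    findings = {}
    for t in user_tables(db):
        n = db.execute(f'SELECT COUNT(*) FROM "{t}" WHERE user_id IN '
                       "(SELECT user_id FROM deletion_requests)").fetchone()[0]
        if n:
            findings[t] = n
    return findings

def purge(db, uid):
    """Delete the user's rows from every table the schema scan finds."""
    for t in user_tables(db):
        db.execute(f'DELETE FROM "{t}" WHERE user_id = ?', (uid,))

if __name__ == "__main__":
    db = build_demo_db()
    naive_delete(db, 2)
    print(audit_residual(db))   # flagged account row and missed billing rows
    purge(db, 2)
    print(audit_residual(db))   # nothing left for the deleted user
```

This checks live rows only; backups, logs and freed disk blocks need their own checks.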
Giant Internet companies like Facebook and Google, each with well more than a billion users, possess a staggering amount of information about us, often without us even understanding the scope and scale of what they know. Both companies say they let users have control over their personal data.
Google, for example, recently launched its new My Account tools, which provide “quick access to the settings and tools that help you safeguard your data, protect your privacy, and decide what information is used to make Google services work better for you.”
For its part, Facebook offers a number of tools for deleting accounts or individual posts, and its terms of service promise that deleted data will actually be wiped, though not necessarily right away.
A bigger problem in the case of Google and Facebook is that despite the tools both have made available, many users have little or no idea how to utilize them. Although they are available by following simple links, it’s not really in either company’s interest to go out of its way to promote them. Still, those companies make it easy compared to many others online.
Google and Facebook “don’t want you to delete your (information), so the options to do so are often buried deep in account settings,” Rosenblatt said. “It’s much harder, however, to get the site owners of less popular services that nevertheless may also have sensitive data to remove it.”
Threat research advisor Ferguson simply believes it’s a fool’s errand to ever expect personal information to be permanently and completely removed.
“You’d have almost as much luck standing on one leg and barking at the moon,” said Ferguson. “There is no such thing as 100% security, and that’s a fact. Even when people try to put in the best security in the world, there’s hidden vulnerabilities. They call it software because it’s soft.”