Back in July the infamous website Ashley Madison, which facilitates marital infidelity, was hacked by a group calling itself Impact Team, and the personal details of millions of subscribers around the world were compromised. The hackers demanded that the self-described “most famous name in infidelity and married dating” should be shut down, or all of the stored user data would be leaked to the public. As the site refused to shut down, the hackers kept their promise and have released a torrent file with over 9 gigs of information including names, emails and (allegedly) bank details, although this is disputed by the site’s operators.
Impact Team released the information with an announcement blaming the leak on Avid Life Media (ALM), the firm behind Ashley Madison, claiming that they were guilty of lying to their customers by creating fake female accounts.
This is a morality play for the digital era, with interesting ethical questions being discussed online. The news of the hacking incident have been met with a mixture of victim blaming and shadenfreude. It is indeed difficult to muster sympathy for cheaters, and ALM have not really covered themselves in glory. However, the arguments by Impact Team justifying the breach are very weak. They are saying that ALM lied to its customers because it has not enough women and a lot of profiles are fake. So they hacked the site and leaked the information, potentially ruining the lives of hundreds of thousands of people to punish that slight in an act of disproportionate vigilante justice.
Beyond the moral considerations, the case has uncovered some interesting legal issues. The first is that of the legality of the hack. This is actually quite straightforward. Ashley Madison has its offices in Toronto, and Canadian law has criminal penalties for unauthorized use of a computer (s 342.1 of the Canadian Criminal Code). Because the leak has affected citizens from various countries, prosecutors in several jurisdictions could be able to pursue the hackers if they are ever identified. For example, there are hundreds of thousands of affected users in the UK, and this action is a criminal offence under s1 of the Computer Misuse Act. Many other countries have similar anti-hacking provisions.
It would be easy to assume that the hackers will never get caught, so the affected users will have little legal recourse, other than perhaps suing Ashley Madison for negligence. The torrent file is out there, there is nothing else to do. However, Ashley Madison appears to be using an interesting weapon to remove the data. Copyright law.
Journalist Joseph Cox posted several tweets with some screenshots from the leaked data, and he reports that he soon received a DMCA notice from Twitter that it had removed the offending posts due to a copyright complaint from the authors. Cox explains the content of the removed tweets:
“The first tweet included a partial screenshot of an apparent floor plan of the Avid Life Media office. This was removed by Twitter.
But the DMCA request also asked for another two to be removed. One was a heavily censored screenshot of a spreadsheet which details the shareholders of the company and the percentile of shares they own. The screenshot did not include any names, figures, or other data, but simply the headers of two columns. Another screenshot showed the column headers of a spreadsheet detailing the company’s bank accounts. No actual bank data was included. Twitter apparently did not remove these two tweets.”
Needless to say, I think that this is a completely over-reach from ALM, at least in the two tweets dealing with table header screenshots. But beyond that, the incident poses several questions that need answering.
Firstly, does Ashley Madison have copyright over their data? This may sound like an inane question, but it is vital in order to determine whether they can make copyright claims such as the one posted above. Interestingly, this is a very complex area of law because it is dependent on jurisdiction. The US and Canada do not protect databases under copyright (see Feist and Tele-Direct respectively), while Europe has its own sui-generis database protection regime. Moreover, in some countries, such as the UK, databases may be protected under copyright if the selection and/or arrangement of the contents of the database are deemed original, but the threshold for such protection is very high (see Football Data Co). Therefore, it would be a fair assumption to make that ALM does not have any copyright over the database, and so they cannot make any claims for removal based on copyright. This includes copyfraud DMCA requests.
Secondly, even if we assume the existence of copyright on the database, can ALM even make a DMCA claim in this situation? They are based in Canada, and Joseph Cox is in Europe. So why involve a strictly American enforcement mechanism? This is an excellent example of the insidious nature of DMCA take-down requests and how they internationalise US copyright law. Most large Internet intermediaries are based in the United States, and they need to have a take-down procedure to qualify to a safe harbour giving them a limitation of liability for content posted by third parties. Companies like Google, Facebook and Twitter all have DMCA forms. Here is the kicker, you don’t need to be a US citizen to take advantage of the procedure. Just looking at 5 recent DMCA requests logged in Chilling Effects, there were 2 from the Netherlands, two from France, and only one from the US.
I happen to empathise with Ashley Madison users. Given that most of the people who registered seem to be men (86% according to the data), one could argue that the site was not very efficient in achieving actual cheating. It is also possible that even if cheating did take place, it could lead to serious consequences in some countries. Furthermore, ALM did not verify emails, so it is perfectly possible that there will be people on the site who never registered, or have been included maliciously or as a joke. As Glen Greenwald eloquently postulates in a recent article, the Ashley Madison leak has uncovered a puritanical streak that justifies this blatant breach of personal privacy. However, we cannot allow this incident to further bad copyright law. To try to stop the leaks using dubious DMCA procedures does not help any of the victims.
Maybe this is a job for the Right to Be Forgotten?