
The Ashley Madison Scandal: It’s About More Than Infidelity


About The Author

Rachel Dean (Regular Writer)

Rachel graduated from the University of Leicester with her LLB European Hons in 2010. She is now a trainee solicitor at Lockett Loveday McMahon in Manchester and is due to qualify in May 2016. Her interests lie predominantly in commercial law.

Scandals are something that societies have relished for decades and ours is no different. The recent hacking of alternative dating site Ashley Madison with thousands of users’ details spread across the internet has been one of the most controversial media events of the year. Its impact on the individuals concerned and the company are already apparent; what is not yet clear is the wider impact the hack will have.

The dubious moral compass of all those involved has meant that discussion, blame and vigilantism have been rife in the media. But ultimately the scandal has exposed – or reiterated, depending on your perspective – the issue of internet privacy and its vulnerability to attack and manipulation. It has shown that now, more than ever before, compromised data compromises goodwill, and this is something all businesses, large and small, will now need to carefully consider. It was said in 2012 by the then director of the FBI, Robert Mueller, that there were only two types of companies: ‘those that have been hacked and those that will be’.

Some three years on from that quote, will this hack be like opening Pandora’s Box: will it cause a fundamental shift in the way in which we use the internet or is that pure hyperbole? And where do the lines of morality and law merge on such topics?

Going back to her roots

Ashley Madison is a Canada-based alternative dating website coming under the parent company Avid Life Media. I label it “alternative” because it is not like standard dating sites. This one is designed with married individuals in mind and targets those who are looking for a discreet extra-marital affair with someone in a similar position. It was created in 2001 and officially launched in January 2002 by Noel Biderman who, until 28 August this year, was its chief executive officer. The site claims to have 39 million members internationally, with 1.2 million in the UK alone.

Whilst the site’s Frequently Asked Questions section says ‘No, Ashley Madison does not encourage anyone to stray. In fact, if you are having difficulty with your relationship, you should seek counselling’, it goes on to state that if an affair is what you need, they have the goods [my paraphrase]. Now, please do not get me wrong, I do not agree with what Ashley Madison purports to be a successful business model, but morals aside, the crux of the issue is the leak of the site’s members’ information. Unfortunately, despite what the FAQs and most of the other blurb on the site suggest (‘[a]t Ashley Madison…you never compromise your safety, privacy or security and will never have to reveal your identity unless you choose to’), a shocking revelation of identities was exactly how things unfolded.

Information Exposed

Beginning in July this year and still making the news months later, the infamous hack was carried out by a group calling itself the Impact Team. Whilst two other sites, Cougar Life and Established Men (both owned by Avid Life Media), had their data compromised, it was Ashley Madison which suffered the biggest shockwaves. Originally releasing just 40MB of data including credit card details and Avid Life Media documents, the hackers threatened further information releases if the sites were not shut down. The hackers’ main contention seemed to be the fact that Ashley Madison charges a fee of £15 for a ‘full delete’ service which was not in fact being carried out, leaving details of hundreds of previous members available on the site. The hackers then went on to open the floodgates by sharing personal accounts via a list of members on the internet.

With various fake accounts and dud email addresses released on the list, there was some scepticism that the hack had caused much damage at all. However, the most recent news stories have centred on suicides in Canada occurring as a direct result of the information leak, with other US members, formerly in the spotlight, choosing to publicly apologise and accept the consequences of their actions.

Does morality come into it?

Whilst I will explore the legalities of the hack and the ramifications for internet technology and cyber protection below, I wish to discuss briefly the vast morality content in many of the articles, blogs and posts I have seen on the issue and ask whether they have a point.

In the first media waves of the leak there were some calling it poetic justice or divine retribution and maybe they were right to do so. As a Christian myself, I hold a view that marriage is intrinsically special and should be valued. That when a couple says ‘I do’ in front of their family and friends, that vow should mean a great deal and be thereafter treated with reverence with both parties doing all they can to stay faithful. As such, I do find the whole premise of Ashley Madison and what it stands for morally wrong. I also find it hard to understand why anyone would sign up to a site offering what Ashley Madison does; I appreciate that marriage is not easy and that couples sometimes struggle.

I also know that not one of us is perfect, whether married or not. I admit at first feeling perhaps a little smug at the thought of ‘cheaters’ being exposed but on a deeper analysis and consideration of the matter that is simply not right. For one, it is very likely that some of the members whose details have been exposed have never actually cheated on their spouse. But even with regards to those who intentionally joined for an affair, as a lawyer and even more so as a fellow human I have no authority to judge. This is because, much like in the Bible where Jesus invites ‘him without sin to cast the first stone’ at the woman who had committed adultery, we all make mistakes. We have all said, emailed or texted something that we hope never comes out or done something we hope no-one ever finds out about.

So no, morality should not come into it. It was personal, confidential information and held as such by Ashley Madison. It was exposed and shared without consent. Regardless of the content, personal data like that should be protected.

The hacking within the context of English law

Though the Ashley Madison hack shocked many here, it was not the first time that something of that nature occurred on our soil. In June 2014 we saw the media sensation of the phone hacking case involving the News of the World come to a head in a trial at the Old Bailey, in which Andy Coulson was found guilty of hacking and sentenced to a maximum of two years in prison whilst Rebekah Brooks walked free. Over Christmas of the same year, many families and computer game enthusiasts were affected by a hack of Sony and PlayStation by a group calling themselves ‘Lizard Squad’, who despite prosecutions continue to carry out attacks. More recently, WH Smith was in the news for a technical issue which caused hundreds of customer contacts to be disclosed. It is therefore unfortunately not a new phenomenon. The legal framework to combat it has not quite developed as quickly as the technology-savvy hackers and, it is fair to say, still takes a piecemeal approach.

This article makes a hypothetical assumption that those involved are prosecuted in the UK and that English Data Protection law applies to the case.

In terms of criminal law, there are a couple of pieces of legislation in the UK, one being the Computer Misuse Act 1990 (CMA). The CMA was introduced in August 1990 as a reaction to the developing scope of the internet. It introduced three offences into the criminal law of the UK:

  1. unauthorised access to computer material,
  2. unauthorised access with intent to commit a further offence, and
  3. unauthorised modification.

Anyone found guilty of an offence under the CMA faces a maximum penalty of six months’ imprisonment and a £2,000 fine. It is undeniable that if tracked down and prosecuted, the hackers of Ashley Madison would be found guilty of an offence under this legislation.

The other UK law which could be utilised for criminal prosecution of the Ashley Madison hackers is the Terrorism Act 2000. This piece of legislation covers situations where the threat of an action is designed to seriously interfere with or disrupt an electronic system on the conditions that:

  1. it is designed to influence government or intimidate the public or a section of the public and
  2. it is made for the purpose of advancing a political, religious or ideological cause.

It seems clear the Ashley Madison hackers’ action was designed both to influence the public at large and to intimidate that section of the public who had signed up and were potentially willing to have an affair. They directly stated they were acting for an ideological and moral cause. It is obvious therefore that the hack would come within the confines of these criminal offences.

However, the other element of the matter has to do with Ashley Madison’s own protection of the information. The Data Protection Act 1998 (DPA) governs the protection of personal data in the UK and, through 8 principles, dictates how personal data should be obtained, held, processed and destroyed. Arguably Ashley Madison would be found liable for various breaches of the DPA in light of how the information was held and protected, and certainly in relation to the aforementioned “full delete” service, which Ashley Madison was clearly abusing. In the UK, a breach of the law in this area can lead to a £500,000 fine from the Information Commissioner’s Office (ICO), the body which regulates data protection. Most recently, the ICO issued a £200,000 fine to a green energy company for nuisance calls, and back in 2012 an NHS Trust received a £325,000 fine for data protection breaches after patient details were discovered on hard drives sold on the internet at auction. Unlike other regulatory bodies, it is clear that the ICO have some sharp teeth and are not afraid to use them, even in circumstances where there was no intention to harm.

So, it was illegal under English Law…what now?

Whilst there is no doubt that what the hackers did was illegal, at least in the UK, in spreading member information across the web, the issue is tracking the individuals down in order to prosecute them.

With members spread far and wide it is not surprising that there has already been a lawsuit filed in Los Angeles accusing the company of negligence, invasion of privacy and emotional distress and seeking unspecified damages. In Canada too, Avid Life Media was sued recently in a class-action suit seeking $760m in damages.

Remedies for UK members

For the 1.2 million users of Ashley Madison in the UK, it seems legal claims are also likely to start appearing. They may however face a hurdle or two…

In an ideal world, aggrieved members of the site would have an injunction claim to protect their privacy as the hack was a clear breach of their Article 8 rights under the European Convention on Human Rights (ECHR) and schedule 1 of the Human Rights Act 1998 (HRA) – ‘everyone has the right to respect for private and family life, home and correspondence’. Whilst Ashley Madison’s T&Cs have attempted to exclude all liability for any privacy breach, it is highly likely that, as is common with extremely wide exclusion clauses, they would be found to be void for unreasonableness.

Jurisdictionally too, law firm Collyer Bristow suggests claimants may struggle. Avid Life Media is Toronto based but the law of the Republic of Cyprus governs the T&Cs. As Cyprus is in the European Economic Area (EEA), the company could face claims issued in the EU, the UK obviously being a member state.

Further, even if UK based members could successfully issue against Ashley Madison, there is no stand-alone claim for ‘invasion of privacy’ in the UK, to comply with the ECHR and the HRA. Instead, the UK courts have been seen to extend the law relating to breach of confidence in order to protect privacy rights.

Fortunately, there does now seem to be a light at the end of the tunnel for prospective UK claimants. The ground-breaking decision of the Court of Appeal in Google Inc. –v- Judith Vidal-Hall and Others (Vidal-Hall) earlier this year follows other well publicised cases such as the 2003 case of Wainwright –v- Home Office and Campbell –v- Mirror Group Newspapers from 2004 in tackling the issue of misuse of private information and invasion of privacy.

For a detailed account of the Vidal-Hall case, please see Chris Bridges’ article on KCTL, but in brief: the claimants were seeking damages for anxiety and distress in respect of their claims for misuse of information and/or breach of confidence stemming from the damage to their personal dignity, autonomy and integrity. Sounds familiar! The Court of Appeal held that misuse of private information is a tort for the purposes of paragraph 3.1 (9) of Practice Direction 6B of the Civil Procedure Rules, disapplying section 13 (2) of the DPA so that ‘damage’ now extends to mere distress rather than being reserved for monetary loss. As the recent decision only upheld a High Court decision to allow the claimants to bring the claims in England in spite of the defendant being US-based, the case has yet to reach trial in the UK and is unlikely to do so for some time, given the further appeal to the Supreme Court. The level of damages can therefore only be speculated upon for the moment.

This signals, however, an opening of floodgates for claims against data controllers and certainly seems to be a green light for potential claimants against Ashley Madison. Indeed, Luke Scanlon, a solicitor at Pinsent Masons, estimates a £1.2 billion legal bill if all the UK based users of Ashley Madison sued for distress and claimed even £1000 of compensation each. At 16 times the company’s revenues, that would be enough to make the company instantly bankrupt.

Then there are the divorce cases stemming from the hack. Family lawyer Nigel Shepherd of national firm Mills and Reeve revealed recently that a married British woman had sought his advice following the exposure of her husband’s infidelity through the site. And Shepherd seems to think the divorce work from the scandal will keep coming for a while yet: ‘if someone finds out if their partner is set up on a site which exists wholly for facilitating adultery, it’s hardly surprising they are taking advice about it.’

For some of those outside the UK the hack has not only jeopardised marriages, but has also threatened their lives. Members resident in Saudi Arabia who were exposed as gay through the information leak, for example, feared the death penalty.

Life after Ashley

Despite the actual hack occurring back in July, the news still regularly contains some feature relating to the scandal or its implications. It has had significant consequences for the individual members, the company and wider society too and I think there are real lessons to be learned from it.

Companies will now have to give some careful consideration to their data protection systems and privacy rules. Indeed, there have been various articles, within the wider press but also the legal press, about how businesses can avoid or, in the worst case scenario, manage a data breach.

In an article on The Lawyer website, Schillings partner Magnus Boyd identifies seven principles for an effective data breach response, these being: 1) Preparation; 2) Speed of response; 3) Taking responsibility for managing the containment and recovery process; 4) Understanding; 5) Communication; 6) Consistency; and 7) Boldness. Whilst he notes the reputational damage may linger, the improved security measures a breach prompts can ‘instil faith and cultivate customer goodwill’. I consider that Boyd’s analysis through these seven principles is comprehensive and, indeed, a good model for businesses to work from. It may be that some businesses adopt these sorts of principles within risk management policy but many more I am sure will ignore the issue believing it will never happen to them.

Conclusion

It seems to me (from a perspective as one with limited technological insight) that Robert Mueller was right when he said ‘the more connected we become, the greater the risk to all of us’.

Technology has pervaded almost every aspect of life in 2015 and as a global society we are more connected than we have ever been, this even beginning to extend to our ‘things’ too – see Matt Bogdan’s September Keep Calm Talk Law article. The benefits of this are undisputed, but we need to learn from events such as the Ashley Madison hack.

As individuals, perhaps we should be more careful where we put our information and how much of our personal details we share, on the basis that with the right know-how and little else it is fairly easy to find out anything about anyone in a few clicks. For business too there are lessons to be learned. Information, regardless of its content and especially when deeply personal, should be carefully guarded. Yes, to protect the customers it relates to, but also to defend the goodwill and reputation of the business. I have no doubt that there will continue to be those who hack for information, whether for ideological reasons or simply for the thrill. There will therefore also continue to be those who get hacked, individuals and companies alike. Hopefully the media sensation of the Ashley Madison scandal will help us all be forewarned and forearmed in the future.
