Ashley Madison is a website devoted to facilitating adultery. That is literally their customer base – married individuals seeking to cheat on their spouses. Their trademark slogan is, “Life is short. Have an affair.” They further self-describe their operation as, “… the most recognized name in infidelity …” A widely reported breach resulted in a still-disputed number of records being exfiltrated from Ashley Madison’s servers. (See Krebs, “Online Cheating Site AshleyMadison Hacked”, http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/, retrieved 2015-07-23). The situation is still developing, but I summarize and cite pertinent information here and also examine the company’s use of copyright takedown notices as part of its containment strategy.
“Impact Team” claims credit for the breach, and is threatening to release the incriminating corpus should Ashley Madison and its parent company Avid Life Media not immediately shut down operations. (See Id.)
The responsible parties reportedly released the first records as a warning yesterday. (See CBS, “Hackers expose first Ashley Madison users”, http://www.cbsnews.com/news/hackers-expose-first-ashley-madison-users/, retrieved 2015-07-23). Whether this will be a prelude to a full distribution remains to be seen, but as of now the company seems to still have some chance of containing the breach – the chance at containment will quickly evaporate if a torrent drops. (See Ragan, “Ashley Madison hack exposes IT details and customer records”, http://www.csoonline.com/article/2949902/vulnerabilities/ashley-madison-hack-exposes-it-details-and-customer-records.html, retrieved 2017-07-23 (noting a limited release of approximately 40MB of data as a proof of claims)).
The company’s public statement on Monday was very measured and was limited to confirming the breach, denouncing the attack as “cyber terrorism”, and confirming they have a forensics team investigating the incident. (See “Statement From Avid Life Media Inc.”, http://www.prnewswire.com/news-releases/statement-from-avid-life-media-inc-300115394.html, retrieved 2015-07-23).
These sorts of measured responses are typical in breach situations, especially where investigations are ongoing, and there is a good reason for them. Making false promises or misstating the facts can worsen the problem from a liability perspective. At minimum, public statements will be used against a company in any future litigation, especially where the statements are not truthful. Further, regulatory authorities like the FTC and state governments are increasingly holding companies to their public promises and representations about privacy and security. (See “FTC Takes Action Against LifeLock for Alleged Violations of 2010 Order”, https://www.ftc.gov/news-events/press-releases/2015/07/ftc-takes-action-against-lifelock-alleged-violations-2010-order, retrieved 2015-07-23 (claiming the company made false claims about its identity protection offerings); See also “Start with Security: A Guide for Business”, https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business, retrieved 2015-07-23 (explaining lessons learned and common issues from numerous FTC data breach settlements)).
Unfortunately, the measured corporate press releases are not being followed by the customer service representatives, as The Guardian reports. (See Hern et al., “Ashley Madison customer service in meltdown as site battles hack fallout”, http://www.theguardian.com/technology/2015/jul/21/ashley-madison-customer-service-meltdown-hack-fallout, retrieved 2015-07-23 (noting conflicting representations that the site was not hacked, the size of the hack was minimal, or that payment information was not compromised)).
Copyright Takedown Notices
Ashley Madison’s official press release indicates they are submitting DMCA takedown notices as part of the remediation strategy. (See “UPDATE FROM AVID LIFE MEDIA, INC.”, http://media.ashleymadison.com/update-from-avid-life-media-inc/, retrieved 2015-07-23). Specifically, the company notes:
“Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online. We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter.” (See Id.)
What they are referring to (I presume) is what are commonly called “DMCA Takedown Notices”, which are part of the safe harbor provisions of the Digital Millennium Copyright Act, specifically section 512. That section provides limitations on copyright infringement liability for third-party hosts (such as internet websites), which is especially important because statutory copyright damages are severe. 17 U.S.C. 512(c)(3) provides for notices to service providers of infringing content, which obligate them to remove the content (or lose the safe harbor protections).
Those notices require that the person submitting them verify that they actually own the copyright in the content or are representing the owner. Material misrepresentations about whether material is infringing result in liability for, “any damages, including costs and attorneys’ fees, incurred by the alleged infringer, by any copyright owner or copyright owner’s authorized licensee, or by a service provider, who is injured by such misrepresentation, as the result of the service provider relying upon such misrepresentation in removing or disabling access to the material or activity claimed to be infringing, or in replacing the removed material or ceasing to disable access to it.” (See 17 USC 513, http://www.copyright.gov/title17/92chap5.html#512, retrieved 2015-07-23).
Now, Ashley Madison certainly owns copyright in some of the types of materials that were reported to have been leaked (such as diagrams and documentation of their internal IT systems), but their press release sounds like they are going beyond what they are permitted to assert. If the breach is as described, some of that material is user-generated, and thus the copyright would be owned by the user, not the company. The company does, in their terms, vaguely address some copyright issues:
“17. COPYRIGHT POLICY
The Service contains information, which is proprietary to us, our partners and our users. We assert full copyright protection in the Service. Information posted by us, our partners or users of the Service may be protected whether or not it is identified as proprietary to us or to them. You may not post, distribute, or reproduce in any way any copyrighted material, trademarks, or other proprietary information without obtaining the prior written consent of the owner of such proprietary rights.” (See Terms and Conditions, https://www.ashleymadison.com/app/public/tandc.p?am_utm=0&utm_logged=1?c=1, retrieved 2015-07-23).
It is not clear what “full copyright protection in the Service” means in the context of the preceding sentence, which observes that the “Service” contains information proprietary to the users. However, under 17 U.S.C. 204, transfers of copyright ownership (other than, “by operation of law”) must be in writing and signed by the owner or owner’s agent to be valid.
Further, some types of information allegedly breached would not be copyrightable – transactional data would seem to come under this category as lacking a “modicum of creativity” under Feist. (See U.S. Copyright Office, Report on Legal Protection for Databases, http://www.copyright.gov/reports/dbase.html, retrieved 2015-07-23 (discussing the seminal Feist case and successive jurisprudence in the context of databases)).
So, overzealous assertion of copyright is a distinct possibility here, but I have not been able to find specifics of who was noticed, what was identified, and the extent of the notice. Copyright law is a very technical subject shaped, in part, by treaties such as the Berne Convention and our own constitution. The DMCA notice-takedown regime has been significantly criticized for its abuse potential for censorship, but if the data breached from your company meets the criteria, it is arguably a valuable tool for initial containment.
Ashley Madison can be credited for its swift response. Having a data breach response plan in place is vital to any corporate risk management strategy, especially if your company’s data, ahem, assets make for a scandalous headline.