Ashley Madison – Adulterous Data Breach and Copyright Takedown Notices

Ashley Madison is a website devoted to facilitating adultery. That is literally their customer base – married individuals seeking to cheat on their spouses. Their trademark slogan is, “Life is short. Have an affair.” They further self-describe their operation as, “… the most recognized name in infidelity …” A widely reported breach of their servers resulted in a still disputed number of records being exfiltrated from Ashley Madison’s servers. (See Krebs, “Online Cheating Site AshleyMadison Hacked”, http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/, retrieved 2015-07-23). The situation is still developing, but I summarize and cite pertinent information here and also examine the company’s use of copyright takedown notices as part of its containment strategy.

Data Breach

“Impact Team” claims credit for the breach, and is threatening to release the incriminating corpus should Ashley Madison and its parent company Avid Life Media not immediately shut down operations. (See Id.)

The responsible parties reportedly released the first records as a warning yesterday. (See CBS, “Hackers expose first Ashley Madison users”, http://www.cbsnews.com/news/hackers-expose-first-ashley-madison-users/, retrieved 2015-07-23). Whether this will be a prelude to a full distribution remains to be seen, but as of now the company seems to still have some chance of containing the breach – the chance at containment will quickly evaporate if a torrent drops. (See Ragan, “Ashley Madison hack exposes IT details and customer records”, http://www.csoonline.com/article/2949902/vulnerabilities/ashley-madison-hack-exposes-it-details-and-customer-records.html, retrieved 2017-07-23 (noting a limited release of approximately 40MB of data as a proof of claims)).

The company’s public statement on Monday was very measured and was limited to confirming the breach, denouncing the attack as “cyber terrorism”, and confirming they have a forensics team investigating the incident. (See “Statement From Avid Life Media Inc.”, http://www.prnewswire.com/news-releases/statement-from-avid-life-media-inc-300115394.html, retrieved 2015-07-23).

These sorts of measured responses are typical in breach situations, especially where investigations are ongoing, and there is a good reason for them. Making false promises or misstating the facts can worsen the problem from a liability perspective. At minimum, public statements will be used against a company in any future litigation, especially where the statements are not truthful. Further, regulatory authorities like the FTC and state governments are increasingly holding companies to their public promises and representations about privacy and security. (See “FTC Takes Action Against LifeLock for Alleged Violations of 2010 Order”, https://www.ftc.gov/news-events/press-releases/2015/07/ftc-takes-action-against-lifelock-alleged-violations-2010-order, retrieved 2015-07-23 (claiming the company made false claims about its identity protection offerings); See also “Start with Security: A Guide for Business”, https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business, retrieved 2015-07-23 (explaining lessons learned and common issues from numerous FTC data breach settlements)).

Unfortunately, the measured corporate press releases are not being followed by the customer service representatives, as the Guardian reports. (See Hern et al, “Ashley Madison customer service in meltdown as site battles hack fallout”, http://www.theguardian.com/technology/2015/jul/21/ashley-madison-customer-service-meltdown-hack-fallout, retrieved 2015-07-23 (noting conflicting representations that the site was not hacked, that the size of the hack was minimal, or that payment information was not compromised)).

Copyright Takedown Notices

Ashley Madison’s official press release indicates they are submitting DMCA takedown notices as part of the remediation strategy. (See “UPDATE FROM AVID LIFE MEDIA, INC.”, http://media.ashleymadison.com/update-from-avid-life-media-inc/, retrieved 2015-07-23). Specifically, the company notes:

“Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online. We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter.” (See Id.)

What they are referring to (I presume) is what are commonly called “DMCA Takedown Notices”, which are part of the safe harbor provisions of the Digital Millennium Copyright Act, specifically section 512. That section provides limitations on copyright infringement liability for third-party hosts (such as internet websites), which is especially important because statutory copyright damages are severe. 17 U.S.C. 512(c)(3) provides for notices to service providers of infringing content, which obligate them to remove the content (or lose the safe harbor protections).

Those notices require that the person submitting them verify that they actually own the copyright in the content or are representing the owner. Material misrepresentations about whether material is infringing results in imposed liability for, “any damages, including costs and attorneys’ fees, incurred by the alleged infringer, by any copyright owner or copyright owner’s authorized licensee, or by a service provider, who is injured by such misrepresentation, as the result of the service provider relying upon such misrepresentation in removing or disabling access to the material or activity claimed to be infringing, or in replacing the removed material or ceasing to disable access to it.” (See 17 USC 513, http://www.copyright.gov/title17/92chap5.html#512, retrieved 2015-07-23).

Now, Ashley Madison certainly owns copyright in some of the types of materials that were reported to have been leaked (such as diagrams and documentation of their internal IT systems), but their press release sounds like they are going beyond what they are permitted to assert. If the breach is as described, some of that material is user-generated and thus the copyright would be owned by the user, not the company. The company does, in their terms, vaguely address some copyright issues:

“17. COPYRIGHT POLICY

The Service contains information, which is proprietary to us, our partners and our users. We assert full copyright protection in the Service. Information posted by us, our partners or users of the Service may be protected whether or not it is identified as proprietary to us or to them. You may not post, distribute, or reproduce in any way any copyrighted material, trademarks, or other proprietary information without obtaining the prior written consent of the owner of such proprietary rights.” (See Terms and Conditions, https://www.ashleymadison.com/app/public/tandc.p?am_utm=0&utm_logged=1?c=1, retrieved 2015-07-23).

It is not clear what “full copyright protection in the Service” means in the context of the preceding sentence, which observes that the “Service” contains information proprietary to the users. However, under 17 U.S.C. 204 transfers of copyright ownership (other than “by operation of law”) must be in writing and signed by the owner or the owner’s agent to be valid.

Further, some types of information allegedly breached would not be copyrightable – transactional data would seem to come under this category as lacking a “modicum of creativity” under Feist. (See U.S. Copyright Office, Report on Legal Protection for Databases, http://www.copyright.gov/reports/dbase.html, retrieved 2015-07-23 (discussing the seminal Feist case and successive jurisprudence in the context of databases)).

Final thoughts

So, overzealous assertion of copyright is a distinct possibility here, but I have not been able to find specifics of who was noticed, what was identified, and the extent of the notice. Copyright law is a very technical subject shaped, in part, by treaties such as the Berne Convention and our own constitution. The DMCA notice-takedown regime has been significantly criticized for its abuse potential for censorship, but if the data breached from your company meets the criteria, it is arguably a valuable tool for initial containment.

Ashley Madison can be credited for its swift response. Having a data breach response plan in place is vital to any corporate risk management strategy, especially if your company’s data, ahem, assets make for a scandalous headline.


The Hacking Team Data Breach in a Nutshell

I wrote briefly about the Hacking Team Data Breach yesterday in the context of data breaches generally. This is an interesting area of the law because of all the high profile breaches in the last couple of years, the upsurge in interest in cyber liability insurance products, and increasing numbers of regulatory regimes both domestically and abroad. The Sedona Conference Working Group 11 is in the process of drafting a number of documents related to all of this, so the Hacking Team breach occurs at an interesting time. This blog post is going to split into three points: (1) What was/is “Hacking Team”; (2) What was breached?; (3) What is the potential impact short and long term.

Hacking Team

Hacking Team is a company in Milan, Italy that produces a suite of tools for surveilling computers, internet communications, mobile communications, etc. Many people are familiar with remote access tools that include some old hat capabilities like key logging, screen grabbing, communication (email, instant messages, web browsing) interception, etc. You can find these kinds of products all over the internet, especially marketed towards the divorce and/or cheating spouses market. Those commodity commercial tools can be nasty to detect and get rid of, but are usually installed manually by the other spouse.

Hacking Team produces a product called “Remote Control System”, with the current version named “Galileo”. They literally advertise their product as “The Hacking Suite for Governmental Interception” in a super creepy Orwellian promotional video. The system uses a number of techniques, including 0day exploits, to infect computers and cellphones in order to carry out pervasive intelligence gathering. These capabilities have been written about and criticized for a number of years. (See Bruce Schneier, “More on Hacking Team’s Government Spying Software”, https://www.schneier.com/blog/archives/2014/06/more_on_hacking.html; Also see Morgan Marquis-Boire et al, “Police Story: Hacking Team’s Government Surveillance Malware”, https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/).

Keeping with the theme of aiming this article at the lawyer/layman community, I’ll tl;dr this. Hacking Team is a company that produces advanced malware for espionage and domestic intelligence operations. That malware is very advanced, and its customer base includes state actors. These are not the kind of people the Internet has warm fuzzy feelings about.

(Author’s note: I have a tendency to anthropomorphize the Internet when referring to the various communities, consensus, and social media collective phenomena that are, essentially, a global discussion and consensus opinion building.)


“Hacking Team”: Data Breach

Data Breach. The phrase itself carries a scent of panic that grows in magnitude the more such high profile events enter the public cognizance. They are hideously complex to deal with, legally and technically, and carry high costs in terms of money, liability, and reputation. The consensus is: don’t ask if you will be breached, ask when. No one should throw stones, because we all live in glass houses in the age of cloud computing, pervasive connectivity, Big Data, and the impending arrival of the “Internet of Things”.

No one is immune, not even security companies, and even sophisticated companies suffer cyber incidents. The most important thing a company can do is to have an action plan for responding to the breach including legal counsel, forensics incident response teams, and security consultants to minimize the damage and remediate the problem.

Case in point – I got a heads-up email last night from a forensics colleague regarding “Hacking Team”. The firm, which specializes in offensive cyber technologies and surveillance tools, suffered an incident resulting in the reported exfiltration of 400GB of its internal data, which is now being distributed across BitTorrent. It reportedly contains internal emails, business records, and even source code to some of its tools. This data trove contains information involving the company’s business dealings with state actors, among others. (See e.g. http://www.wired.com/2015/07/hacking-team-breach-shows-global-spying-firm-run-amok/; and See http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html)

This is a similar incident to what occurred with HBGary Federal in 2011, when its then CEO Aaron Barr ran afoul of the Anonymous group after claiming he could de-anonymize them. That company too suffered a massive breach of internal data and correspondence, and suffered a PR nightmare.


NOLASec – SilkRoad trial talk – plus recent developments

It has been a fairly long time since I last posted a blog entry (October 2013, ironically also about SilkRoad), but I anticipate posting more content in the near future. Last Wednesday (March 25, 2015) was the monthly NOLASec meeting where I gave a brief talk (it has been pointed out to me that my ‘brief’ talks end up having a 4:1 ratio between real time and the time I allegedly was limited to) on some legal and technical issues in the SilkRoad / Ross Ulbricht / Dread Pirate Roberts trial.

(My slide set can be found on my Academia.edu page: https://www.academia.edu/11741266/Legal_and_Tech_Analysis_of_SilkRoad_Trial)

One of the biggest challenges with discussing SilkRoad is the secretive nature of the investigation. When SilkRoad was shut down, and Ross Ulbricht was arrested as DPR, there was a lot of speculation that the SilkRoad servers were located through Parallel Construction in the wake of the Edward Snowden leaks. As I noted in my talk, the Icelandic-based server was the initial entry point into the SilkRoad infrastructure, and all of the resulting warrants and other court orders concerning the investigation cited it as the basis for their issuance (which led, e.g., to seizing backup servers in the US). The Defense initially sought to have the Icelandic server evidence and all other evidence gained as a result of its seizure suppressed under the Fruit of the Poisonous Tree doctrine. (The doctrine is essentially a public policy doctrine that disincentivizes law enforcement from playing fast and loose with constitutional protections by suppressing evidence obtained in an impermissible way.)

The hiccup, as the Court noted in its order denying the motion, is that the Fruit of the Poisonous Tree doctrine requires asserting a Fourth Amendment privacy interest, which cannot be asserted vicariously. That means, in order to move forward with that argument, Ross Ulbricht would have to admit to ownership of the servers, which would compromise his alternate-DPR defense theory. Because he did not assert such ownership, the Court did not reach the merits of his suppression argument, so we do not know how that would have played out.


Silk Road gets shut down

Silk Road was a particularly unfortunate example of good technology used for bad ends. It was a virtual black market for drugs, identity theft, and other crime. An affidavit from FBI special agent Christopher Tarbell hit the internet today which shed some light on how the FBI identified the alleged founder of Silk Road, Ross Ulbricht. Ulbricht was identified by correlating information common to his Google+ and LinkedIn profiles with internet posts made to Stack Overflow, server activity, YouTube video favorites, and other interesting tidbits. The lynchpin of the FBI effort, however, appears to be the seizure of servers from an unidentified foreign locale using the Mutual Legal Assistance Treaty. The affidavit does not give any information on how they located the physical servers given that Silk Road used Tor:

During the course of this investigation, the FBI has located a number of computer servers, both in the United States and in multiple foreign countries, associated with the operation of Silk Road. In particular, the FBI has located in a certain foreign country the server used to host Silk Road's website (the "Silk Road Web Server"). Pursuant to a Mutual Legal Assistance Treaty request, an image of the Silk Road Web Server was made on or about July 23, 2013, and produced thereafter to the FBI. (Paragraph 22, Page 14).

I am hoping the FBI made some really awesome break on their own or that Ulbricht slipped up, but cannot help but wonder if the shadow of “parallel construction” may ultimately have fallen over the road. This is certainly plausible given recent incidents involving deanonymization attacks against the Tor network, and other recent news coverage raising concerns about government efforts against it. Hypos aside, I would love to know the details on how they identified the server location.
