What Can We Learn From Ashley Madison?
Brooke: This is On the Media, I'm Brooke Gladstone. The website Ashley Madison has the tagline "life is short, have an affair", and it's aimed at people who want just that.
Clip of Noel Biderman: Well, to us, the perfect affair is meeting someone and not being discovered.
Brooke: CEO Noel Biderman made a vow of security last year.
Clip of Noel: So everything we do from the moment you sign up is all about the discretionary part of it.
Brooke: But come on, this site is built on broken promises. This week it was hacked by something called the Impact Team, demanding that Ashley Madison be taken down. The Impact Team claims to have information on 37 million accounts. Names, addresses, photos, credit card numbers, sexual fantasies; the works, which it will release unless the site is removed.
The hackers say that they're doing this because Ashley Madison charges $19 to completely delete their users' information, but then it doesn't do it, it lies. And also, its users are skeevy. Ashley Madison's parent company, Avid Life Media, says it's the hackers who are lying. Paul Ford is a programmer and writer who pondered the hack this week on Medium. Such hacks, he says, follow a typical sequence. One, a massive company fails to secure your data and someone steals it. Two, the breach is discovered, either by internal audit or when the data is released. Three, you get a letter from the company saying that it takes security very seriously and is giving you free credit monitoring for a couple of years. But this latest hack is different.
Paul Ford: The Ashley Madison hack, this is more like one, the massive company did not secure data, two, you only see your kids on weekends.
Brooke: Before you started writing about the Ashley Madison hack, you had a conversation with your wife?
PF: I was gonna write about this thing and I was like "oh my god what if she's a member?", like I don't want that to come out later, I should check in first. And she's like "what are you even thinking", so it was a good moment for us. Probably less of a good moment for other people, it is a big group of human beings who all have one single bead of sweat coming down their forehead right now. It's easy to laugh at them but people have their own arrangements and their own deals. If you're a person who had a bad patch in your marriage or whatever this is a situation that sucks.
Brooke: You point out that this is just the latest chapter in a series of significant online privacy violations. Two summers ago you had the Ed Snowden NSA revelations. Last summer the hacked photos of nude celebrities. November's hack of Sony. This month, an organisation called Hacking Team, that sells intrusive hacking capabilities, was itself hacked. And then of course, we all know about the Target and Home Depot and eBay and JP Morgan and the government hacks. What does this all mean, Paul?
PF: I think it means two things. It's very very hard to build private secure services that are connected to the global internet. And I think everybody sort of admits we're doing it wrong but it's really hard to do it right. And the second thing is, there's a real incentive not to build them right to get as much information about everyone as possible for these big services, because if you're Ashley Madison, or anybody, you get those 37 million names. That's almost like direct mail back in the day, you can market to those 37 million people. They show up, you know a little something about them, their address.
B: Their sexual fantasies in the case of Ashley Madison.
PF: Exactly, so imagine the Amazon products and the affiliate links that you can promote based on that information.
B: You wrote that at its heart, this problem with protecting our data stems from, essentially, a conflict between the centralized and decentralized internet, and that we've always been at one end or the other, swinging like a pendulum.
PF: When the web got going, you just gave somebody some money, you got an account and you put up a webpage. And people didn't know who you were, that was the joke, nobody knows you're a (this word was too unclear). The thing about the decentralized services is that they don't really require you to truly identify yourself and they're very disruptive. Napster was a good example. Napster shows up and it really freaked out the music industry. Or BitTorrent and so on and one of the reasons we have I think things like Netflix or Spotify is as a reaction to those decentralized services that were pretty anonymous.
B: And also functioning in violation of copyright rules, right?
PF: Exactly. People weren't super excited about giving all of their intellectual property over to Apple but it was a better solution than letting anyone download it whenever they wanted it. The way that the internet has been going is there are these great, huge decentralizing moments and then people start to figure out like "I'll get someone to set up a username and an account and then I'll get a little more information about them" or "I want them to do their online banking with me" or whatever so you form these very central points which have millions of users.
B: Because they're enormously convenient.
PF: And they're enormously profitable if they're done right.
B: Now, decentralized data storage, as you mentioned, ensures greater anonymity but can also lead to anonymously trading child porn, buying drugs online, intellectual property theft. Now centralizing data is more convenient, but it leads to these massive hack attacks. That's really simplifying things. But it's essentially a rock and a hard place situation, right? Is there no middle option?
PF: See, I read this book in 2002 called Translucent Databases by a guy named Peter Wayner. It's a short book and it just describes an approach to obscuring data inside of a database so that it's still useful in some ways. You might know the zip code but not know the street address and so on. The user of the website, they might have full access to it. They can update their name, they can change their address, whatever. They can make decisions about how they want that information to be used as well, but what it really does is scramble the eggs. It's an approach to just hiding and obscuring as much by default as possible, adding lots of garbage and then hashing that all together into a big mess.
B: So this idea has been around for a while but these big centralized sites have not picked up on it, I assume because it runs counter to their desire to market the information they've assembled or to market to their customers.
PF: I work for big clients building websites like they do not ask for this. It's gonna make your marketing strategy more difficult, it's gonna make all kinds of things more difficult for you.
B: And meanwhile the web is becoming more centralized and more hackable. In 2001, the top 10 websites made up 31% of US page views. In 2006, the top 10 made up 40%. In 2010, it made up 75% of US page views. So, we're just heading into hackers' heaven.
PF: The good news here is that the big companies like Google or Twitter, they have really good security teams. As good as it gets. But, there are points of vulnerability in the system and sometimes one of these big companies is a point of vulnerability itself. Like if you can get into somebody's Gmail then you can get into their Twitter then bam, you've got the keys to the kingdom. So, what we want to do, actually, is create many, many, many more keys. You're never gonna be able to lock everything down completely, but if you make it that instead of one key to unlock everything, there are thousands of millions of keys to unlock individual pieces of that database, you might be in a better place.
B: Yeah, but we've discussed this with countless guests on the show in the last several years. Nothing changes except that the trespasses become more egregious and the market for credit checks and reputation management services have expanded.
PF: Look, maybe 37 million individuals having their sex lives suddenly exposed to the world would be something that would cause people to start to take security more seriously, but we give all the secrets away right now to these giant companies. Google just released a thing that lets you look at where you've been on the map. And they're like "don't worry it's private", but there it is. And what I saw was that I never go anywhere. Again, you're back in that Ashley Madison zone where you're like "oh, now I have something else to keep secret". I think that's the drag of it, right? There's always something else, you have to worry about people trying to grab your stuff. I have emails going back a long time, I'm starting to wonder (if) maybe the best thing to do is erase my own history, just get rid of it. Maybe that's the only way out for us right now, just to start to travel a little bit lighter, throw stuff away, have less digital footprint.
B: Is there something significant about the Ashley Madison hack? Is it merely salacious, or does it suggest that this whole buzz moves closer and closer to our hearts of darkness?
PF: A big chunk of North America gave its most intimate sexual details to some company in Toronto, and I'm presuming it was a little bit because it had those ads where someone would be holding their finger in front of their lips. It said it was secret. I think we're just seeing what happens when primate behavior meets services that deal with tens of millions of people like this looks like. Men's sexual privacy is a sacred right in our culture, and suddenly these hackers have thrown that into question.
B: So we're recording on Wednesday afternoon. We don't know yet whether or not the Impact Team will release the user data. If it does, what do you expect?
PF: I was thinking about this. Media organisations could go in and search around and look for particular salacious stories. I bet there's a congressman or two in there. And somebody could put up a search engine and you could go and search for your husband or last name, but then I started to think like what would actually be the worst possible thing (and) I was like why even bother with journalism in the middle, why not just put up a form letter and just (say) this person has this data and has these sexual fantasies, interacted with these users on the system and so on and then I wrote about that and somebody tweeted at me "actually, you can generate emails automatically and ask people for $100 not to publish that on the internet" and so a business plan came up. It's pretty easy to get from something like this to something just utterly terrible. Bad for culture, bad for the people who are involved. It's good for divorce lawyers and marriage counselors.
B: This is also a week when Gawker posted a story about a married executive looking for a male escort, and then took it down, very un-Gawker like behavior, and Nick Denton who runs Gawker explained it as a certain maturation process going on at Gawker now. We also know Gawker has been sued by Hulk Hogan for exposing some of his private life so there's no doubt part of that in it, but do you think there's any connection between these things, or is it just a particularly furtive sexual week?
PF: I think it's probably always a particularly furtive sexual week but there appear to be these cultural lines that people are defining, like (when) Nick Denton said we're gonna come down on this side, two of the editors of Gawker quit in response because there was nothing factually wrong with this story. All these technological questions are starting to come down to ethics. The hackers are talking about their ethics, and Ashley Madison have these ethics that are very problematic to people and it feels like ethical questions are actually aligning with business goals for organizations like Gawker or Reddit. They had one set of policies and now because they want to achieve certain things they're changing those policies, and those policies are maybe we don't wanna write these kind of stories anymore or we don't wanna allow this kind of content on our site. And there's a lot of fallout from that.
Brooke: But how does that hook up to Ashley Madison?
PF: The hackers take an almost journalist role. They did their investigation and now they're gonna share what they found.
B: The hackers are becoming gate keepers, or gate openers.
PF: That's the thing, we have a whole cohort of human beings in the world who see it as their mission in life to open gates and God help us when we see what's on the other side of some of those gates.
B: Thanks a lot, Paul.
PF: Thanks, I know this is a tricky one.
B: This week programmer and writer Paul Ford wrote "Fairly Random Thoughts on Ashley Madison and the Swiftly Moving Line", published on Medium.
Hosted by Brooke Gladstone
Produced by WNYC Studios