The exposure of user data from Ashley Madison, a website for people seeking extramarital affairs, is renewing thorny debates about when publishers should spotlight private information that has been leaked online.
Not surprisingly, the answer — yes, but only in some circumstances — is complex, scholars say. And it will continue to evolve amid increasingly high-profile data breaches, when armies of malicious hackers can pry into social media user accounts, retail transaction records, and more.
“Your old model of privacy was, ‘OK — things that are inside of this box are secret and things that are outside of this box are not secret.’ That certainly doesn’t apply now, when the boxes that your things are in are not your own,” said Nick Seaver, a cultural anthropologist who has studied digital privacy at the University of California-Irvine’s Center for Social Computing.
“I think everybody with any sense of ethics and belief in privacy is squirming about this,” said Dan Gillmor, a journalism professor at Arizona State University.
The first round of major Ashley Madison revelations began this week after a group claiming responsibility for the data breach posted the apparently authentic account details online.
Although not available with simple Googling, the files have been accessible on more obscure corners of the Web to those who went looking for them.
Some companies immediately built websites to access the database in limited form for the stated purpose of searching whether it contained specific email addresses. Media companies also dove into the files, publicizing some elements of user accounts with varying degrees of vagueness.
Many news organizations, for example, have reported the existence of government email domains among the leaked data. The Boston Globe has carried Associated Press reports on the incident that included researchers’ findings of some 15,000 federal email domains in the data.
Boston magazine said Wednesday that it had found five user accounts with Boston city email addresses, one with a Boston Police email, and a smattering of others from different local Massachusetts agencies.
Just finding someone’s e-mail address is no guarantee that an account is associated with that person because Ashley Madison did not verify the e-mails that users supplied. Boston magazine did say that it declined to publish the names of those accounts “for ethical reasons.”
Gawker Media went further than others, posting a story detailing the alleged Ashley Madison accounts of Josh Duggar, an evangelical Christian TV personality. Accounts associated with Duggar’s addresses spanned the time that he served as an official with the socially conservative lobbying group Family Research Council, Gawker said.
On Thursday, Duggar posted a statement online acknowledging his infidelity. “I have been the biggest hypocrite ever. While espousing faith and family values, I have been unfaithful to my wife,” he said.
Publishing that sort of information would seem to fall within the legal tests protecting news organizations in the US, where celebrities, politicians, and others who have entered the public sphere have very limited ability to keep other parts of their lives secret, noted Andy Sellars, a lawyer and fellow at Harvard’s Berkman Center for Internet and Society.
“Public figures in general have a really hard time trying to bring a privacy claim,” he said.
To withstand legal challenges, news organizations also must clear legal hurdles showing that the information in question was newsworthy. That question can be much less straightforward than whether someone is a public figure, although courts have shown deference to the media’s professional judgment and ethics, Sellars said.
“It’s tricky, because on the one hand you don’t want to have judges serving as editors,” he said. “At the same time, if you’re purely deferential, you could never sustain a claim against media companies.”
The personal nature — and uncertain status — of the Ashley Madison information sets it apart from other data leaks that caused a flood of media attention, including last year’s disclosure of corporate emails from Sony after the company produced a movie that featured a comical plot about trying to assassinate North Korean leader Kim Jong-Un.
The fact that the information at issue was actually stolen from Ashley Madison also might not matter for purposes of First Amendment law, provided the case at hand meets several tests, including whether the information was true and a matter of public interest, Sellars noted.
Publishing other kinds of personal information, such as credit card numbers or Social Security numbers, would not shield a news organization from liability if someone used that information for fraud or theft, however. Ashley Madison’s parent company, Avid Life Media, said that no full credit card numbers were stolen from its files.
The ethics of probing data such as the Ashley Madison user accounts are less formal than the law, of course. But leading privacy scholars advise people to always consider the context of how the information was shared in the first place, Seaver said.
“User data from any kind of service, but obviously something like Ashley Madison in particular, is tied up in assumptions about who is going to see it,” Seaver said. “Whether or not you think the people who used it are bad, it seems pretty clear that this is a violation.”
News organizations that disclose details about government or notable corporate e-mails in the database without naming names are within the law, but there is also an ethical question about that step when the information is relatively easy to find, Sellars said.
“You’re walking them to the line and you’re doing so knowing that there are these services out there allowing them to search the database,” he said. “How much are you actually protecting identity here if you’re giving them all but the name?”
The hackers who breached Ashley Madison’s data systems advertised their own ethical motivations for doing so, noting both its distaste for the “cheating dirtbags” who used it and Avid Life Media’s promises to delete all user profile information for a fee, which it said the hacked data proved was untrue.
“Some people will say, `Well, they broke the law, they hacked into this private company’s computers and stole data.’ Yeah, that’s true. But from the other side, you have to say, were they doing this for a public service?” said Richard Forno, a cybersecurity professor at the University of Maryland-Baltimore County. “Depending on who you talk to, you’ll get two wildly different opinions on the issue.”
In a statement, Avid Life Media denounced any idea that the breach was a form of righteous “hacktivism,” saying the attack was not only against its members but also “any freethinking people who choose to engage in fully lawful online activities.”
“If it is your private pictures or your personal thoughts that have slipped into public distribution, no one has the right to pilfer and reveal that information to audiences in search of the lurid, the titillating, and the embarrassing,” Avid Life Media said.
Avid Life Media also will have some questions to answer about how well it secured its users’ data, Seaver noted.
“The problem isn’t that people are going to search for other parties on this database. The problem is this database got made and existed in a form that could be distributed online,” he said. “Nothing is unhackable.”
Updated 5:20 p.m. with additional detail.