A colleague, Mark Heyink, writes about the abuse of personal information.
© Mark Heyink 2015
Privacy Online www.privacyonline.co.za
The hacking of the Ashley Madison website, which has as its logo “Life is Short - Have an Affair”, is one of the more dramatic examples of why the issue of privacy is so important. It graphically illustrates many of the questions relating to the abuse of personal information in the 21st century, and the threats that evolving technologies, which allow for the abuse of information generally and personal information in particular, hold for our democratic society.
The “infidelity” or “cheating” website, as Ashley Madison has come to be termed, suffered a breach in which the personal information of 32 to 33 million customers was compromised. The sensitive information compromised included, among other information, seven years of credit card information, contact details, eMails and communications between participants. IT Web reports, quoting the Sunday Times, “that the personal information of over 70,000 South Africans (including many government officials and academics)” is among the information compromised.
When Ashley Madison’s parent company, Avid Life, failed to adhere to demands by the hackers, called the “Impact Team”, the personal information of customers was made public. Given the nature of the website, the publication of customers’ personal information has naturally caused severe embarrassment, hurt and disruption to families, and law enforcement agencies in Canada have linked two “unconfirmed suicides” to the hackers’ publication of the personal information.
This gives rise to several issues which deserve consideration and debate. Firstly, there are those who take the attitude that the victims, by participating in the website, deserve the embarrassment and hurt that may come their way. This goes to the very core of privacy. We may all do things that others disapprove of. If what we do is not unlawful and we do it privately, a fundamental human right of privacy protects us. If we do not respect this right, it is a very small step to allowing moral judgments to be exercised by publishing to the world the actions or communications made in private, for the advancement of political, commercial and social or even purely personal agendas and gain, regardless of the consequences to persons whose privacy has been infringed. In terms of our Constitution this is unlawful.
That the action of the hackers is unlawful is supported by the Canadian authorities formulating charges against them, which include extortion, theft and mischief to property. Even though the enforcement of criminal charges against the hackers may prove problematical, this does not detract from the unlawful and morally reprehensible actions of the hackers. It serves to illustrate how easily anarchy on the web can be perpetrated if the right of privacy is not enforced, and how difficult it becomes to counter without the cooperation of governments. In the South African context this brings the delays in implementing appropriate legislation to protect citizens sharply into focus.
Ashley Madison is not blameless, as it represented that it would protect participants’ privacy and it would appear that its security was seriously deficient. While it may suffer no criminal penalty, having reported the breach as required by Canadian law, the penalty for its failure lies in the enormous reputational damage that the website has suffered and the lawsuits which are likely to be brought against it. It is reported that a national class action of Canadian citizens claiming US Dollar 760 million will be instituted. It is also reported that Avid Life was, not long ago, considering an initial public offering at a valuation of US Dollar 1 billion. One doubts that an IPO is any longer feasible or that any other potential purchasers would be found, so tainted is the website and the company’s image.
Another element of the fallout from the hack is that the company’s CEO, Noel Biderman, has left by “mutual agreement”. This follows on from the replacement of Amy Pascal at Sony Pictures and the CEO of Target, after devastating hacks on those companies’ information systems compromised the personal information of their customers.
While we may shake our heads at the failure of Avid Life to protect personal information, the fact is that typically the boards of South African companies and institutions do not take information security seriously. The identification of government officials and academics, whose interaction with Ashley Madison has been easily detected as a result of the .gov.za and .ac.za extensions to the eMails used in their communication with Ashley Madison, is evidence of this disregard. Either these employees do not know that they should not be using their employer’s information and communication systems for these very personal purposes, or the policies and the enforcement of the policies by the employers are deficient. Which South African directors will, like Noel Biderman, be the first to “fall on their swords” for the general apathy and neglect that exists in implementing appropriate information security? It is not a case of if, but rather of when.
The framers of our Constitution have enshrined privacy as a fundamental human right. The Protection of Personal Information Act provides the framework necessary to protect against the abuse of personal information. We should do everything possible to prevent the right of privacy being subverted by government, big business, individuals or criminals in the advancement of “their agenda”.