A colleague, Mark Heyink,
writes about the abuse of personal information.
© Mark Heyink 2015 Privacy Online www.privacyonline.co.za
The hacking of the Ashley Madison website, which
has as its logo “Life is Short - Have an Affair”, is one of the more dramatic
examples of why the issue of privacy is so important. It graphically illustrates many of the questions
relating to the abuse of personal information in the 21st century
and the threats that evolving technologies, which allow for the abuse of
information generally and personal information in particular, hold for our
democratic society.
The “infidelity” or “cheating” website, as Ashley Madison has come to be
termed, suffered a breach in which the personal information of 32 to 33 million
customers was compromised. The sensitive information compromised included,
among other information, seven years
of credit card information, contact details, eMails and communications between
participants. IT Web reports, quoting the Sunday Times, “that the personal
information of over 70,000 South Africans (including many government officials
and academics)” is among the information compromised.
When Ashley Madison’s parent company, Avid Life, failed to adhere to demands by the
hackers, called the “Impact Team”, the personal information of customers was
made public. By the nature of the website, the publication of customers’
personal information has naturally caused severe embarrassment, hurt and
disruption to families, and law enforcement agencies in Canada have linked two
“unconfirmed suicides” to the hackers’ publication of the personal information.
This gives rise to several issues which deserve consideration and debate. Firstly,
there are those who take the attitude that the victims, by participating in
the website, deserve the embarrassment and hurt that may come their way. This
goes to the very core of privacy. We may all do things that others
disapprove of. If what we do is not unlawful and we do it privately, a
fundamental human right of privacy protects us. If we do not respect this right
it is a very small step to allowing moral judgments to be exercised by
publishing to the world the actions or communications made in private, for the
advancement of political, commercial, social or even purely personal agendas
and gain, regardless of the consequences to persons whose privacy has been
infringed. In terms of our Constitution this is unlawful.
That the action of the hackers is unlawful is supported by the Canadian authorities
formulating charges against them, which include extortion, theft and
mischief to property. Even though the enforcement of criminal charges against
the hackers may prove problematical, this does not detract from the unlawful
and morally reprehensible actions of the hackers. It serves to illustrate
how anarchy on the web can be easily perpetrated if the right of privacy is not
enforced and how, without the cooperation of governments, it becomes difficult to
counter. In the South African context this brings the delays in
implementing appropriate legislation to protect citizens sharply into focus.
Ashley Madison is not blameless, as it represented that it would protect participants’ privacy, and it
would appear that its security was seriously deficient. While it may suffer no
criminal penalty, having reported the breach as required by Canadian law, the
penalty for its failure lies in the enormous reputational damage that the
website has suffered and the lawsuits which are likely to be brought
against it. It is reported that a national class action of Canadian citizens
claiming US Dollar 760 million will be instituted. It is also reported that
Avid Life was, not long ago, considering an initial public offering at a
valuation of US Dollar 1 billion. One doubts that an IPO is any longer feasible
or that any other potential purchasers would be found, so tainted is the
website and the company’s image.
Another element of the fallout from the hack is that its CEO, Noel Biderman, has left
by “mutual agreement”. This follows on from the replacement of Amy Pascal at
Sony Pictures and the CEO of Target, after devastating hacks on those companies’
information systems compromised personal information of their customers.
While we may shake our heads at the failure of Avid Life to protect personal information,
the fact is that typically the boards of South African companies and
institutions do not take information security seriously. The identification
of government officials and academics whose interaction with Ashley Madison has
been easily detected as a result of .gov.za and .ac.za extensions to the eMails
used in their communication with Ashley Madison is evidence of this disregard.
Either these employees do not know that they should not be using their
employer’s information and communication systems for these very personal
purposes, or the policies and the enforcement of the policies by the employers
are deficient. Which South African directors will, like Noel Biderman, be
the first to “fall on their swords” for the general apathy and neglect that
exists in implementing appropriate information security? It is not a case of
if, but rather of when.
The framers of our Constitution have enshrined privacy as a fundamental human
right. The Protection of Personal Information Act provides the framework
necessary to protect against the abuse of personal information. We should do
everything possible to prevent the right of privacy being subverted by
government, big business, individuals or criminals in the advancement of “their
agenda”.