By – Steve Baker
January 17, 2017
On December 14, 2016 the U.S. Federal Trade Commission announced a settlement in the Ashley Madison case, along with 13 different US states and the District of Columbia. Ashley Madison also settled with the Privacy Commissioners of Canada and Australia.
As a result, Ashley Madison is now subject to a permanent injunction, and has agreed that its liability was $8.75 million. Because the company could not pay this sum it instead agreed to pay $1,657,000 as restitution, half going to the FTC and half to the states.
What was the Ashley Madison business?
Ashley Madison advertised itself as a site to find someone interested in having a discrete extramarital affair. Members paid through credit card. Though based in Toronto, it operated in 46 countries around the world. Ashley Madison’s revenues in 2014 were more than $100 million. The company’s earned an estimated $47.4 million from U.S. members alone in 2015.
Since 2002 Ashley Madison has had about 19 million U.S. members. 15.7 million of these are males; 3.19 million were women. Ashley Madison had information on some 36 million people, including 19 million people in the U.S. There were also about 1 million members in Canada and 670,000 in Australia.
Members could create a profile for free, but only those who upgraded to paid memberships could send messages, chat in real time, or send virtual gifts. Those interested in quitting Ashley Madison were offered an option of a “full delete” of all of their information and emails for an additional $19.
Who were the defendants?
The settlement was with Ruby Corporation (formerly known as Avid Life Media) Ashley Madison, and ADL Media. Thus the settlement binds not only Ashley Madison, but also the other dating sites operated by the company — Cougarlife.com, Establishedmen.com, and Mancrunch.com. It did not name the owners or operators of Ashley Madison individually.
Why was there a case?
In July 2015 someone hacked into the Ashley Madison computer system and stole data on the accounts of some 36 million users. The “Impact Team” demanded that Ashley Madison stop operating both that dating site as well as that of Establishedmen.com, and threatened to make the information public if Ashley Madison did not do so. When Ashley Madison failed to comply the hackers did make the stolen information public.
What was Ashley Madison charged with?
The FTC and the States focused on both deceptive claims made in its advertising and marketing, as well as on Ashley Madison’s security practices.
The FTC complaint asserts four types of deception.
- That the company had taken reasonable steps to protect the security of member’s information; 2. That Ashley Madison had received a “trusted security award,” when it had not,
- That many of the communications received were from real women when they were not,
- That the company would delete all the information of members that paid $19 for the full delete option.
In addition, Ashley Madison was charged with “unfair” practices by not taking reasonable steps to prevent unauthorized access to their system. We explain each of these issues in turn.
On its web site Ashley Madison had a seal that said “trusted security award.” See it here. Ashley Madison admitted that it simply made this up. There were no separate third parties that had bestowed this on the company.
Use of fake profiles
Ashley Madison also created fake profiles of women. This was an effort to get recipients to become full members who could communicate with others using the web site. In 2014 they had 28,417 “engager” profiles on their site, all but three of which were of women. Thus when someone first came to the site, and had not yet paid for a full membership, they would receive winks and emails from these fake profiles. But members could not respond without upgrading to a paid full membership. The FTC complaint states that this practice only took place until August 2014.
However, there were newspapers reports in 2013 that Ashley Madison had been sued by a former employee who alleged she got carpal tunnel by typing up 1000 fake profiles for the company to use in a new website for Brazil.
Though it seems not to have been addressed by the settlement, those who examined the Ashley Madison data stated that of the 37 million profiles on the dating site reported that at most 12,000 belonged to women who were active on the site.
This is the second time that the FTC has taken action against a dating company using fake profiles to get people to enter their credit card information and sign up for a paid membership. The same allegations were made in the FTC’s case against JDI Dating. In addition, several years ago the Australian Competition and Consumer Commission took legal action against Jetplace for using fake profiles.
The Full Delete
Ashley Madison advertised that if a member ever decided to quit the service it would delete their “digital trail” by deleting any messages sent or received, profiles, usage history, photos, etc. Only after purchasing did members learn that Ashley Madison would keep “some” information for 6-12 months for “legal and financial” reasons. Many of these profiles were also part of the hacked information.
The “legal and financial” reasons seem to have been keeping the information to counter possible credit card chargebacks. The Report of the Privacy Commissioners seems to have accepted this as a valid reason, although they noted that there was no reason for keep profile pictures. The FTC order requires that Ashley Madison disclose its terms and conditions on deleting profiles.
Not surprisingly, Ashley Madison stressed its security measures in its advertising with statements such as “Our service is 100% secure,” “risk free,” and “completely anonymous.” The Canadian and Australian Privacy Commissioners released a report detailing the steps Ashley Madison had, or had not, taken to protect the security of its information. It does appear Ashley Madison did make some real efforts to try to keep its information secure, and that after the breach it took more steps to beef up its security.
How Did the Breach Happen?
The report of the privacy commissioners suggests that this is what happened. Ashley Madison employed a virtual private network to allow remote access to its systems. To access this, you needed a password and also a “shared secret,” that was common for everyone. Ashley Madison does not seem to have terminated passwords for employees or contractors after they left. At least one server was not protected by a password – thus allowing access to all servers. In addition, many passwords and encryption codes were in plain text on the servers.
Before the data was stolen the hackers seem to have spent several months examining the Ashley Madison systems, gaining administrative access, and modifying logs that would have showed the access. The Privacy report suggests that the breach may have begun with a payment processor.
What data was stolen and released
The Report also shows three categories of data were breached and released:
- Profile information, including gender, date of birth, and information such as “my intimate desires.”
- Account information, such as members’ password, security questions and answers; and
- Billing information, including real names, billing addresses, the last four digits of credit cards and, in some cases, full credit card numbers.
Effects of the Ashley Madison Data Breach
Obviously the release of this information could, and did, have a serious effect on the life of the Ashley Madison members. In addition to the obvious embarrassment members suffered and resulting divorces, there were press reports that some of these members were subject to extortion attempts and reportedly at least four suicides resulted. Many members communicated through Ashley Madison from their work email instead of their homes, for obvious reasons, and thus both federal and state email addresses were disclosed. Governments obviously looked through that information for employees who had been engaging in activities at their place of work.
Notifying Members of the Breach
One key component of most laws dealing with data breaches is a requirement that a company notify those whose data was compromised. After learning of the breach Ashely Madison issued press releases and set up a dedicated phone line and email inquiry facility to let members contact the company. It later provided written notification by email to users in some countries, including Canada, Australia and, presumably, the U.S.
Neither the FTC nor Australia/Canada addressed the notification aspect in their actions.
What flaws did the FTC find in the Ashley Madison security system
Here are the failures itemized in the FTC complaint. Note that most of them address shortcomings in password protection and access to its system. It is not a short list:
- Failed to have a written organizational information security policy.
- Failed to implement reasonable access controls, specifically Ashley Madison
- Failed to regularly monitor unsuccessful login attempts
- Failed to secure remote access
- Failed to revoke passwords for ex-employees of their service providers
- Failed to restrict access to systems based on employee’s job functions
- Failed to deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files on Defendant’s network, and
- Allowed their employees to reuse passwords to access multiple servers and services
- Failed to adequately train Defendant’s employees personnel to perform their data security-related services, and
- Failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information. For example, Defendants failed to contractually require service providers to implement reasonable security, and failed to use readily available security measures to monitor their system and assets at discrete intervals to identify data security events and verify the effectiveness of protective measures.
Does this case resolve all legal claims against Ashley Madison?
No. Needless to say, there have been a number of class actions filed against Ashley Madison.
In addition, since Ashley Madison operated in more than forty countries there is nothing to prevent other government agencies from taking additional action. Finally, civil settlements like that of the FTC do not prevent criminal charges.
Why is Ashley Madison being singled out instead of whoever hacked their system?
Ashley Madison may well contend that it is the victim here, that the breach was done by someone else and that it has already suffered the consequences of its actions. This approach, however, overlooks the fact that it was the information of its members that was stolen from Ashley Madison, and that the company had pledged to keep it secure.
Obviously legal action can also be taken against those who hacked its systems. That has not happened so far, but it would be hard to believe that law enforcement agencies have not investigated this.
What will FTC do with the money?
The FTC recovers money in fraud cases to return to victims, and has discretion to decide if refunds directly to victims are practical or not. If the FTC does not give money back to victims the money goes to the U.S. Treasury. The FTC keeps none of it.
What does the order require Ashley Madison to do?
The Ashley Madison court order prohibits the deceptive claims charged in the complaint to U.S. individuals, and also prohibits the company from misrepresenting the actual number of users it has, and in particular the actual number of women users. The order also addresses “engager” profiles and whether profiles were created by the company. The order also requires that the company have detailed and comprehensive security measures in place.
As most other FTC data security cases, the order requires Ashley Madison to hire a third party to perform an initial security assessment and then to do so again every two years for twenty years, and submit those reports to the FTC. These assessments can be quite costly. Finally, Ashley Madison must keep appropriate records and file reports to the FTC demonstrating that it is complying with the order.
Violations of a permanent injunction are contempt of court, which can be handled either as civil contempt (to bring someone into compliance with an Order) or as criminal contempt (punishment for violating a court order).
Consumer Lessons for Dating Companies
- When you operate in many states and countries you are subject to legal action in each of these.
- Data Security is increasingly important
- Don’t lie about how many members you have
- Don’t use fake profiles or bots to urge people to sign up for paid memberships
- Hiding key information in terms and conditions is not going to prevent legal action. Be sure people actually know key information
- Make sure people know how long they are signing up for, and that they understand auto renewals
- Make sure people know how to cancel and that doing so is not difficult
- If you use third party seals make sure they are real
- Do read complaints from members
- Do your utmost to keep romance scammers off your sites
FTC press release
Canadian Privacy Commissioner press release
Report of Privacy Commissioners
Canada compliance agreement
Australia undertaking (legal order)