Ashley Madison Continues To Use Dubious Legal Takedown Threats To Try To Disappear The Data It Failed To Protect
from the not-a-good-idea dept
We've written a few times now about how the parent company of Ashley Madison, Avid Life Media, has been committing perjury and issuing completely bogus copyright demands to try to hide the information that was leaked after its servers got hacked. Last month, that tactic (despite not complying with the law) apparently worked briefly, until the full data dump happened last week. But that hasn't stopped the company from continuing to try. EFF wrote a long blog post detailing how this was a clear abuse of the law, but Avid Life Media doesn't seem to care.After the leak came out, a few sites sprung up quickly to help people search the database. Whether or not you think it's appropriate to set up such a site (or to use it) is a separate issue, but what hopefully everyone can agree on is that such a site should not be taken down for copyright reasons. There were two main sites that got the bulk of attention for setting up such a database, and one has already shut down and the other has received a takedown demand (though not a copyright one). I won't link to either site, but here's what's now posted on one of the sites:
Our firm is counsel to Avid Life Media, Inc. (“ALM”) with respect to its intellectual property and data privacy matters. As you may know, ALM is the parent company of the online dating and social networking service Ashley Madison. Because users entrust ALM with highly sensitive and intimate details (collectively the “Ashley Madison User Data”), the privacy of ALM’s users is of utmost importance. As a result, ALM proactively and arduously regulates any authorized (and unauthorized) use of Ashley Madison User Data.CloudFlare, in response, told the guy that it had forwarded the name of the actual hosting provider (a non-US company) to the lawyers at DLA Piper, and at last check, the guy claims that his hosting company, ColoCall out of Ukraine, has not done anything about it. That may change, but it's not clear what legal basis ALM has for the demand. It's nice to see that ALM is no longer making totally bullshit copyright claims, but these weird "privacy and personal data rights" claims don't have much legal basis either.
This letter is to inform CloudFlare, Inc., and all related entities (collectively, “You”) that, upon information and belief, CloudFlare, Inc.’s client (“Your Client”), has posted a searchable database of the Ashley Madison User Data to a website hosted on a domain name hosted by You. Specifically, Your Client has posted the Ashley Madison User Data at the following URL: https://ashley.cynic.al/ (the “URL”). Your Client’s publication of the Ashley Madison User Data may constitute illegal disclosure of private personal information, and potentially expose millions of individuals around the world to identity theft.
Moreover, we believe that the website content hosted at the URL may violate the Your Terms of Use, located at: https://www.cloudflare.com/terms. Specifically, the website content hosted at the URL may violate the Terms of Use in that it likely infringes upon the privacy and personal data rights of the Ashley Madison users. Accordingly, ALM requests that You take action to remove and/or disable access to all content at the URL.
Please note that this letter is made without prejudice to any other rights or remedies that may be available to ALM. Nothing contained herein should be deemed a waiver, admission, or license by ALM, and ALM expressly reserves the right to assert any other factual or legal positions as additional facts come to light or as the circumstances warrant.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: dmca, leaks, privacy, takedowns
Companies: ashley madison, avid life media, cloudflare
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Ashley Madison you have it all wrong with the DMCA
You need to see the light and STOP using the DMCA to try to deal with this.
You should be using the new super dooper RTBF ! (Right To Be Forgotten)
The new RTBF has advantages over the outdated DMCA.
1. While the DMCA can only be used within worldwide jurisdiction, the RTBF can be used in even wider worldwide jurisdiction!
2. You can't use the DMCA to take down articles critical of DMCA requests, but you CAN use RTBF to take down articles critical of RTBF requests!
3. Coming Soon!... the ability to recursively take down all future articles about an RTBF request! (just try that with the puny DMCA.)
4. You don't have to be an actual copyright owner to use RTBF. (although it is doubtful that you need copyright ownership to use DMCA.)
[ link to this | view in chronology ]
Re: Ashley Madison you have it all wrong with the DMCA
- only affects searches originating in europe, me, a Canadian, can still find all rtbf links, because im not European, my searches are not filtered by that law
[ link to this | view in chronology ]
Re: Re: Ashley Madison you have it all wrong with the DMCA
[ link to this | view in chronology ]
Re: Re: Ashley Madison you have it all wrong with the DMCA
[ link to this | view in chronology ]
Re: Re: Ashley Madison you have it all wrong with the DMCA
[ link to this | view in chronology ]
Amateur: A minor nitpick
I'd suggest the synonym sophomoric which refers to the stupid mistakes we make when we're sophomores and think that we know things because we're no longer freshmen (pro-tip: we don't).
[ link to this | view in chronology ]
Posting PII IS a crime
[ link to this | view in chronology ]
Re: Posting PII IS a crime
" Your Client’s publication of the Ashley Madison User Data may constitute illegal disclosure of private personal information."
This is debatable in the US, but much more policed under privacy laws in the EU where the server is actually hosted.
[ link to this | view in chronology ]
Re: Re: Posting PII IS a crime
The Ukraine is in the EU? Or are you referring to Cloudflare and not the place the original page is hosted?
[ link to this | view in chronology ]
Re: Posting PII IS a crime
The route that ALM's lawyers are taking is to send heavily caveated, non-legally binding demand letters to someone that they hope doesn't have competent legal counsel, and will therefore comply because "lawyers saying scary sounding things."
Frankly, they'd probably get a better response if they sent a letter saying "look, there's no legal basis for us to ask this, so we're not going to threaten, but you'd be doing an awful lot of people a solid if you took this content down."
[ link to this | view in chronology ]
Re: Re: Posting PII IS a crime
Websites that allow an email lookup with no additional provision of PII will almost certainly be allowed to stay up, as past precedent has proven. Those websites that are wantonly slapping a bunch of personal names and addresses on their website for all to see should, as you suggest, by all means retain legal counsel, and that legal counsel, if it's worth its money, will almost certainly tell them that what they are doing is not only reckless and stupid, it's also illegal.
[ link to this | view in chronology ]
Re: Re: Re: Posting PII IS a crime
Federal Statute creating a general ban on possession of personally identifiable information (PII) in this context, please?
This is by all accounts a non-US hosting company (Ukraine is called out) and there's nothing to indicate a locality for the person publishing the website so there are likely jurisdictional issues here.
Past that, nowhere in the actual letter was PII referenced. It was certainly alluded to. But the lawyers reference "Private, personal, information".
To your other point about providing information? The website in its current form checks for the presence of a user-provided email address in the dataset, and returns a yes/no along with an explanation of why presence in in the database isn't an automatic indicator of being an active user.
[ link to this | view in chronology ]
Re: Re: Re: Re: Posting PII IS a crime
Sure. Here you go: https://www.law.cornell.edu/uscode/text/18/1028
Clause (a)7 would probably be the one that most applies, since this does violate several state laws, and would indeed constitute a felony in multiple states due to the volume of PII being provided.
Which certainly complicates things. But in international jurisdiction law, nations can invoke the passive personality principle if they feel that a foreign nation has willfully caused harm to one of its citizens. It's not a principle that's often invoked, but considering the FBI is now actively involved with the investigation of the initial hack and subsequent spread of the information, and considering some sixteen odd million Americans are having their data posted, it's not without the realm of possibility, were a foreign site to decide to openly post PII. Of course, as I said earlier, the cynic.al website is merely an email search tool, so at the moment it's probably safe from that.
Of course, they also never used the phrase DMCA, either. Nor is this even formatted as a DMCA letter. So my initial claim that this isn't a case of "dubious legal takedown" using DMCA still stands.
[ link to this | view in chronology ]
Re: Re: Re: Posting PII IS a crime
Techdirt is not fraudulently using any information. Where has Techdirt committed fraud?
[ link to this | view in chronology ]
Um, how exactly? Doesn't one need to know what one's searching for in order to formulate a search term that's most likely to fetch the relevant data? If one has that information, then one is probably the owner of it. Unless one happens to be one of the many who joined one of ALM's websites with fake details, in which case no individual's privacy is at risk. At least, that's how I'm seeing it.
[ link to this | view in chronology ]
Re:
Or the significant other of the person whose data is being searched for.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
ALM or SONY
[ link to this | view in chronology ]
Re: ALM or SONY
Second, some of the people in those news agencies are likely ALM Customers, and as such will have run afoul of the morality clauses in their employment agreements, and hence have a vested interest in ensuring the data never gets looked at too closely.
[ link to this | view in chronology ]
am i crazy?
So, if you're a company whose business model depends on protecting the privacy of your customers, and you suffer a massive data breach, why wouldn't you use every tool in your arsenal, bullshit or otherwise, to make it more difficult for third parties to access that data?
My guess is that AVM customers care more about limiting the violation of their privacy than the proper application of copyright law. I don't know, am I crazy?
[ link to this | view in chronology ]
Re: am i crazy?
Trying to limit access to data that has already been exfiltrated and posted on the Internet is like pouring a glass of water into the ocean, then demanding that those molecules be put back into the glass. At that point, it is not a matter of resources, but keeping up the illusion of "doing something about it".
Bottom line: If you think Avid Life is doing all these gyrations out of altruistic concern for their customers' privacy rather than just trying to protect their own collective naughty bits from hordes of rabid lawyers, then yes, you are crazy.
[ link to this | view in chronology ]
Re: Re: am i crazy?
Quite frankly, I think they're doing it out of panic.
[ link to this | view in chronology ]
"what hopefully everyone can agree on is that such a site should not be taken down for copyright reasons" -- Who cares what the basis is?
[ link to this | view in chronology ]
Re: "what hopefully everyone can agree on is that such a site should not be taken down for copyright reasons" -- Who cares what the basis is?
I do. It's important.
And what exactly are the Marines going to do? Blow up some data center because "geez, people might be embarrassed?"
When your only tool is a hammer, every problem becomes a nail.
[ link to this | view in chronology ]
Do no harm.
And that requires due process.
[ link to this | view in chronology ]
Re: Do no harm.
[ link to this | view in chronology ]
Re: Re: Do no harm.
[ link to this | view in chronology ]
Re: Re: Re: Do no harm.
Nobody questions that there is no copyright claim. That only works for copyright and ONLY in the US.
In this case neither of those things are so.
What is so is that a network was broken into and data stolen, threats of extortion were made, and now individuals are being threatened and extorted.
[ link to this | view in chronology ]
Blackmail for instance.
You'll still need to present a case for harm done by those who have the data, rather than the harm done by those who obtained the data.
[ link to this | view in chronology ]
Re: Blackmail for instance.
Has that been used as a defence in court yet. Not in a copyright case, but in stealing data for extortion case?
"Yes I have it, your honour, but they still have it too. Yes I know that it was their's, but it still is - it's just kinda ours now".
[ link to this | view in chronology ]
It would be a poor defense.
[ link to this | view in chronology ]
Re: It would be a poor defense.
I mean in the context that you used it.
[ link to this | view in chronology ]
Stealing.
We say that such sensitive (incriminating) material was stolen.
Never mind that it was incriminating.
So yeah, there's a really sucky law against copying information that isn't yours from computers, and it's used to put away people that inform the public when the government does criminal stuff.
So I personally don't take that law seriously at all, since I know it as a way to get revenge against well-meaning whistleblowers. It may have some good uses somewhere, but it's doing more bad than good right now.
[ link to this | view in chronology ]
Re: Stealing.
[ link to this | view in chronology ]
Obsessive?
I told you my position.
And regardless I have no confidence in the US Justice System anyway, so I wouldn't even hazard a guess as to what my defense would be.
Feel free to read whatever the heck you like in that. I am rapidly ceasing to care what you think.
[ link to this | view in chronology ]
Re: Re: Blackmail for instance.
> "Yes I have it, your honour, but they still have it too.
> Yes I know that it was their's, but it still is - it's just kinda ours now".
That is EXACTLY how copying works. Whether authorized or not, once I have a copy of something, the copy is mine, and the original is still theirs. My neighbor gave me a copy of his cookie recipe. Guess what? He still has it. And I have it. Exactly as you are saying in your argument. Yes, it's still his, but it's also mine too, and not kinda.
You could argue the copy was unauthorized. But maybe I obtained my copy innocently, possibly without understanding the implications, from some website that offered it for download. (As in the copyright case: you should be going after the download site, not the downloader, not Google.) Some people could argue that once disclosed, this data is of public interest (eg, reporters, researchers, politicians running against an Ashley member for the same political office).
The extortion argument is so much simpler and clear.
[ link to this | view in chronology ]
Re: Do no harm.
Also, don't forget general (though not absolute) prohibitions against prior restraint.
In the US, at least.
[ link to this | view in chronology ]
Prior Restraint
The only exception I know of is national security.
[ link to this | view in chronology ]
Kill the hackers
[ link to this | view in chronology ]
Re: Kill the hackers
[ link to this | view in chronology ]
Re: Re: Kill the hackers
[ link to this | view in chronology ]
I'm not very good at this.
Sometimes I can't tell. Which I think is the point of Poe.
[ link to this | view in chronology ]
Re: I'm not very good at this.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
THAT is the problem - incorrect use of law.
[ link to this | view in chronology ]
I believe the answer to that is yes.
I'm pretty sure we like it that way, given it protects whistleblowers who which to drop private data of a more incriminating sort than bathroom pics. Your attempt to suppress the pic will only assure that it gets Streissanded everywhere.
I say this as a three-felonies-a-day sort of criminal, who doesn't really do anything particularly scandalous or heinous, and who is less pervy (probably) than the average person on the (San Francisco) sidewalk.
If I were pervier and in a county that was less tolerant than the queerest of my bedroom activities, I might want laws to prevent me from being outed. As it is, it's a total social faux pas to out someone (as gay, a BDSM participant, a zoophile) as it is to dox them, but it's not yet illegal.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
When Steam was hacked
But it was salted and so far there's been no indication that anyone has figured out how to decrypt it.
So...far more can be done than what AM did to keep details safe.
And it's really hard to find something in one's Steam account that is disreputable.
[ link to this | view in chronology ]
[ link to this | view in chronology ]