Ashley Madison Hack Exposes (Wait for It) a Lousy Business

Ashley Madison had two jobs: help men meet women, and keep it secret. It turns out it may not have been very good at either.

Ashley Madison may very well be screwed.

The notorious site where married people seek extramarital liaisons was the target of a major hack, and this week the hackers dumped some of the data supposedly stolen from the site. For users, the fallout doesn't look good. The first dump appears to include the logins of some users, and details of their payments to Ashley Madison. The site did not have an email verification process, so it's unclear if the personal information is real, but identifying information tied to credit card transactions appears to be legit.

The hackers released an even bigger batch of data Thursday, including what appear to be internal emails from Noel Biderman, CEO of Avid Life Media, which owns Ashley Madison. (That file was corrupted, but a new version was released again today.)

Ashley Madison—and its users (and their spouses)—can't be happy. But the company is facing more than the wrath of exposed users.

The hackers say one reason they targeted the site is because they believe it is "a scam." The site had significantly more male users than female, they say, and even went so far as to create fake female profiles to support its blatant promise that Ashley Madison was a place to meet young, attractive women. The hackers also accused the site of falsely promising to keep users' information secret, demanding payment for deleting users' profiles then failing to follow through.

Based on the data they've posted so far, the hackers' claims aren't too far off base.

The site may not be a scam. But if the hackers' claims are even partially true, Ashley Madison isn't much of a business. As the "most recognized and reputable extramarital affair company," it had two jobs: help married men and women connect, and keep those assignations secret. The company doesn't appear to have created a good system for doing either of those things. And for a company that said it planned to raise $200 million for an IPO, its business begins to look no more steady than a house of cards.

Boys Club

According to two analyses of the hacked data, users of the site overwhelmingly were men. Robert Graham, CEO of Errata Security, says the breakdown of self-selected genders appears to be 28 million men versus 5 million women. A separate analysis of the same raw data by online private investigation site Trustify came up with a similar result: just 14 percent of users on the site appeared to be women.

On its own, that imbalance might not seem to be a problem—it's simply who uses the site. But Biderman has repeatedly claimed Ashley Madison's users were half men and half women in its key demographic. If that ratio was way off, then Ashley Madison couldn't offer what its marketing seemed to promise, at least not at scale: easy assignations for both men and women. (Avid Life Media did not respond to WIRED's specific questions about Ashley Madison's practices.)

And that's before you consider reports that Ashley Madison created fake profiles of young women to encourage people to join. A former employee filed a lawsuit against the company claiming damages for wrist injuries caused while creating "1,000 fake female" profiles for the site's launch in Brazil. (The suit ultimately was dismissed.) Some users also have claimed they were chatting with women who, they say, turned out to be fake.

It’s unclear, of course, how many female profiles are fake—and it’s possible, if not probable, some of the male users were fake too. People curious about the site likely created dummy accounts (like me!) to see what it was all about. And, despite these claims, men and women report having had affairs thanks to the site (like this, this, this, and this).

All of which means, whatever the site's claims, its apparent gender imbalance probably isn't enough to call it a scam. "In the law, there's this idea of puffery. Salespeople, and that's what they are, are allowed to exaggerate," says Hofstra University law professor Miriam Albert.

"A saleslady at Lord and Taylor says, 'That dress looks awesome on you,' when in reality, you're packed like a 10-pound sausage into a 5-pound casing. She's allowed to say that and you can't sue her for it because you're not relying on her to make the purchase."

Similarly, there were some women on the site, so even if there weren't as many as Biderman publicly claimed, the difference may not be enough to deem it fraud. "If what they're really saying is 'It's evenly split,' and someone went into it with that basis, I bet you could get your money back," Albert says. "I'm just not sure it rises to the level of actionable fraud. It's the cusp between puffery and fraud. It's a slippery slope."

'Lipstick on the Collar'

If a lot of women on the site were fake, on the other hand, especially because men had to buy credits to message women, that could begin looking more suspicious, says Eric Goldman, a law professor at Santa Clara University. In fact, federal regulators reached a settlement with a British dating company last year agreeing that it could not use fake profiles to trick users into upgrading to paid memberships.

Whatever the promises of gender balance Ashley Madison made, the hacked data also suggests the company may have played fast and loose with its privacy promises. Ashley Madison promises users it will delete their personal information for $19.

Yet some users who paid the fee appear to have had their information revealed in the hack. According to Trustify, the first leak provided two databases: one with all of the email addresses for people who logged onto the site, and a second with the company’s payment and transaction information.

"Ashley Madison’s deletion service was $19, and nothing else costs that exact amount. In the payment database, we see users who spent $19," a Trustify spokesperson told WIRED. "They don’t show up in the account list, but these were obviously former active users. Why else would they have spent $19 on Ashley Madison’s website?"

The company disagrees about what its service promised. "The 'paid-delete' option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity," the company said in a statement Thursday. "The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes." In other words, the company did not promise to remove transaction data from its payments database.

Prior to the hack, Biderman touted the security of his service. “It’s not lipstick on our collars anymore getting us caught," he told the Calgary Herald earlier this year. "It’s digital lipstick. Voice mails you leave behind, text messages you leave behind—so I focus on that ... We’ll go back in time. We’ll take back every message you ever shared. We’ll make like you’re a ghost—you never were here.”

But as the hack suggests, identifying details tied to credit card transactions may be exactly the kind of electronic lipstick on the collar that could compromise the site's users. Keeping affairs a secret is your primary job if you're in the business of arranging affairs.

Not Safe, Likely Sorry

So was Ashley Madison bad at providing the services many users expected it to provide? Probably. But it probably wasn't deliberately trying to scam users.

A former employee who asked to remain anonymous told WIRED the company could not have developed so enormous a user base without truly helping at least some married men and women have affairs. While many users might not have had success, anecdotal evidence suggests the company did facilitate some hookups.

Yet the site could be at risk for legal action over its failure to protect the private information of its users—especially those who paid $19 to erase all trace of their connection to the site.

"This is going to be a big legal mess because, putting aside the morality of it, they promised to keep this information safe, and what the lawsuits are going to look at is, did they do enough?" says Albert. "No court is going to require them to guarantee strict liability that no one could ever get to it. It's really going to come down to what they did, and did they do enough."

And it may depend on what a reasonable person would expect from the delete service. Dalia Topelson Ritvo, the assistant director of Harvard Law School's cyberlaw clinic, says the legal question boils down to whether Ashley Madison did what it promised. But what that promise really is promising may be difficult to parse these days.

"What does it mean to delete?" she says. "It's a really interesting question, especially in the age of big data."