Op-ed: Five unexpected lessons from the Ashley Madison breach

Publication Type: 
Other Writing
Publication Date: 
December 29, 2016

On December 14, 2016, the Federal Trade Commission settled a complaint with the company running the adult finder site Ashley Madison over the 2015 data breach that exposed the personal data of more than 36 million users and highlighted the site’s unfair and deceptive practices.

This complaint and settlement is important, but not for the obvious reasons. Yes, the breach had an outsized reach, much like the Target and Home Depot breaches preceding it. Yes, the breach involved poor security practices and deceptive promises about the site’s privacy protections. The Ashley Madison complaint follows a long line of actions brought by the FTC to combat unfair and deceptive data protection practices. The site’s exploitation of users’ desperation, vulnerability, and desire for secrecy is exactly the sort of abuse of power the Federal Trade Commission was created to mitigate.

But there are five key lessons that should not be missed in discussions about the agency’s settlement of the case. This complaint and settlement are more than just business as usual—they reflect a modern and sustainable way to think about and enforce our privacy in the coming years.

Privacy is for everyone


The hackers who published Ashley Madison users’ personal information justified their actions on the grounds that cheaters enjoy no expectation of privacy. Their message was loud and clear: “cheating dirtbags...deserve no such discretion.” The online peanut gallery chimed in with Schadenfreude. One commenter said, "Anyone who signed up to this sick site deserves everything they have coming to them."

Not so fast. In pursuing this case, the FTC—in conjunction with thirteen state attorneys general and the Canadian government—made clear that everyone enjoys the right to privacy. This is true for nonconformists and conformists, the unpopular and popular. Just because the site’s users may not have endorsed mainstream values did not mean their privacy was any less worthy of protection. Privacy is owed to all consumers, no matter their interests, ideas, or identities.

Read the full piece at Ars Technica