Protecting private data from online theft is not the same as protecting copyrighted content
Update 8/20/15-The hackers have released the hacked data after Ashley Madison’s parent company did not comply with their demand that the site be closed. It appears, once again, Avid Media’s lawyers are misusing the DMCA in order to prevent the hacked (private) data from being widely disseminated. The post below explores why the DCMA is not the solution.
Original story from 7/21/15: In news first reported by investigative journalist/blogger Brian Krebs, hackers broke into a database containing customer data for web hook-up site Ashley Madison and threatened to post it online. Stealing customer or employee private data is always a bad thing, but what makes this particular hack particularly notable is that Ashley Madison’s business is based on promoting and enabling infidelity among couples. The company’s mantra is “Life is short. Have an affair,” and in order for customers to fool around on their mates without repercussions, anonymity is clearly key. I imagine there are more than a few Ashley Madison clients who are sweating big-time right about now.
Ashley Madison’s clientele are not the only ones at risk of having their online escapades outed. The hackers, who identify as The Impact Team, actually targeted the entire database for the site’s parent company, Toronto-based Avid Life Media (ALM). ALM also operates two other online hook-up sites, CougarLife.com and EstablishedMen.com.
According to Krebs, the hackers were motivated by the websites’ failure to comply with its $19 “full delete” feature, whereby a customer’s information is (supposedly) scrubbed from its database upon request. As Krebs reports:
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
Desperate to protect brand, lawyers fight Ashley Madison hackers with dubious use of DMCA law
What’s notable about this hack, beyond the target itself, is how ALM is fighting back. ALM says its legal team is turning to the DMCA (Digital Millennium Copyright Act) to prevent further release of hacked client data. So far, the effort seems to have successfully kept most of the information offline. From CNBC:
ALM confirmed that the hack took place and told CNBC it has managed to take down all the personal information that hackers posted online.
“Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the…posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online,” ALM said in an emailed statement.
Is the DMCA really the right (and legal) way to fight the Ashley Madison hackers? The DMCA was designed to give creators a means to safeguard their copyrighted creations from online thieves in the digital age but does it extend to hacked data too?
When Jennifer Lawrence’s personal photographs were stolen by a hacker and posted online her lawyers used the DMCA to block their spread since technically, she (and other women who were victimized by the photo theft) owned the copyright for the stolen pictures. In the case of the Ashley Madison hackers, company lawyers claim that ALM “owns” their customers’ content and thus have legal grounds to send DMCA takedown notices to prevent it being published online. Although I’m not legal expert, it seems like a stretch.
The DMCA, old and broken as it is, is the only tool creators have to protect their work. When ALM lawyers send takedown notices in situations like this only serves to muddy the waters and give critics of the law ammunition to attack it.
The DMCA is not a band-aid to be applied in every case of online theft
One can understand why ALM is moving quickly to protect their business model, but shouldn’t the DMCA be reserved for clear instances of real copyright infringement? Can the operators of Ashley Madison really claim to own the photographs and biographical material of its clients?
I suppose the issue will eventually end up in a court of law but in the meantime why doesn’t Congress to step up to the plate and tackle issues surrounding digital hacking, cyber abuse and privacy? No matter what does or does not happen on Capitol Hill, it’s clear that companies (and governments) ultimately need to do a better job encrypting databases to protect them from determined hackers.
Using the DMCA is a dubious solution to a vexing problem. As
Copyright law is supposed to protect creative works in a marketplace so that creating and selling these works can be profitable. Protecting these intimate expressions as goods in a marketplace fails to address what’s wrong about wrongfully publishing them. It’s wrong because it’s an invasion of privacy and a violation of trust, not because it threatens someone’s profits.
Let’s hope someone in Washington is listening.