On 24 August 2016, the Office of the Australian Information Commissioner released the findings of the joint investigation of Ashley Madison by the Privacy Commissioner of Canada, the Australian Privacy Commissioner and Acting Australian Information Commissioner.
Ashley Madison is an online dating website marketed at individuals looking to have an affair. The report is a timely reminder to all businesses that they must fulfil their obligations vis-à-vis privacy, regardless of how remote their commercial activities may be from the world of online dating. This article details the key findings from the joint investigation about how Ashley Madison collected, retained and secured its information, how these procedures did not satisfy the relevant Australian Privacy Principles (APPs) and the lessons that all businesses can learn from this example.
Avid Life Media Inc (ALM) is the Canadian company which operates Ashley Madison. Nonetheless, ALM had legal obligations under the Privacy Act 1988 (Cth) (The Act), which includes the APPs, because:
- It is an organisation that is not a small business or small business operator (Section 6C(1)(b)); and
- The organisation has an Australian link because it collects personal information in Australia (Section 5B(1A)).
As such, Section 15 of the Act prohibits ALM from engaging in an act or practice that breaches an APP. Also, Section 40 empowers the Australian Information Commissioner to investigate an act or practice if it may interfere with an individual’s privacy and considers it desirable to do so.
On 12 July 2015, the staff at Avid Life Media Inc (ALM), the company that operates Ashley Madison and three other dating websites, became aware of unusual behaviour in its database management system. The behaviour indicated that someone had obtained unauthorised access to their system. Although ALM immediately sought to terminate this access, it received notification the next day from The Impact Team that it had hacked ALM’s data. Further, unless the company shut down Ashley Madison and another website, it would publish all the data online. Following ALM’s refusal of this demand, the hackers published this data online on 18 and 20 August 2015. The information accessed included files from Ashley Madison’s database and ALM’s corporate network.
The hackers accessed the data of approximately thirty-six million users of Ashley Madison. The data was highly sensitive and highly personal. It included the physical characteristics and location of users as well as details of their sexual fantasies, preferences, limits and practices. The information also contained users’ real names, passwords, email addresses, security questions and answers and billing addresses. The hackers may also have accessed other information. The report notes that Ashley Madison’s forensic analysis could not determine the full extent of the hackers’ access to its data. Potentially, any information that a user provided through the website was accessed. For example, information such as photographs and users’ communications with each other.
Protecting Personal Information
APP 11.1 requires that all APP entities that hold personal information must take reasonable steps under the circumstances to protect the information from being misused, interfered with or lost. They must also protect it from unauthorised access, modification or disclosure. The Act defines personal information as being information or an opinion about an identified or reasonably identifiable individual, regardless of whether the information or opinion is:
- True or not; or
- Recorded in a material form or not.
The information retained by ALM constitutes ‘sensitive’ information under the Privacy Act because it concerns an individual’s sexual practices and orientation. Further, the lack of an appropriate and documented information security framework meant that ALM had not implemented procedures to ensure compliance with the APPs.
APP 1.2 requires that entities take reasonable steps to implement practices, procedures and systems relating to their functions that ensure the entity:
- Complies with the APPs and any applicable Code; and
- Can deal with inquiries or complaints from an individual about their compliance with the APPs or a relevant Code.
The report noted that ALM’s information security program specifically needed to consider the quantity and nature of the personal information it held at the time, and the foreseeable adverse impact it might have on users if the information became public.
The report found that ALM had not complied with its obligations for information security under the APPs and had contravened the provisions. The safeguards that were in place were not reasonable in the circumstances to protect the sensitive personal information it held.
The three most important failings of ALM information security framework at the time of breach included:
- No documented information security policies and practices; and
- No explicit risk management process; and
- Inadequate training of staff.
At the time of the breach, ALM had some physical, technological and organisational safeguards for its data.
Physically, ALM’s office servers were located and stored in a locked room accessible only by key cards. These cards were available only to authorised employees. ALM located its production servers in a cage at the hosting providers’ facilities. Employees could only access them via a biometric scan, access card photo ID and combination lock code.
ALM’s technological protections included network segmentation, firewalls and the encryption of all web communication between ALM and its users. ALM sent all credit card data to a third party payment processor. External access to its network was logged, and this access was via VPN requiring authorisation on a per user basis through a shared secret. ALM had anti-virus and anti-malware software, and the company encrypted especially sensitive information. ALM logged and monitored access to this data.
Shortly before the breach, ALM had begun training staff on privacy and security. In early 2015, ALM appointed a Director of Information Security. The company instituted a bug bounty program at the beginning of 2015 and undertook a code review process before changing its software.
Insufficiency of Measures in Place
However, the report found that ALM adopted these measures without sufficient consideration of the particular risks facing the company. Further, the absence of any documented security governance framework meant that there was no management structure to ensure that appropriate practices were consistently understood and effectively implemented. As a result, the company had no clear way to assure itself that it was properly managing the risks to its information security.
At the time of the attack, ALM had no documented security policies or practices to manage permissions to its network. While the company had appointed a Director of Information Security tasked with this job, it was still in process in July 2015. Further, the policies ALM had instituted had serious shortcomings. Its security policies were not preventive and detective. In July 2015, ALM did not have common detective countermeasures in place to detect attacks or anomalies. The detection and monitoring that it did undertake focussed mainly on system performance and unusual employee requests. ALM also did not have an intrusion detection system or prevention system or data loss prevention monitoring. While it tracked and reviewed VPN logins, unusual login behaviour was not monitored.
Further, ALM had no documented risk management framework. While remote access to its system via VPN required three pieces of information, this information provided only a single factor of authentication. Multi-factor authentication is a common and recommended industry practice to control remote access. The report considered ALM’s lack of multi-factor authentication a significant shortcoming. While ALM had begun training staff on matters of security and privacy, only 25% had received the training at the time of the breach. Also, the company poorly implemented other important security measures such as those to manage passwords and keys.
Retaining and Deleting User Accounts
APP 11.2 requires that if an entity holds personal information about an individual, it must take reasonable steps to destroy or de-identify the information when:
- The entity no longer needs that information for any purpose for which it can legally use or disclose the information;
- The information does not appear on a Commonwealth Record; and
- The entity need not retain the information under an Australian law or an order of a court or tribunal;
In July 2015, users of Ashley Madison could close their account in two ways:
- Basic Deactivation; or
- Full Delete.
Interestingly, the report found that APP 11.2 permitted ALM’s policy of retaining the information from deleted files for twelve months so as to address the issue of user fraud. ALM’s retention, use and possible disclosure of the information to prevent fraud was a secondary use of the data permissible under Section 16A of the Privacy Act 1988 (Cth). However, the report noted any period of secondary use of information must always be limited to what is reasonably necessary.
Accuracy of Email Addresses
APP 10 requires entities take reasonable steps to ensure that the personal information collected is accurate, up-to-date and complete. Further, they must take all steps as are reasonable in the circumstances to ensure that the information they use or disclose, having regard to the purpose of use or disclosure, is accurate, up-to-date, complete and relevant. In this instance, the email addresses were personal information because many allowed identification of an individual. Further, where an email address did not identify a person, other information could still identify them when associated with the email address.
At the time of the breach, ALM required all users of Ashley Madison to provide an email address when they created an account. A user could not use any of the site’s services without providing an email address. However, as a matter of policy, ALM did not verify these addresses to afford users anonymity. ALM was aware that some users did not provide their real email addresses. A person mistakenly sent a welcome email from Ashley Madison could correct the situation using information provided in the footer of the welcome email. However, the links only allowed these ‘users’ to unsubscribe from email notifications or delete the account. At that time, deleting the account required payment of a fee. When the hackers published the data taken from Ashley Madison, the email addresses published included addresses of individuals who had never used the site.
The Commissioners noted that APP 10 requires organisations to take steps that are reasonable in the circumstances when collecting, using or disclosing data. This element of reasonableness also applies to an assessment of the accuracy of data and the purpose of the data being used or disclosed. The report found that the welcome email footer was insufficient to address accuracy concerns for those individuals whose email addresses were inaccurately associated with Ashley Madison. Even with due consideration of the circumstances of Ashley Madison, ALM’s processes to assure the accuracy of email addresses with new user accounts did not satisfy the company’s legal obligations.
By not taking reasonable steps to ensure the accuracy of its email addresses and not ensuring the email addresses it used or disclosed were accurate for the purpose they were handled, ALM had contravened APP 10. The report noted that some reasonable options were available to ALM to reduce the inaccuracy of its email addresses and thus reduce the risk that the public would mistakenly identify non-users with the website. For example, ALM could have made the email field optional or introduced measures to reduce inaccuracy such as through an automated process.
Transparency with Users
However, in contrast to the Canadian Personal Information Protection and Electronic Documents Act, the Privacy Act 1988 (Cth) and the APP do not oblige APP entities to explain to individuals in detail their security measures to protect information. Nor do APP entities have to provide information to individuals about how to close their user accounts. As such, while the report considers ALM’s policies in this context, its discussion of the legalities of ALM’s processes in this regard is limited to the Canadian context. In that jurisdiction, ALM did not meet its obligations.
The report into Ashley Madison and ALM is instructive for all businesses that collect and manage personal data. It is tempting to differentiate the entire episode and its implications on account of the kind of service Ashley Madison provided: facilitating affairs. Nonetheless, the report clearly shows that the reasons why ALM did not meet its obligations under privacy laws in Australia and Canada are not uncommon. Any other kind of commercial entity could easily replicate these failings. As such, all businesses (and all APP entities) need to take on board the lessons from the Ashley Madison breach.
Context is important – the steps to collect, manage and retain data are only ever reasonable in the circumstances. That fact means that a business’ policies and procedures for its information must be tailored to the threats it faces and the sensitivity of the data itself. ALM failed to meet its legal obligation vis-à-vis securing information in part because its safeguards were inappropriate to the acutely sensitive nature of its data. Similarly, its lack of documented security policies and training meant that there was no structure to ensure that security remained appropriate to the potential threats to its data.
APP entities must also ensure that their policies are clear. As the report emphasises, ALM’s policies and terms and conditions were at best unclear. Users of Ashley Madison could not know that unless they paid to delete their account, ALM kept their data indefinitely. Similarly, providing a fabricated trust mark to instil user confidence sent a distorted message to users of the site when their Terms and Conditions specifically discounted liability for data disclosure.
Businesses need to take the time to pay attention to the accuracy of their information. ALM knew that a subset of its email addresses was fake. However, the company did little to correct the situation or institute measures to minimise its occurrence in the future. This resulted in the disclosure of the email addresses of individuals who had not used the Ashley Madison site but nonetheless suffered resulting damage to their reputation. Paying attention to data accuracy also means that businesses fulfil their obligations to protect individuals who do not use their services but whose information has nonetheless become a part of its data store.
APP entities should also consider the effects that data breaches can have and institute and document practices to minimise the risk of this occurring. Some individuals named in the Ashley Madison leak were subsequently subject to extortion. ALM’s failure to have policies and governance to ensure that its security remained targeted and appropriate was a critical factor in the breach.
All APP entities have legal obligations to protect the data they collect, use, disclose and retain. In its Guide to Securing Personal Information, the Office of the Australian Information Commissioner recommends that APP entities consider limiting the information they collect to that reasonably needed to function and carry out their activities. Entities should also handle privacy ‘by design’ – integrating privacy into the business’ overall risk management strategies and conducting a privacy impact assessment to document policies to minimise risks to data. This needs to take due account of context. Any information that an organisation does collect should be managed openly and transparently. Businesses must by law take reasonable steps to implement policies and practices to comply with the APP. This includes assessing risks and appropriately safeguarding data. When a business no longer requires some of its information, it must destroy or de-identify it.
Any determination of whether a business has taken reasonable steps to comply with their privacy obligations will involve the consideration of:
- The nature of the entity (its size and resources);
- The quantity and sensitivity of its data;
- The likely consequences of disclosure;
- The practicality of implementing a security practice; and
- Whether a measure is itself invasive of privacy.