The recent scandal of the data theft suffered by Canadian extramarital dating website Ashley Madison astonished and continues to create consequences; nearly 10 GBs of data stolen by a hacker group and containing highly sensitive information about the private life of the users involved, whose lives have been however inevitably affected only for being part of that list.
All comments on the resounding episode underline the same concept: it is nothing but the umpteenth event that reinforces the public perception of the insecurity of information sent via the web, bringing the debate on Privacy at the centre of public attention again.
Staying on a technical level, three major elements of personal data breaches by Ashley Madison immediately catch the eye in this whole affair:
- lack of procedures for verification of data (e.g., e-mails) sent by users;
- following users’ request, cancellation of their data only after payment of an amount equal to 15 £;
- missed notification to the competent authorities following the threat of dissemination of data by hackers, after the data theft in the month of July 2015.
Such violations can be related to Articles no. 5, 17 and 31 of the draft European General Data Protection Regulation, in addition to the implicit reference to the lack of security of processing (Art. 30), in the light of the data theft suffered. Furthermore, two class actions against the Canadian website have already been launched, for a value of almost 600 M€.
I don’t think the conclusion to be drawn is that data placed on the web are necessarily insecure; but I do believe we can say without fear of contradiction that in a fully interconnected world it is increasingly necessary to work hard for spreading culture and awareness on issues related to Privacy.
The European regulation goes, not surprisingly, in this direction, defining in general a holistic approach to Privacy, to be implemented by organizations through structured processes (see Privacy Impact Assessment, Privacy by design, Privacy by default), hopefully addressed by future directions of European bodies that will help standardize the methods of management at the EU level.
If Ashley Madison’s Canada has taken an important step forward on Privacy only two months ago (see this post), the effort that Europe is performing with the work on the Regulation is to be appreciated even more: it supports the belief that our continent can actually be the forerunner of a job that appears increasingly necessary to standardize languages and approaches on a much wider geographical horizon.
thanks very interesting. I have twitted here: https://twitter.com/U3L4/status/639377959124643840
Can you explain point 2 above?
Thank you Alessandro. About point 2, the problem was (and maybe still is) that if Ashley Madison’s users wanted their data to be permanently deleted, they were answered that this is possible only after paying 15 Pounds. You can find more about this at the following link: http://arstechnica.com/business/2015/07/cheaters-hook-up-site-ashley-madison-makes-account-deletion-confusing/
This is clearly contrary to Article no. 17 (Right to erasure and “to be forgotten”) of the Draft GEDP Regulation; here I quote its beginning to give an idea: “1. The (…) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a
child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; […]”.