One of the most famous cartoons from the dawn of the Internet age appeared in 1993 in The New Yorker Magazine. The drawing, by long-time cartoonist Peter Steiner, depicts two dogs. One, seated at a computer, says to his companion “On the Internet, nobody knows you’re a dog.”
That cartoon perfectly summed up the first decades of the Internet – a period during which billions of people went online and found it easy to create new lives: joining communities of like-minded individuals and crafting new identities for themselves. And they could do so without much concern – barring criminal activity – that their online life would intersect with their “real” life in any way.
Cartoon by Peter Steiner
As the release this week of 9 gigabytes of data from the extramarital hookup site Ashley Madison underscored, this is no longer the case.
The trove of customer and company data that was released this week is the product of a hack of Ashley Madison’s parent company, Avid Life Media (or ALM), by a shadowy group calling itself The Impact Team. The trove of data contains both personal and financial data on tens of millions of individuals, including credit card numbers, addresses and other associated account information for Ashley Madison’s paying customers. There is plenty of salacious data as well: sexual preferences like what the customer was “looking for” and what “turns me on,” not to mention their height, weight, eye color and ethnicity.
Impact Team's message from the Ashley Madison data dump.
If the early Internet was a place where “nobody knows you’re a dog,” today it’s a place where knowing that you’re a dog is the least of it.
Of course, ALM isn’t the first corporation to have its customer data pilfered. It’s not even the first online hookup site to do so. Adult Friend Finder, an online site catering to swingers, acknowledged in May that data on some 3.5 million of its members was stolen. And it’s also worth recalling the serial breaches at healthcare firms like Anthem and Premera, which revealed personally identifiable information and, in some cases, information on medications and medical diagnoses.
The truth is that the “anonymous” Internet of the 1990s was never really anonymous. And, in any case, the anonymity it did offer – a kind of ‘security through obscurity’ – ceased long ago. Companies from Target to Amazon and Google make a point of collecting and collating as much data about their customers and users as they can – all the better to understand (and market to) their priorities and desires. Anyone who has ever searched for an egg timer, only to be haunted and hunted by kitchen appliance advertisements for months on end, understands this.
Beyond that, Edward Snowden’s leaks showed us that the same medium that has empowered individuals to challenge their government was also a fantastic medium with which government can monitor the doings of the citizenry.
Still, sites like Ashley Madison, Adult Friend Finder and the like traded on members’ faith in the anonymity that went along with that older, simpler Internet. Customers who willingly divulged their credit card data and sexual predilections to ALM did so, I’d guess, with the quaint idea that a throw-away e-mail address and assurances by ALM that it had its house in order would protect them from prying eyes. Needless to say: they were wrong.
The question is: what to do next? It’s worth noting that massive data breaches are nothing new – they’ve been a serial occurrence in the U.S. and elsewhere for much of the last decade. Still, lawmakers in Washington D.C. and elsewhere have been loath to address the problem with policies intended to improve data security in the private sector.
The hack of Ashley Madison as well as other firms should increase pressure on lawmakers in the U.S. to finally make good on promises to pass a substantive Federal data breach law that harmonizes some 40 separate state laws and imposes harsh penalties on companies that are careless with their customers’ personal and financial data.
Consumers also need to re-orient themselves to the modern Internet, finally letting go of outdated notions that going online provides you any real anonymity or – frankly – privacy. On the Internet of today, transparency – not anonymity – is the rule and data is a commodity to be traded in exchange for goods and services. Consumers need to be thoughtful about what kinds of data they wish to share and at what cost. They need to consider the potential ramifications when (and not if) the data they do volunteer is exposed for all the world to see, as it surely will be. Millions of Ashley Madison’s clients are reckoning with that as we speak. Hopefully, their experience will be a lesson to others.