Maybe I'm naive, but I'm hoping that the lawsuits from this will be the start of a push for data-breach insurance, and that the insurers, as Bruce Schneier has been advocating for many years, will force the security that the marketing VP doesn't see the need to pay for.
19. ARBITRATION AND CLASS ACTION WAIVER
....
D. Class and Consolidated Claims Waiver
It is agreed that neither party shall have the right
to participate as a class representative or class
member with respect to any Disputes subject to
arbitration under this Agreement or any Dispute
between the parties. The parties also waive any
right to assert consolidated claims with respect to
any Disputes subject to arbitration under this
Agreement or any Dispute between the parties.
Such clauses are generally enforceable in the United States, as far as I can tell from a bit of Googling. It looks like in Canada, enforceability depends on whether the alleged misdeeds of the defendant arise from a violation of common law or a violation of specific consumer protection acts.
The "Disputes subject to arbitration under this Agreement" seem to be set out in 19.A, which is titled "Scope", and the TL;DR of that section would be "everything, except Ashley Madison can use the courts instead of arbitration if they wish to sue you over intellectual properties, confidential information, or illegal activity".
They do have one exception, given in 19.C, titled "Small Claims", which says:
Both parties retain the right to file any claim that
is not aggregated with the claim of any other
persons and whose amount in controversy is properly
within the jurisdiction of a court which is limited
to adjudicated small claims.
Could be that I'm naive as well, but personally, I hope that people will finally get the message Snowden tried to pass and in the process sacrificed his future (and maybe even his life) for: We're about to abandon our privacy.
Maybe you are naive, but you are certainly not as naive as the marketing VP who didn't see the need to pay for security, and is today watching in horror as his business is getting hacked to hell.
When this happened to SONY, they went dark immediately and rebuilt from the ground up... Seems to be the "right" approach, as opposed to business as usual from ALM. You have to wonder if they aren't still infiltrated.
In the comments on the TPB torrent of the original leak people were debating the legality of downloading/having this information on their computer. Irony of that situation aside, if I was interested in studying these leaks how much legal danger would I be putting myself in by grabbing them? I'm US based.
Guess it depends if anyone is being paid to log the IPs in the swarm and do anything with them.
I'd imagine if you treat it like downloading a TV show or something and use a suitable VPN you'll be mostly fine. Probably just comes down to how much someone is willing to pay to go after people downloading it.
Otherwise I expect others to analyze the dump and publish their findings in less dodgy formats.
It's really hard to imagine that AM would go after the downloaders. That would be like pouring oil on a fire. Imagine the extra amount of publicity their idiotic security would get.
I'm surprised - though perhaps not really - to see that this new data contains the CEO's e-mail. If the aim was to punish Ashley Madison (as the leak team have suggested), why not leak that first, before customer details and credit card transactions?
Attention. Get people to pay attention because the leak of customer data is personal (it'll probably affect you or someone you know), and then release the really damaging data once the press cycle has started and everybody's looking for more information.
The Snowden leak had a similar structure: it started out with PRISM (which affected every American, and caused widespread indignation), then Snowden claimed responsibility (trying to get out ahead of official government investigations, putting a human face on the leaker and controlling the messaging), and then they followed up with a number of even more damaging leaks (eg. MUSCULAR, the Merkel cables, etc.) once they had the world's attention.
There is an older discussion on HN on these topics. Think again what the site really was: probably 95% of visitors were men. That means that maybe 18 from 20 didn't find a "match"? Moreover, somebody mentioned that there were fake female profiles. Reduce the number of successful "matches." Most of the visitors probably didn't do anything. "But they intended!" can somebody say "and that is enough." Well then think again. How many weren't actually in relation but expected to get the "match" easier on the site where potential (not actual!) members aren't prepared to the long-term bind to the "matched" partner. Etc.
Do you still consider all these poor dastards as the big "sinners?" Which percentage of the persons on the lists "deserve" anybody's "wrath"? Do you really want to condemn everyone? Does that match your moral values? You can even ask how many of these hopeful to "do something" actually didn't do anything exactly because they tried to use the given site instead of, like, approach somebody who they knew in the physical world and who would respond, so maybe even the site existence was a "net positive" considering the happened and "intended" number of "immoral" acts?
1. Not all users of the site were married/in a relationship.
2. Signing up for a site like this isn't an admission of wanting to commit adultery.
3. There is/was no email verification, so anyone can sign up using any email address they choose.
4. Not all users of this site were in monogamous relationships i.e. swingers.
I don't condone AM's business model, but there are many details that aren't known that simply having one's email in the database doesn't equate to actually hurting others.
> It's hard to feel too bad for the victims of these attacks
That's only if you assume the victims are people with membership on the site. Think about the people that might have moved on, reconciled, or otherwise have already dealt with it. The people that might only be related.
Imagine being the wife or husband of someone on this site, and having already dealt with this in private. Now suddenly it's out there for everyone to see. Your privacy has now been violated. Now you have to deal with this all over again.
Imagine being the child of one of these members. Now you have to deal with the stigma of that hanging over your head. Being teased and mocked.
I can't imagine not feeling bad for the victims of this attack, and I hope the perpetrators are caught. Their actions were reckless, and will hurt a lot of people who were not even involved.
Yeah, you certainly don't have to feel bad for the victims, but we should all question whether the hackers are producing an overall net positive effect.
You don't have to feel bad for the victims - what they did was immoral, after all. But it wasn't illegal. And if we start cheering for moral brigades to leak data about perfectly legal actions, things get dark quickly.
Imagine a patient list for an abortion clinic. Now, I don't think abortion is immoral. But plenty of people do. And you can bet they'd absolutely leak that information, which could also ruin lives.
[+] [-] wanderfowl|10 years ago|reply
[+] [-] tzs|10 years ago|reply
From their [terms and conditions](https://www.ashleymadison.com/app/public/tandc.p?c=1) that you have to agree to:
[+] [-] nota_bene|10 years ago|reply
[+] [-] xlm1717|10 years ago|reply
[+] [-] rayiner|10 years ago|reply
[+] [-] victor9000|10 years ago|reply
[+] [-] skhatri11|10 years ago|reply
[+] [-] matheweis|10 years ago|reply
[+] [-] nickysielicki|10 years ago|reply
[+] [-] soylentcola|10 years ago|reply
[+] [-] e40|10 years ago|reply
[+] [-] fweespeech|10 years ago|reply
[+] [-] untog|10 years ago|reply
[+] [-] nostrademons|10 years ago|reply
[+] [-] rjurney|10 years ago|reply
[+] [-] acqq|10 years ago|reply
[+] [-] balls187|10 years ago|reply
[+] [-] jasonlotito|10 years ago|reply
[+] [-] meritt|10 years ago|reply
[+] [-] cli|10 years ago|reply
[+] [-] DarkTree|10 years ago|reply
[+] [-] untog|10 years ago|reply
Imagine a patient list for an abortion clinic. Now, I don't think abortion is immoral. But plenty of people do. And you can bet they'd absolutely leak that information, which could also ruin lives.
Basically, this is not a great precedent to set.