You probably remember the giant data breach of AshleyMadison.com, the pro-infidelity website offering a service for “discreet” hook-ups between cheaters.
News of the mega-hack, and subsequent exposure of the private profile information, including names, email addresses and sexual fantasies of nearly 40 million users, was everywhere in the media (including here at Naked Security).
The July 2015 data breach was a public relations disaster for Ashley Madison’s parent company, Avid Life Media (ALM), and a living nightmare for millions of philanderers, including some who were victims of extortion.
In the immediate aftermath of the Ashley Madison data dumps, ALM said it had put “stringent security measures in place.”
Well, it’s been about six months since the breach, so it feels like a good time to check on how Ashley Madison is doing.
To investigate, I signed up for an account under a pseudonym and using a throw-away email address. (In case you’re wondering, I’m happily married and have never used the site for its intended purpose).
What I discovered didn’t convince me that Ashley Madison is as “discreet” as it claims to be.
The first warning sign: I didn’t have to verify my email address (known as double opt-in) – I was able to log in right away, without getting a confirmation link via email, meaning I could have used someone else’s email address to sign up for an account.
I emailed Ashley Madison customer service to ask why they don’t require email verification and I got this response:
Dear Member,
Thank you for taking the time to email us.
Please note that we do not require email verification since the nature of site requires discretion.
If there is anything further we may assist you with, please do not hesitate to contact us.
Sincerely,
Customer Service
Absurdly, despite the “discretion” excuse for lack of double-opt in, I also received an automated email welcoming me to Ashley Madison, which included this message:
Welcome to AshleyMadison.com. With over 43 million members, we have thousands of women in your city who are in the exact same situation as you and looking to have a discreet affair.
Our service is 100% Secure, Anonymous and NOW GUARANTEED so you can meet women right now in absolute confidence. Remember, as a Guest Member it’s FREE to view profiles, share photos and send ‘winks’.
On top of the promise of “100% Secure” service (with “guaranteed” affairs), the welcome email claimed that Ashley Madison’s services are “certified zero risk.”
Bold statements.
How can the company make such claims?
Is it because of privacy enhancing “features,” like the one at sign-up allowing you to add a mask to your profile photo?
Some users might find comfort in this feature, but I sure wouldn’t count on it for protecting my identity.
I went looking for answers in Ashley Madison’s terms of service and privacy policy, as well as the FAQ under Help.
The FAQ includes the question “Will you give out my private info to marketing companies?” and offers this response:
We do NOT sell, rent or give away our member’s personal email addresses or other personal information to any third party company under any circumstance.
For more information about our Privacy Policy, please click on ‘Privacy Policy’ on the link provided at the bottom of any page.
Ashley Madison won’t sell my personal information? That’s a relief.
But when I checked out the privacy policy (which hasn’t been updated since 22 August 2011), I found out that Ashley Madison reserves the right to sell your personally identifiable information (PII) to third parties, unless you opt out:
Unless you opt out, we may share PII about our users sometimes in connection with Non-PII with service providers that may be associated with us to perform functions on our behalf. In addition, unless you opt out, from time to time we may share and/or sell PII about our users (such as your mailing or email addresses) with selected third parties, so they can offer goods and services that we believe may be of interest or benefit to our users. If you prefer not to receive messages from these third parties you may notify us by opting out at any time by going to the “Manage Profile” or “Message Center” sections of your Ad Profile as described more fully below. [emphasis mine]
Not only that, but the privacy policy says Ashley Madison may sell your PII in the event of a sale or merger of the company.
Getting a little bit more suspicious, I started reading through the lengthy terms of service agreement, and that’s where I found the answer.
The reason Ashley Madison can make claims that its service is “100% secure” and “certified zero risk” is because the company disclaims any guarantees or warranties that it otherwise makes, including those promises of security and discretion:
We do not warrant that (A) our service will meet your requirements; (B) our service will be uninterrupted, timely, secure, or error-free; (C) any information that you may obtain on our service will be accurate or reliable; (D) the quality or reliability of any products, services, information or other material purchased or obtained by you through our service will meet your expectations; (E) any information you provide or we will collect will not be disclosed to third parties; (F) any profile on our site is accurate, up to date or authentic; (G) any material or files that you can download from the internet will be free of viruses, worms, Trojan horses or other code that may have damaging [sic]; (H) third parties will not use your confidential information in an unauthorized manner; or (I) any errors in any data or software will be corrected.
Yikes!
If you want to pursue consensual affairs, that’s your business.
But if you want privacy and discretion while you’re doing it, Ashley Madison is probably not the place for you.
Now excuse me while I delete my account.
Oh…and even though it seems like a needless pain, please get in the habit of actually reading those Terms and Conditions.
Image of AshleyMadison.com courtesy of Ashley Madison and Avid Life Media.
Tom
“Our service is 100% Secure, Anonymous and…” maybe ALM is using some kind of alternate world version of the Internet. Every time I hear “100% secure” in reference to the Internet, I wonder if there’s a tech out there that has found the “secret sauce” for securing the Internet. To be fair, you can make a computer on the Internet pretty secure, but try phishing your staff and see how many will be more than happy to verify their username and password.
Werner Strydom
So, if they don’t do the double opt-in, a malicious user can enter the email address of a rival which in turn creates the impression of an affair and cause a whole lot of trouble. Did I understand that correctly? If so, it puts many folks at risk.
Paul Ducklin
It seems that if I put in your email address, you’re a member without any further confirmation needed.
If you don’t monitor your email, you won’t even know…and if or when you do realise, then what? How will you log in to opt out, considering you were not the one who opted in?
Julius
Good posting John and great highlights on security or lack of it even after a company has experienced severe security issues..Wonder how many other organizations follow the same approach.
Rachel McPherson (@TrustRach)
Seems like Ashley Madison needs to team up with an email service that allows users to create alias email accounts so their users don’t have to provide their “real email address” when signing up. (I might know of one) Then they could implement the extra layer of security by “opting-in”, otherwise this becomes a great way to extort people. Not very “anonymous and discreet” if you’re using your real email address.