Part 3 – Lessons from the Ashley Madison Privacy Investigation

In Part 1 and Part 2 of these updates, we have explored a number of Privacy Act related issues that were identified by the Acting Australian Information Commissioner and Privacy Commissioner of Canada (Privacy Commissioners) during their investigation of the Ashley Madison data breach. A lot of discussion about the Ashley Madison hack has focused on privacy compliance issues and the data breach itself.

In our last update on the Ashley Madison Privacy Investigation, we will discuss the issue of misleading or deceptive conduct in the context of the data security claims made by Ashley Madison. While this issue was not directly addressed in the Privacy Commissioners’ report, we thought it would be worthwhile to briefly look at the issue.

Ashley Madison’s security claims

The Ashley Madison website included a series of security trust-marks on its front page prior to the data breach.

The trust-marks found on the Ashley Madison website are set out in Figure 1.

Figure 1: Trust-marks¹

The trust-marks were also used with a statement that the website offered a ‘100% discreet service’.

The Privacy Commissioners considered the use of the trust-marks and the statement by ALM on its website conveyed a general impression to individuals that the site held a high standard of security and discretion and that an individual could rely on these assurances. The Privacy Commissioners concluded that ALM’s representations about the level of security of the Ashley Madison website could have been material to a person’s decision of whether or not to use the site.

As it turned out, the ‘trusted security award’ trust mark was ALM’s own fabricated award, designed to ‘deliberately foster a false general impression among prospective users’ that ALM’s information security practices were deemed high quality by an independent third party.² Since the data breach, ALM has removed the ‘trusted security award’ and ‘100% discrete service’ trust mark from the Ashley Madison website.

Misleading or deceptive conduct

The Privacy Commissioners’ findings about ALM’s use of the trust-marks and service statement raise interesting and broader consumer law issues.

The investigation report did not consider whether the use of the trust-marks and service statement by ALM constituted misleading or deceptive conduct. However, as there was a finding that one of the trust-marks used by ALM was fabricated and intended to mislead users and the online service provided by ALM arguably fell well short of a ‘100% discrete service’ it is arguable that ALM also engaged in misleading or deceptive conduct and contravened section 18 of the Australian Consumer Law.

ALM included a statement in its Terms of Service that security or privacy information could not be guaranteed, and if users accessed or transmitted any content through the use of the Ashley Madison services, they did so at their own discretion and at their sole risk. The Privacy Commissioners took the view that this type of statement cannot absolve ALM of its legal obligations under the Privacy Act. A similar view is likely to be taken by the Australian Competition and Consumer Commission in the context of non-compliance with the Australian Consumer Law.

It is worth noting that many provisions of the Australian Consumer Law (including the misleading and deceptive conduct provisions) are likely to apply to conduct by overseas companies that supply services to Australian customers, including where those services are supplied on-line.

It is interesting to note ALM is reportedly facing investigation by the United States Federal Trade Commission (FTA). However, reports suggest FTA ‘s investigation is focused on ALM’s use of bots (sometimes known as fembots) that are computer programs used to impersonate real women to strike up conversations with paying male customers. It remains to be seen whether the investigation will focus on the misleading security statements made by ALM on its website.

Overall conclusions

The investigation report released by the Privacy Commissioners concerning the Ashley Madison data breach highlights the importance and benefits to organisations of proactive Privacy Act compliance.

Proactive privacy compliance is especially important for organisations that hold sensitive information that, if compromised and disclosed in an unauthorised manner, could have severe and harmful impacts on affected individuals.

¹Image taken from the Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner and Acting Australian Information Commissioner, p 13.
²Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner and Acting Australian Information Commissioner, p 39.