The hacker or hackers responsible for the Ashley Madison data breach could face a shopping cart of charges. But first the police must identify and arrest them.
In the meantime, adultery-promoting website AshleyMadison.com and parent company Avid Life Media are themselves the targets of legal action.
Much depends on what actually happened and will happen in the case, but for now the most probable charges include extortion, theft and mischief to property.
On Monday, Toronto police said two unconfirmed suicides are linked to the breach. Prominent criminal lawyer Michael Lacy says even if those deaths are confirmed, no charges in Canada against the so-called Impact Team hackers as a result of those possible suicides are likely.
The Canadian Criminal Code Section 241 covers the offence of counselling or aiding suicide, but Lacy says it requires actively encouraging or suggesting someone kill themselves, which doesn't seem to be the case in this situation.
"It requires more than simply putting something out there that causes someone to believe that they have no choice but to take their own life," he says.
- Ashley Madison hack: Q&A with the Toronto police investigator on the case
- Who is at risk in the Ashley Madison data dump?
Possible charges against the hackers
Lacy anticipates a long and complex investigation before police can get to the point of laying charges. Deciding which charges to lay, and where, may also be complicated.
Lacy says under Canadian law, the perpetrators could be charged with:
- Theft, because of the proprietary interest in the data;
- Mischief to property, which applies if someone "obstructs, interrupts or interferes with the lawful use, enjoyment or operation of property," states the Criminal Code;
- Mischief in relation to computer data, a separate charge;
- Extortion, given the demand from Impact Team that Avid Life Media "take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails."
- Criminal harassment, "depending on the way in which it's been leaked or published," Lacy says;
Not only in Canada
Data has been released about alleged Ashley Madison members from around the world, so charges could be laid in almost any country, under that country's laws, which could include the above charges and others. It's possible some jurisdiction will have laws that could even apply in the alleged suicides.
American. prosecutors have taken a keen interest in the Ashley Madison case and in the U.S., Lacy says, "laws are likely more robust when it comes to offences arising from this kind of thing."
Karen Eltis, a University of Ottawa professor who specializes in internet law and privacy law, points out that it's not only federal law in the U.S. that matters, but especially state laws. She says that for financial crimes and extortion, states formulate their laws differently, so charges could depend on what state, and what country, victims are from.
Where the alleged offenders were when they carried out the alleged offences will also matter.
If the police ascertain the identity of the perpetrators, the police forces involved decide on the most appropriate jurisdiction for prosecution. Lacy says that will be based upon "the likely connection to the jurisdiction, the applicable law that would apply, and who has the most robust legal framework to prosecute an offence like this."
Both Lacy and Eltis say Canada is somewhat behind other countries when it comes to internet offences like the ones in this case.
Litigation against Ashley Madison
Eltis says that also applies to privacy law, and in Canada the privacy commissioner has fewer teeth and more of a watchdog role than some other jurisdictions.
She says that in the U.S., privacy law depends on the economic or social sector in which an alleged offence occurs and what the harms are. For example, California and other states require customers get notified about a data breach.
Based on what the company and the police have made public, neither Eltis nor Lacy say they see any basis for criminal charges against Ashley Madison and its owners. Lacy says although there's no suggestion of criminal wrongdoing, "If there was some suggestion that they tried to cover up the offence or something like that, that would lead down a different path," possibly concealment of an indictable offence.
Ashley Madison is already facing civil lawsuits brought by its customers, including a $760 million national class action led by Canadian firms Charney Lawyers and Sutts, Strosberg LLP.
Eltis say the emphasis on civil litigation against Ashley Madison largely results from the hackers' current anonymity, and from the website "priding itself on being airtight in terms of privacy." She says a guarantee of privacy will probably be a factor in any civil litigation because customers rely upon that guarantee, obligating a company to meet it.
Anonymity and class actions
A potential problem in these kinds of class actions, Eltis notes, is that "seeking justice requires a second privacy invasion" when the victims are identified as part of the legal process.
While some commentators say such class actions are rarely successful because individuals will be reticent to come forward, given the potential embarrassment, Eltis says a 2012 Supreme Court of Canada decision in a cyberbullying case could change that for Ashley Madison's customers.
In A.B. vs. Bragg Communications, the court granted anonymity in a case involving a fake and offensive Facebook profile of a 12-year-old Nova Scotia girl who was seeking the real identity of the profile author from an internet service provider owned by Bragg.
Recognizing the further harm caused to child victims who come forward in cyberbullying cases, which would normally reveal their identity, the court unanimously ruled that there was "sufficiently compelling" grounds for such victims to remain anonymous.
Although the 2012 ruling applies to children, Eltis says courts could extend that approach to cases like Ashley Madison, giving that the website targets married people seeking affairs. "The Supreme Court didn't rule out extending that logic," Eltis says.
For the website members who used their work email when joining, or used their workplace computers to access the website, there are also potential problems, depending on their employer's policies. The data dump by the hackers suggests both happened frequently.