Ashley Madison could face class-action suit after massive data breach

When it comes to information online that people might want to keep private — anything from a sordid affair to an embarrassing Twilight fan-fiction blog — nothing is ever 100 per cent secure, experts say.

Online privacy can't be guaranteed, say experts, but would-be adulterers could quietly sue

Hackers claim to have compromised the information of 37 million users on, a website for people looking to have affairs. (Lee Jin-man/The Associated Press)

Several high-profile hacks, including the recent attack against Ashley Madison, a website for people looking to have an affair, have raised questions about whether online activity is ever truly private.

Ashley Madison is built around the notion of safeguarding its users' information — reflected in its signature image of a woman's pursed lips making the 'shh' sign, seemingly meant to reassure would-be adulterers that their secrets are safe.

But now, hackers say 37 million accounts have been compromised.

The company's owner, Toronto-based Avid Life Media, said Monday it has "always had the confidentiality of our customers' information foremost in our minds" but was not able to assure its users that their information is safe.

A similar website, Adult FriendFinder, was also hacked in May.

'Level of risk'

Is secret information online — from a sordid affair to an embarrassing Twilight fan-fiction blog — ever really secure?

Any time you're using a computer or giving away information of any kind, there is the risk that can be misused.-  Andrew Hilts, executive director at Open Effect

Likely not, security and privacy experts say.

"What people should think about is just acceptable risk. Any time you're using a computer or giving away information of any kind, there is the risk that can be misused," says Andrew Hilts, executive director at Open Effect, a Canadian non-profit that does research on privacy and security.

"It comes down to what level of risk you're comfortable with," says Hilts.

"When payment comes into play, often credit cards are used and that's pretty inexorably tied to an identity," he adds.

Brian Bourne, co-founder of SecTor, an IT security conference, says a motivated hacker can break into any site. He estimates, based on what the hackers posted online, the Ashley Madison attack took several months or even years.

"To do what they did generally requires more skill and effort and patience," says Bourne. "So it's not a drive-by and it's not a smash and grab."

Bourne adds that hackers having long-term access to networks is "embarrassingly common."

Difficult to delete 

The Ashley Madison hackers take issue with its reported $19 charge to users for deleting their information. The hackers say the company doesn't actually delete it, a claim the company disputes.

But a security expert says it's difficult for any company to fully delete user information.

Robert Beggs, a manager for technical security at Pricewaterhousecoopers, says information on even a simple website's database can easily end up in multiple places, such as test and backup databases, or with marketers.

Compounding the issue is that many companies don't know where the information on their database goes, or even sometimes where it's stored.

"So when you say, 'Ashley Madison, remove this data,' it will exist in multiple forms," says Beggs.

Beggs says it's reasonable to expect that any profile information on a site like Ashley Madison would be removed, but a user's credit card information legally has to be kept on file for up to seven years, which can be linked to a person's name.

Class-action lawsuit?

Privacy lawyer David Fraser says companies are not required to guarantee the safety of information they collect. But they do have to implement commensurate safeguards. 

"Canadian privacy laws are more principles-based than anything else — how in fact they apply is sometimes a matter of opinion," he says.

Fraser expects a big fallout for Ashley Madison, though the possibility of individual lawsuits isn't likely to pay off for the user, he says.

"Courts haven't taken privacy breaches to be associated with a high level of damages. So unless you can point to financial loss, the damages a court would award for hurt feelings or anxiety are not particularly high and almost would never make it worth your while in light of legal fees," says Fraser.

He says a massive class-action lawsuit is more likely if hackers publicize users' information, because the damages would be higher if more people are affected.

"A large number of people probably find the Ashley Madison site personally repugnant and problematic, but I don't think the law would make that distinction," says Fraser. "Regardless of the morality, privacy is about individuals being able to make choices about how their information is collected, used or disclosed."

Fraser says it would be a different story if the site encouraged illegal activity, but affairs are well within the confines of Canadian law.

He adds there is a precedent in Canadian law for protecting class-action participants' identities; so users of the site wouldn't necessarily "out" themselves if they took part.

Simple precautions

Hilts, at Open Effect, says if people want to keep their online behaviour away from prying eyes, there are certain steps they can take.

He suggests creating a throwaway email, using pseudonyms, and to avoid paying online with a credit card. He also suggests using browsers in "incognito" mode or deleting internet search histories.

But at the end of the day, online activity can always be dragged into the bright light of day.

"With every decision you make, decide that if the site loses control of this information, would anyone have information that I'd be upset to have public?" says Hilts.

With files from Canadian Press