By Raffaella Rullo, Mouna Hanna and Ben Flanagan
OVERVIEW
Netflix’s recent documentary, “Ashley Madison: Sex, Lies & Scandal”, brings us a chilling reminder that privacy and cybersecurity concerns that plagued organizations in 2015 remain just as relevant today.
Launched in 2002, Ashley Madison is an online dating service targeted towards married people looking to have affairs. In 2015/2016, it was the largest website owned and operated by Toronto-based company, Avid Life Media (“ALM”), which had global reach, with users in over 50 countries. Today, it boasts “more than 80 million sign-ups since 2002 and hundreds of thousands of new members monthly.” [1]
In July 2015, ALM was hacked by a person or group identifying itself as the “Impact Team” with a demand that ALM shut down Ashley Madison. After ALM refused, the Impact Team published information it claimed to have stolen from ALM, including the personal information of over 36 million Ashley Madison users.
Given the scale of the breach and the sensitive personal information involved, the Office of the Privacy Commissioner of Canada (the “OPC”) and the Office of the Australian Information Commissioner (together with the OPC, the “Commissioners”) jointly investigated ALM’s privacy practices, among other things. The joint investigation was conducted in accordance with the Australian Privacy Act 1988 (Australian Privacy Act) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). The findings of the joint investigation were synthesized into a report which was published on August 22, 2016 (the “Report”).
Eight years later, the Report continues to provide valuable insight into what is considered reasonable security under PIPEDA and is an excellent reminder to companies doing business in Canada to ensure they are compliant.
BACKGROUND ON THE DATA BREACH
ALM was a private company incorporated in Canada with its headquarters in Toronto, Ontario. It operated several adult dating websites, the most visited of which was Ashley Madison. At the time of the breach, Ashley Madison hosted over 36 million users and earned more than $100 million in annual revenue.
On July 12, 2015, ALM’s information technology employees detected unusual behaviour in ALM’s database management system. The following day, a notice purportedly from the hacker, the Impact Team, appeared on computers used by ALM customer service employees. The notice stated that ALM had been hacked, and threatened to publish stolen data if Ashley Madison along with another ALM dating website were not shut down.
ALM did not give in to the Impact Team’s threat. As a result, on August 18 and 20, 2015, the hacker published a large number of ALM files containing highly sensitive profile information (user names, addresses, passwords, phone numbers, the types of experiences they were looking for on the site, gender, height, weight, ethnicity, body type); account information used to facilitate access to the Ashley Madison service (e-mail addresses, security questions, hashed passwords); and billing information (billing addresses and the last four digits of credit card numbers); in addition to ALM internal documents and the CEO’s private e-mail messages.
CANADIAN PRIVACY LEGISLATION
Canadian companies can be subject to several different privacy statutes. In the case of ALM, the applicable legislation was PIPEDA.
PIPEDA is the federal privacy legislation for private-sector organizations in Canada. It applies to the collection, use or disclosure of personal information in the course of commercial activity. Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. PIPEDA sets out 10 fair information principles to protect personal information, many of which are considered and discussed in the Report.
ALM LACKED REASONABLE SECURITY POLICIES AND SAFEGUARDS
The investigation found that ALM’s security framework was lacking in three key elements:
- Documented security policies or practices;
- Explicit risk management process (including periodic and proactive assessments of privacy threats and evaluation of security practices); and
- Adequate training of staff to ensure that privacy and security obligations were carried out appropriately.
Given the nature of the personal information collected by ALM and the type of services it was offering, the level of security safeguards should have been “commensurately high” in accordance with PIPEDA’s Principle 4.7. The investigation concluded that ALM did not have appropriate safeguards in place considering the sensitivity of the personal information at play.
The Commissioners also found that the appropriate security practices, procedures and systems were seriously lacking, in contravention of PIPEDA Principle 4.1.4, including the following:
- No documented information security policies or practices for managing network permissions;
- ALM had not implemented a number of commonly used detective countermeasures that could facilitate detection of attacks or identify anomalies indicative of security concerns (i.e. ALM failed to monitor unusual logins);
- ALM had not implemented an intrusion detection system or prevention system;
- No security information and event management system in place, or data loss prevention monitoring;
- Substandard monitoring of VPN logins that could detect unusual login behaviour; and
- No documented risk management framework guiding ALM on how it could determine what security measures would be appropriate for the heightened privacy risks.
The investigation identified specific weaknesses in ALM’s security measures including single-factor authentication and poor key and password management practices. For example, instances of storage of passwords as plain, clearly identifiable text in emails and text files were found on ALM’s systems. These weaknesses also individually and collectively constituted failures to “take reasonable steps to implement appropriate security safeguards in the specific circumstances”, according to the Report.
INDEFINITE RETENTION AND THE “HIGH BAR” FOR PAID DELETION OF USER ACCOUNTS
PIPEDA Principle 4.5 requires that information be retained only as long as necessary for the fulfillment of the purposes for which it was collected. The Report found that ALM was in contravention of PIPEDA by retaining personal information from deactivated accounts for an indefinite period of time. Similarly, ALM was in contravention of PIPEDA by failing to establish maximum retention periods for user information associated with inactive user accounts.
Regarding deleted accounts, the Report found that ALM was able to provide a clear purpose for retention (prevention of fraudulent chargebacks, which was a demonstrated issue for the company), and to connect its retention schedule to this purpose. However, the Report also found that photos from deleted accounts were retained in error beyond the period of time specified by ALM, constituting a contravention of PIPEDA.
The Report found that ALM was charging users a fee for a “full delete” of their profile information (at the time of the breach, ALM charged C$19 for the complete deletion of an account). While PIPEDA is silent on whether a fee can be charged for deletion, the Report suggests that there is a higher bar for the imposition of such a barrier to the exercise of an individual’s privacy rights.
ALM’S FAILURE TO VERIFY EMAIL ADDRESSES
The Commissioners also found that ALM failed to ensure that the personal information it held was accurate, complete and up-to-date as is necessary for the purposes for which it is to be used, in contravention of PIPEDA Principle 4.6. ALM confirmed that it did not verify email addresses provided by users in order to protect users’ anonymity vis-à-vis other users. After signing up, users received a welcome email to the address provided. The welcome email contained a note in the footer that an individual could contact ALM if the email had been sent to them erroneously. ALM explained that it would override inaccurate email addresses and deactivate the associated accounts if and when it was contacted by the real owner of the email address. ALM admitted, however, that it was aware that some users were submitting false email addresses.
The Report determined that the welcome email footer was an insufficient method to address accuracy concerns relating to email addresses of non-users being inaccurately associated with Ashley Madison. This approach placed the onus on the non-user to proactively respond to an unsolicited email, a practice which should generally be avoided.
Lastly, to reduce the inaccuracy of email addresses held by ALM, the Report suggested that the email address field during user sign-up be made optional. According to the Commissioners, this would largely “reduce the incentive and likelihood for users to provide false information, thereby reducing the serious privacy risks for non-users.”
LACK OF TRANSPARENCY WITH USERS AND RESULTING CONSENT ISSUES
The investigation found that ALM made several false or misleading statements about its privacy practices. For example, ALM’s home page at the time displayed a fabricated trust-mark in the form of a “Trusted Security” icon. ALM’s Privacy Policy and Terms and conditions also included unclear and inconsistent terms regarding the deletion of user information. In this context, ALM did not meet its obligations under PIPEDA Principle 4.8.1 to be open about its policies and practices with respect to the management of personal information, and to make that information available in a form that is generally understandable.
ALM’s failure to be open about personal information handling practices also called into question the validity of consent it obtained from its users. Section 6.1 of PIPEDA states that consent is only valid if it is reasonable to expect that an individual would understand the nature, purposes and consequences of the collection, use or disclosure of personal information to which they are consenting. Principle 4.3.5 states that consent shall not be obtained through deception. The investigation ultimately concluded, for the reasons discussed above, that consent obtained by ALM was not valid and therefore contravened PIPEDA Section 6.1 and Principle 4.3.
TAKEAWAYS
The investigation articulated some broadly-applicable takeaways regarding PIPEDA and information governance requirements. Specifically, organizations should turn their attention to the following:
- Sensitivity of Data: Organizations need to be mindful of the sensitivity of the personal information they are collecting, using and disclosing, and the corresponding required level of safeguards under PIPEDA;
- Meaningful and Informed Consent: Organizations must ensure they are obtaining appropriate informed consent from individuals, which considers whether the individual truly understands the nature, purpose and consequence of the collection, use and disclosure of personal information to which they are consenting;
- Documented Information Security Frameworks: Organizations should adopt clear and appropriate processes, procedures and systems to handle information security risks;
- Explicit Risk Management Processes: Organizations should also conduct meaningful assessments of the required level of safeguards for any given personal information;
- Adequate Training: Organizations should administer role-specific data security training for all staff, among other training;
- Strong Security Measures: These include multi-factor authentication and robust key and password management practices, including not storing authentication materials on shared network drives and ensuring that internal systems with access to administrative functions are themselves sufficiently protected in situations where sensitive personal information is collected, used or disclosed;
- Reasonable Retention Practices: PIPEDA requires that personal information only be retained as long as necessary to fulfill the purpose for which it was collected. Personal information that is no longer required must be destroyed, erased or made anonymous. Organizations should be mindful of these requirements when developing guidelines that include minimum and maximum retention periods for personal information;
- Ensure the Accuracy of Information Collected: To be compliant with PIPEDA, organizations are required to verify the accuracy of information collected as is necessary for the purposes for which it is to be used; and
- Ensure the Veracity of Information Shared: False or misleading statements may impact the validity of a user’s consent to the sharing/disclosure of their personal information. As a result, organizations should guarantee the accuracy of any information shared regarding their security credentials.
For further information or advice on compliance with PIPEDA or other Canadian privacy laws, contact Whitelaw Twining’s Cyber, Privacy & Data Protection Group.