FYI.

This story is over 5 years old.

Ashley Madison Targeted by Class-Action Lawsuit in Canada Over Privacy Breach

The hack has unleashed a voyeuristic spectacle and sparked public shaming, even as the potentially devastating consequences of exposing private details come into focus.
August 21, 2015, 6:50pm
Photo via Ashley Madison

A disabled widower from Canada's capital city has stepped forward to be the face of a class action lawsuit against AshleyMadison.com, as the fallout continues for the hacked online dating site that facilitates infidelity among married people.

Eliot Shore, an Ottawa resident who joined the website for a short time in search of companionship that he never found after his wife of 30 years died of breast cancer, is the plaintiff in a proposed $760-million suit filed this week in Ontario against Avid Life Media (ALM), Ashley Madison's parent company, and Avid Life Dating, a subsidiary that runs the website.

The legal action, which still requires certification, alleges that the privacy of many thousands of Canadians was breached in July when hackers infiltrated Ashley Madison and downloaded private information from the site, including personal names, emails, home addresses, and message history. The website, which bills itself as "the most famous name in infidelity and married dating", purports to have some 39 million members worldwide, although there's no telling how many of those are bogus accounts.

Related: The Hacked Ashley Madison Data Is Now Public and Apparently Legitimate

Hactivists identifying themselves as the Impact Team posted nearly 10 gigabytes of users' information online on Tuesday, including partial credit card numbers and transaction details, passwords, and physical descriptions, which was followed by another data dump on Thursday.

The hackers said that the break-in was motivated by ALM's dubious privacy policies and questionable business practices. They released a manifesto threatening to release the info if the site wasn't taken down. The Impact Team called the company's "full delete" feature a profitable scam, accusing the company of keeping the purchase details, names, and addresses of customers after they had paid $19 to have their information completely erased.

"Full Delete netted ALM $1.7 million in revenue in 2014," the manifesto read. "It's also a complete lie."

"I haven't been on the site in a long, long time," an Ontario man who lives in Mississauga told the Toronto Sun after hackers released his info in July to show that the material it had was genuine. He claimed that he never actually used it to cheat on his wife of 20 years, and said that he had paid to have his personal data erased from the site. It appeared that the company had evidently kept his information in some form despite his having paid for the full delete service.

The hack has unleashed a voyeuristic spectacle and sparked public shaming, even as the potentially devastating consequences of exposing extremely private details about sexual preferences comes into focus.

"Numerous former users of AshleyMadison.com have approached the law firms to inquire about their privacy rights under Canadian law," the law firms Charney Lawyers and Sutts, Strosberg LLP said in a statement. "They are outraged that AshleyMadison.com failed to protect its users' information. In many cases, the users paid an additional fee for the website to remove all of their user data, only to discover that the information was left intact and exposed."

The lawyer Ted Charney told VICE News that roughly 100 people have expressed interest in joining the class action, although only Shore, who said he never met anyone in person from the website, has agreed to be named. Charney said this is the sort of case where the violation is so "egregious" that everyone wants to join, though they don't want to be "outed."

He noted that anyone who registers with the class action — which is limited to Canadian customers — will remain anonymous.

Related: How the Ashley Madison Hack Could Threaten People's Lives

The Impact Team has not been sued. "We've got bigger fish to fry and other priorities at this stage," said Charney.

On Thursday, a cyber-security company that is investigating the Ashley Madison hack told the Canadian Press that the massive data breach can't be used to prove the infidelity of its customers, noting that it doesn't check email addresses in order to ensure that no account can be conclusively linked with a specific person. The company also said that Ashley Madison does not collect phone numbers or store full credit-card numbers.

"Regardless of the nature of the content, our customers, this company, and its employees are all exercising their legal and individual rights, and all deserve the ability to do so unhindered by outside interference, vigilantism, selective moralizing and judgment," ALM said in a Thursday statement sent to VICE News. "The individual or individuals who are responsible for this straightforward case of theft should be held accountable to the fullest extent of international law," it said, adding that it's working with the FBI, the Royal Canadian Mounted Police, the Ontario Provincial Police, and the Toronto Police to nab the culprits.

Charney said that if Ashley Madison thinks its clients cannot be identified, "they're dreaming in Technicolor."

The question will be whether or not a court thinks Ashley Madison did enough to protect its customers.

"This sort of stuff is among the most sensitive information that we have," David Fraser, an internet, technology, and privacy lawyer based in Halifax, told VICE News. "If my doctor were to leave my medical file on a park bench, I would be less upset than if I was a customer of Ashley Madison — which, for the record, I am not."

Still, he believes the class action faces "a bit of a challenge," since the online dating site put terms of use for their service in place that he described as "decidedly consumer unfriendly," and which "completely covered their butt."

The marital cheating site's promotional image of a woman raising a neatly manicured finger to her lips might suggest discretion, but according to Fraser, Ashley Madison's fine print essentially says, "We're not making any promises that we're going to keep your information safe."

"There is no such thing as perfect security," he remarked. "You cannot operate an online service with 100 percent certainty that nothing will go wrong. Did they take reasonable measures in the circumstance to protect their customer data? It may well be that they did everything that your bank does, hit the standard — and a little above it."

There may even be legal wrangling over whether or not this can be a class action at all, he added, because Ashley Madison's terms also preclude customers from filing such suits. Consumer protection legislation in Ontario, however, protects the ability of people to do so.

Then there are other practical considerations. "The rumblings are going to be whether Ashley Madison is really worth the billion dollars they claim to be worth," said Charney. "We're significantly concerned about their ability to compensate the class."

The matter of Ashley Madison's legal liability in the disclosure of this information is just getting into gear. The Associated Press reported that another lawsuit seeking class action status was filed in the United States by a woman in St. Louis, Missouri, days after the breach became public. She said she had also paid the website a $19 fee to permanently delete her information.

Follow Natalie Alcoba on Twitter: @nataliealcoba