When 9.7 gigabytes of Ashley Madison user data was leaked across the web last month, the immediate question for affected users boiled down to how they would explain themselves to their significant others. Some users even frantically posted requests for hackers on Craigslist and other message boards, and also confided in Troy Hunt, a security researcher, hoping to somehow expunge their record.
"Unfortunately that's simply not possible–once information has been sufficiently socialised and redistributed (which the Ashley Madison data has certainly been), the exposure is irretrievable," Hunt wrote in a blog post about the leak. "At this point it is better to focus on damage control–consider the impact of your Ashley Madison membership being known by everyone and what actions you might take in order to minimise the impact (i.e., discussing it with a spouse)."
For more digital forms of damage control, users have another option, if they can afford it: online reputation management.
As the principle of "right to be forgotten" has spread across Europe, reputation management firms have adopted the reverse approach to cleaning up one's online record: trying to drown out the negative stuff by flooding the internet with positive content.
It's not clear if Reputation.com or KBSD, two large reputation management firms, are assisting users affected by the Ashley Madison leak; neither company would say. But Rich Matta, general manager of the consumer division at Reputation.com, says his firm usually sees a surge of interest in online reputation management, or ORM, following any significant hack. In the past 24 months, he says, the firm has fielded inquiries surrounding data breaches carried out against Target, Anthem and the Office of Personnel Management, in addition to typical requests from individuals and small businesses seeking to improve their online reputations.
"As the volume of online attacks and data breaches has proliferated, there has been a similar surge of interest and growth in the ORM industry," says Matta.
The industry began around 2006 in the US, and has since mushroomed alongside a steady increase in hacks and leaks. Media consultant BIA/Kelsey expects that small and medium sized businesses, hoping to burnish their reputations on review-based websites like Yelp and TripAdvisor—will spend more than $5 billion on reputation management this year, up from $1.7 billion in 2011. (That number doesn't include larger companies and individuals seeking to improve their public image.) In the hospitality industry, online reputation management is now considered essential, and is even the subject of a track at Cornell's hotel management school.
"Assuming the leak is real, some people could face the death penalty"
Meanwhile, "personal branding" companies help individuals who are trying to hide embarrassing details. The New York-based startup BrandYourself offers a $100 per year reputation "alert" service, and, for $299 per month, a "concierge" who can help you craft positive blogs, websites and social media. Reputation.com, which claims to be the first and largest online reputation management company, says its rates are priced on an individual basis, but its top shelf service costs $15,000 annually, according to AdWeek.
But in the case of some leaks—like the Ashley Madison data—online reputation can be a life or death issue. "In addition to ruining relationships, it is important to remember that infidelity is adultery and is still prosecuted in some countries, and assuming the leak is real, some people could face the death penalty," says Isaac Phillips of KBSD, a Switzerland-based reputation management firm that works with corporations, governments, and high net-worth individuals. (In addition to adultery, being outed as gay could also mean death in certain countries.)
Matta, at Reputation.com, worries that present and future employers could conceivably execute a search of the Ashley Madison data to see if company emails were used in the violation of internal policy.
The revelations could also sway potential employers. It's estimated that 75 percent of HR executives research job applicants online, and 70 percent report having found something that's caused them to reject a candidate, according to studies by Harris Interactive and Cross-Tab Marketing.
"Another scenario which is possible, though less likely at scale: colleagues might search to see if anyone they know is on the list," says Matta. "And identity thieves will find the Ashley Madison information to be a rich and useful data source, as they do in all large hacks and data leaks."
How to Burnish (or Bury) a Damaged Reputation
If an Ashley Madison user contacted an online reputation manager asking for help, what exactly would they recommend?
Any good online reputation strategy is multi-pronged, says Matta, and not limited to the surface web or even the digital realm. First of all, it's useful to assume that if information is published on the Web, it is going to be found by a determined hacker or other interested party—if they're looking.
But Matta says that even with the leaked Ashley Madison data out in the digital ether, an individual can still benefit from privacy services after-the-fact. These, he says, help disassociate one's true identity from the hacked information.
For example, if an individual used a particular email address to sign up for Ashley Madison—or Target, for that matter—that email address is connected to a number of other elements of their identity. This web of identity connections involves dozens of people-search sites and data brokers who share people's personal information online.
"On its own, a hacked email address usually isn't sufficient to know who you are or compromise your identity," Matta says. "But when it can be used to look up all the rest of an individual's personal information online—addresses, phone numbers, relatives, and more—that individual becomes highly vulnerable.
"Privacy services," another term for online reputation management, "can significantly reduce this vulnerability by removing personal information from these various online sources, thereby disassociating the individual from the hacked information."
Phillips says that if KBSD were working for Ashley Madison clients, their actions would depend on the specific case. But, first of all, they would help users send takedown notices to every platform and publication that links to the data.
Next, Matta says, it would be wise for unmasked Ashley Madison users to amplify the rest of their online presence. This could mean anything from being more active on all major social media sites to creating a personal website that focuses on professional achievements. Regular blogging on neutral topics of personal interest is another useful option.
"Remember: we're already seeing instances where people have the same name as a user, or signed up using someone else's name, just were curious and exploring, and so on," Matta says. "These people especially should try to mitigate any fallout."
When the files were released on August 18, a Torrent was distributed from an .onion dark web node. At that point, Phillips says, it was already impossible to completely stop and delete. But if an Ashley Madison user had engaged KBSD on August 18, Phillips says the company might have considered creating fake or modified dumps of data, then distributing these links through Tor, as well as on social media, Reddit, 8chan and other platforms.
"Simultaneously, we might have begun working PR: getting experts to write opinions about how the data is fake, modified, or unreliable and then distributing these expert opinions to newspapers, blogs, and other sites," Phillips says. "We might even appeal with newspapers not to publish the data from a human rights perspective: individuals could be killed because of these leaks."
Phillips says KBSD can use software to locate mentions of their clients in search engines globally, across multiple languages, countries and platforms. This allows reputation managers to identify which search terms need more positive content, such as carefully tailored personal websites, blogs and social media accounts.
Going to the Dark Side
One central battleground in the reputation war is the first page of Google's search results. And one weapon in that battle that reputation managers aren't afraid to use are so-called "black hat SEO techniques"—publishing spam websites or using fake social media accounts to burnish someone's reputation. These strategies can be rather creative, going beyond the mere creation of positive content and optimization of searches. Phillips offers up an example of a John Doe afraid that his name will show up in the Ashley Madison Leaks. He may be worried about people searching for "John Doe" or "John Doe Ashley Madison and "John Doe Cheating."
"John could create some real blog posts and profiles and boost them by making sure everything is interlinked and optimized for search engines," Phillips explains. "In addition, he could create some fake accounts for another John Doe. Perhaps this John Doe goes for dates with his girlfriend Ashley on Madison Avenue? Or perhaps another John Doe cheats at poker?"
It's unclear how effective these techniques are, however, as Google continues to refine its search algorithms to weed out spammy webpages.
Another tactic might be to direct users to generate positive content in traditional media, to respond directly to accusations.
Improving a reputation online tends to be easier for "lower-profile individuals, ones not covered specifically in the news," Matta says, using professional profiles, social media activity, and blogging across various sites. The idea is to present what he calls a "more balanced picture of who a person really is," he says.
While ORM companies can submit Right To Forget requests for European users, Phillips says that alone will not solve a person's online reputation problems. Right to Forget laws won't deliver more immediate results like "drowning" bad news; and because, again, a multi-pronged strategy is preferred in the ORM game. "There's not a lot of transparency in this process," he says.
In addition to reputation management online, Matta recommends that compromised Ashley Madison users should have a strong offline reputation-fixing strategy too.
"Other than using online tools and services to your benefit, it's also considering the use of a more old-school approach: personal outreach to the people who matter to you," Matta adds. "If you've been active on a site that others would find distressing or distasteful, hearing about it from you personally and directly is likely better than discovering it on their own."
Phillip's echoes Matta, saying that digital or the usual online reputation management tactics should not be the sole approach to mitigating the Ashley Madison fallout. Another tactic might be to direct users to generate positive content in traditional media, to respond directly to accusations, write a letter to news publications, or hire a lawyer to see if any articles break laws on privacy, copyright, or libel.
"These events really bring home to people how vulnerable we are online and that no site is completely immune from attack," Matta says. "There is simply too much value in personal data—whether it's credit card info or social security numbers or just the fact of even being on a site to begin with—and that's a big incentive for hackers."