The Ashley Madison Hack: Why is a Website for Cheating Spouses Sending Out Dubious DMCA Notices?

Stephen Carlisle July 23, 2015

The days of whispering on the phone and the “no-tell motel” seem to be over. The internet has taken over the job of connecting people who wish to cheat on their spouses. But, as with all things secret, sometimes they get found out.

On June 19, 2015, online reporter Brian Krebs broke the story that the online service for cheating spouses, Ashley Madison, had been hacked. ¹ The hackers demanded the parent company, Avid Dating Life ²:

“take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.” ³

Not exactly the thing a cheating spouse wants to hear, especially one that is sneaking around an online “cheating service.” Yet, this is not the first time this has happened. A similar company, Adult Friend Finder was hacked only two months before, ⁴ with Krebs reporting that the Wall Street Journal published an article which predicted trouble for Ashley Madison as a result of AFF hack. ⁵ Adult Friend Finder is more of a “hook-up” site for swingers, as opposed to Ashley Madison, which openly caters to cheating spouses and has the audacity to have a Federal Trademark on the slogan “Life Is Short. Have An Affair.”

Ashley Madison also claims to have 37 million users, though one of the complaints leveled at AM is that many of the female profiles are fake. ⁶ Still, that would lead to a lot of nervous customers who don’t want to be found out.

Yet, the hackers’ main beef with ADL is not the morally dubious nature of the site, but rather is due to a “service” that will remove all of a client’s information from their database – for a price. ⁷

“According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.” ⁸

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.” ⁹

So far, ADL has combatted those leaks which do appear by sending DMCA notices to the offending sites.

“’Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed all posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online,’ said Ashley Madison parent company Avid Life Media in a statement. ‘We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter.’” ¹⁰

Predictably, the Electronic Frontier Foundation howled with outrage, ¹¹ but in this case I happen to agree with them. Along with the opinions offered by other pro-artist voices such as Ellen Siedler’s Vox Indie ¹² and Jonathan Bailey over at Plagiarism Today, ¹³ this is a very dubious use, if not an outright abuse of the DMCA takedown system.

The problem here is that there does not seem to be any copyright that ALM or Ashley Madison might hold that they can lawfully assert via a DMCA notice.

This blog has detailed before the use of the DMCA to assist in the takedown of the hacked nude photographs of various celebrities. ¹⁴ However, this is predicated on the fact that somebody (presumably the picture taker if the picture is a “selfie”), has a valid copyright in the photograph. Certainly, one can have a copyright in a compilation or a database. This is predicated on the author’s arrangement and selection of the various facts included. ¹⁵

However, this is not the case here. The facts aggregated by ADL are purely the result of who signs up for the service, and who has removed themselves from the database by deleting their account. In other words, the facts have self-selected themselves. Says the Supreme Court of the United States:

“one who discovers a fact is not its “maker” or “originator.” [citation omitted] “The discoverer merely finds and records.” Nimmer [on Copyright] § 2.03[E]. Census takers, for example, do not “create” the population figures that emerge from their efforts; in a sense, they copy these figures  from the world around them” …  [c]ensus data therefore do not trigger copyright because these data are not “original” in the constitutional sense.” ¹⁶

The case for ADL gets worse when one considers that only a small portion of the database has been made public. ¹⁷ Even if ADL could claim a copyright in the entire database, this does not necessarily attach to the individual sets of facts within that database.

So what about the photographs and profile descriptions? They would qualify if ALM became the copyright owner or an exclusive license holder by its Terms of Service. It does not appear that this has happened. According to Ashley Madison’s Terms of Service:

“USER CONTENT

1. By submitting any content (including, without limitation, your photograph and profile and other information) to our Site, you represent and warrant to us that the content, including your photograph, is posted by you and that you are the exclusive author of the content, including your photograph, and use of your content by us will not infringe or violate the intellectual property or other rights of any third party… By submitting any content (including, without limitation, your photograph and profile) to our Site, you automatically grant, and you represent and warrant that you have the right to grant, to us, and our licensees, parent, subsidiaries, affiliates and successors, an unlimited, perpetual, worldwide, non-exclusive, royalty-free irrevocable, transferable right and license to use, reproduce, display, broadcast, publish, quote, re-post, reproduce, bundle, distribute, create derivative works of, adapt, translate, transmit, arrange, sub-license, export, outsource, loan, lease, rent, share, assign and modify such content or incorporate into other works such content, and to grant and to authorize sub-licenses and other transfers of the foregoing.”
2. You are solely responsible for any content that you submit, post or transmit via our Service. ¹⁸

And further on down:

1.                 “COPYRIGHT POLICY

The Service contains information, which is proprietary to us, our partners and our users. We assert full copyright protection in the Service. Information posted by us, our partners or users of the Service may be protected whether or not it is identified as proprietary to us or to them. You may not post, distribute, or reproduce in any way any copyrighted material, trademarks, or other proprietary information without obtaining the prior written consent of the owner of such proprietary rights.” ¹⁹

This does not get ALM where they want to go. In order to send a DMCA notice, they need to be “authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.” ²⁰ ALM does not hold exclusive rights, only non-exclusive rights, and there seems to be no language in the TOS to make them the authorized agent of any particular user.

This perhaps is the final nail in the coffin of their ability to send out DMCA notices:

1.                 “Privacy & Use of Information

Use of the Service is also governed by our Privacy Policy. You agree that by registering a Profile or using our Service you have agreed to our Privacy Statement. You acknowledge that although we strive to maintain the necessary safeguards to protect your personal data, we cannot ensure the security or privacy of information you provide through the Internet and your email messages. … You agree to release us, our parent, subsidiaries and affiliated entities and ours and their shareholders, officers, directors, employees and agents, successors and assigns from all claims, demands, damages, losses, liabilities of every kind, know [sic] and unknown, direct and contingent, disclosed and undisclosed, arising out of or in any way related to the release or use of such information by third parties.  If you are a California resident, you waive California Civil Code Section 1542, which says: ‘A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which, if known by him must have materially affected his settlement with the debtor.’ ²¹

So why send out DMCA notices, and in particular, why have they been (so far) effective? It relates to the nature of the information released and how it was obtained.

First off, no individual is going to file a DMCA takedown request in which they will reveal that they have been posting on a website dedicated to infidelity. (N.B. rather risibly, AM states in its FAQ’s that it does not “encourage infidelity”). ²²

And by the same token, in order to have the hacked material put back up, the hacker would have to file a counter-notice, which would require the disclosure of the hacker ‘s true name and address as well as a consent to the jurisdiction of the Federal District Court where they reside. ²³

For its part, Avid Dating Life says it has a pretty good idea who the hacker is.

“’We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,’ Biderman said. ‘I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.’” ²⁴

So does ADL have a cause of action against the hacker? Sure. Illegal access to a computer, misappropriation of trade secrets, intentional interference with a favorable business relationship, to name a few.

Just not copyright infringement.