Sharing personal data online: a risky affair?

The internet is becoming an increasingly popular forum for social interactions, but how much personal information should we share online and how do we know it won’t fall into the wrong hands?

These are the questions on many people’s lips following the revelation this week that personal data belonging to over 37 million ‘anonymous’ users of the internet dating site Ashley Madison, 1 million of whom are UK based, has been stolen by a group calling themselves “The Impact Team”.

For many people, the theft and potential distribution of their personal data would be nerve-racking, but for many users of Ashley Madison, there is cause for extreme concern. Unlike other dating sites, Ashley Madison specialises in facilitating infidelity, its tagline being “Life is short. Have an affair.” The Impact Team has demanded that Ashley Madison, owned by Avid Life Media, be shut down or they will release “all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.”

The demand was largely fuelled by Ashley Madison’s £15 fee to delete a user’s profile, which was in place until yesterday. However, according to The Impact Team, this is a “complete lie” as user’s payment details, including names and address were retained even after a  user has paid for a ‘full delete’. They claim that the personal data of people who registered with the site years ago and paid to be permanently removed from its records are still being processed by Ashley Madison.

Ashley Madison’s Privacy Policy states that the personal data of its users is retained “for as long as your Ad Profile stays active or hidden or is allowed by applicable local law” and that “deleting your information through the ‘Manage Profile’ or ‘Message Center’ section of the system […] will only change or delete the data in our database for the purpose of future activities and communications. These changes and deletions will not change or delete information or emails that are queued to be sent or have already been sent.” Therefore the deletion of a profile does not appear to delete the personal information they have already collected. Under English law, personal data must not be retained by the data controller for any longer than is necessary for the purpose or purposes for which it was collected, but how many of us read the privacy policies of the companies to which we give our personal data?

There has also been some speculation as to how this data was stolen. Yesterday, Ashley Madison’s chief executive and founder, Noel Biderman, seemed certain that, rather than a cyber attack, the data was stolen by someone working with the company, who “had touched our technical services“. This is a stark warning to all companies that hold or process personal data. However vigilant your cyber security, a disgruntled employee or contractor is likely to have far easier access to your records than a hacker.