Ashley Madison: The Information Economy’s Love Canal?
The hack of married person “hookup” site Ashley Madison is just the latest evidence that we need to reconsider the rewards and the risks of data in our information economy.
Say the words “Love Canal” and readers of a certain vintage – and maybe hailing from a certain geography (the Northeast) will have an image flash before their eyes: a suburban subdivision, exposed drums of toxic waste, a child’s playground. Love Canal, of course, refers to the neighborhood in Niagara Falls, New York where, from the mid 1950s to the mid 1970s, families lived, loved and played atop a large toxic waste dump – and a leaking one at that.
The consequences of that were severe: women suffered a high rate of miscarriage and generations of children suffered from birth defects and health problems resulting from exposure to toxic chemicals, including cancer-causing dioxins. When the truth finally came out, in the late 1970s, New York declared the area a state emergency and ordered it evacuated.
Love Canal wasn’t the first, the largest or even the worst instance of environmental contamination in the United States. But it was a milestone: one of those events that sticks in the mind of the public because it perfectly embodies larger and more complex notions.
In the 1970s, the Love Canal scandal perfectly encapsulated the fear and outrage that the public felt after a century’s worth of environmental pollution and degradation. These were decades during which industry had free reign to use the surrounding environment as they pleased, so long as it was good for business. Industrial waste was dumped in rivers, pumped into the atmosphere or, in the case of Love Canal, buried in the ground, and the consequences of doing so were conveniently ignored.
Why talk about Love Canal or the Times Beach? There are parallels between incidents like those and the headlines we read today about the wreckage caused by hacks at firms like Ashley Madison or – in the public sector – the Office of Personnel Management. If Love Canal was the bitter consequence of the United States’ headlong rush into industrialization, we can look at Ashley Madison, OPM and – for that matter – Anthem and Target as the bitter consequences of our headlong rush into an information economy.
“Data is a lot like toxic waste,” Eugene Kuznetsov, the founder of the security firm Abine, told me in an interview this week. “The more you accumulate, the greater the risk.”
Just as Hooker Chemical Company, which was responsible for the Love Canal waste, failed to consider the long term costs of the byproducts of its industrial processes, “data based” businesses like Avid Life Media – Ashley Madison’s parent firm – have failed to account for the hidden risks and costs of the data they have compiled on their customers.
That failure was in full display in the hack of ALM, which has been attributed to a hacking group that calls itself the Impact Team (though; the company has stated publicly that the hack may have been the work of an insider). The data on customers, many presumably married men and women in search of extramarital relationships, will hit as close to home as the toxic waste at Love Canal, bubbling up in school yards and basements. Among other revelations of the hack are accusations that ALM, while charging former customers a fee for deleting their details, failed to purge their data as promised. Like the noxious chemicals collected by Hooker Chemical over the decades, the data on ALM’s customers is far easier to collect than to dispose of.
What is the solution? At this late date, massive breaches have affected companies across the economy – from retailers like Target and Home Depot to healthcare firms like Anthem. The unmistakable conclusion of those incidents is that companies need to rethink their relationship to the data they hold. If the mantra of the last decade has been “collect now and monetize later,” the new mantra should be “monetize now, delete later.”
Kuznetsov at Abine, which helps consumers to protect their identity, believes that companies need to reduce data collection, while regulators and insurers need to start looking hard at what data companies are collecting and why. “Regulators need to realize that data isn’t an asset, but a liability,” Kuznetsov said.
In other words: companies need to recognize that wholesale data collection poses risks to their organization. Insofar as they collect any data, it should be with a view to using it immediately and for a clearly defined purpose. Merely warehousing data with vague notions about how it might later be used is a recipe for disaster, as the hacks of Ashley Madison and OPM reveal.
Paul F. Roberts is the Editor in Chief of The Security Ledger.