In Ashley Madison hack, copyright “solution” is worse than no solution
Hackers stole troves of data from Ashley Madison but the online cheating site has yet to say how the breach will compromise its 37 million members, or even explain just how the hack happened in the first place. But the company did offer this non-action plan:
“Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the…posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online,” Ashley Madison told CNBC.
Unfortunately, this “copyright law to the rescue” response is worse than useless. Not only will it fail to work, but it provides false assurances, distorts copyright law and is a distraction from the real issues.
To understand what Ashley Madison just tried to do, it’s helpful to know how the DMCA (the law cited by Ashley Madison above) is supposed to work in the first place. It’s a legal tool designed to help studios and other content owners remove unauthorized content that people have posted to websites like YouTube or Facebook: If Disney tells those sites to remove a pirate version of The Lion King, for instance, they have to comply or else risk a copyright lawsuit.
In the case of Ashley Madison, the company has apparently used a DMCA notice to scrub a site where the hackers posted the information about its adultery-seeking members. (Brian Krebs, a noted security researcher who first reported the breach, says the hackers sent him links to the data but he chose not to publish them so as not to be “party to their extortion”).
While the copyright takedown might sound like a solution, it’s a weak and short-lived one. For one thing, there’s nothing to stop the hackers simply uploading the files again, forcing Ashley Madison to send out DCMA notices over and over. And this assumes that the company even has a valid copyright it can enforce in the first place – an unlikely event since, in the case of members’ profiles, the copyright probably belongs to the users not Ashley Madison.
Very skeptical of @ashleymadison‘s claim that it used DMCA to take down hacked data: 1) its users don’t assign ©; 2) unlikely to work anyway
— Daniel Nazer (@danielnazer) July 20, 2015
Ashley Madison’s DMCA announcement is little more than a bluff, and it’s one we’ve seen before. Recall, how in the wake of the Sony hacks, the movie studio hired super-lawyer David Boies to send around trumped-up intellectual property threats in a failed attempt to keep media from reporting on the leaks. Or how Jennifer Lawrence, and other celebrities who had their Apple iCloud accounts hacked, tried to use copyright law to stop people distributing nude photos.
In all of these cases, the copyright claims in question were weak or non-existent, but the hacking targets invoked them anyways. Why? The best answer is that lawyers had to respond to frantic entreaties from their clients to do something, and copyright was the nearest legal cudgel. It’s easy to use, everyone’s heard of it, and it can come with nasty penalties.
You can also argue that the copyright claims are at least worth a try, even if the legal threats are empty. After all, the hacking attacks that befell Jennifer Lawrence and Sony and the Ashley Madison adulterers are criminal conduct, and victims can do everything in their power to stop it.
But there are two problems with using copyright law to repulse hackers. The first is that it’s simply not designed for the job. The purpose of copyright is to encourage the creation of songs, books and paintings – not to serve as a roving catch-all tool to punish anything inappropriate on the internet. When it’s used outside of its natural legal context, such as a tool to oppose hackers, the whole reason for copyright law becomes muddled, and can appear as just another means of censorship.
The DMCA isn’t even good at being copyright law. Trust me, it’s really lousy at being privacy law.
— Parker Higgins (@xor) July 20, 2015
The other reason using copyright to confront hacking is a poor idea is because it provides a false sense of a solution, and distracts from the real issue: Why the hacks occurred and what the company should have done to stop it. These are harder questions, and often embarrassing ones for companies, including Sony and Ashley Madison, that suffer a breach.
But answers are emerging. In a much-praised article about the Ashley Madison hack, writer and programmer Paul Ford asks why websites don’t rely available technological measures like hashing and database-level encryption to protect their customers:
“We could demand that large centralized services encrypt our stuff at the database level, and know that while there are still points of failure, one password won’t unlock tens of millions of others by default — which is how it works now.”
The Ashley Madison site also had another weakness that let anyone see if a given email had been used on the site.
This is what the debate should be about, not copyright law. But concepts like database-level encryption are hard to understand (I’m not sure I could explain it), so the discourse can devolve into more basic topics like “that’s copyrighted so you have to take it down.” By now, though, it’s time to move past this. When the next major hacking attack arrives, and it will come soon, let’s hope the company in question will skip the empty copyright gestures, and get right down to solving the problem.