Monday morning could've been a very, very awkward one for the 37 million members of Ashley Madison, a website that helps married people cheat.
Late Sunday night, the site was hacked by a group calling themselves “The Impact Team.” The hackers claim to have gained access to reams of user data beyond any voyeur's wildest dreams: “customers' secret sexual fantasies,” “nude pictures and conversations,” “credit card transactions” with real names and addresses.
In the near future, the Impact Team promised, they'd post all that dirt online. But the fact that hackers got access to this information is far less scary than their proclaimed reason for going after Ashley Madison: In a manifesto reported by Krebs on Security, Impact Team alleges the site stored compromising, personal data on its users even after charging them to delete their accounts. (A spokesperson for Ashley Madison declined to comment.)
That, more than anything, would seem to prove the immortality of our online sins: There's no erasing the digital past. It can only – precariously – be reined in.
Here, for reference, is how Ashley Madison's “Full Delete” feature worked. Suppose you thought about stepping out on your spouse, started up an Ashley Madison profile and then promptly regretted it. Ashley Madison gives you three ways to act on your regret: (1) to hide your profile from search, meaning users you don't already know will struggle to find it; (2) to hide the profile entirely, which will make it invisible but still allow you to reactive it; and (3) the big one: the “Full Delete,” which promises to nuke every message you'd ever sent or received, all your browsing history and any other evidence that you'd ever so much as heard of Ashley Madison/dreamt about cheating.
Ashley Madison charges $19 for this service, and, according to Ars Technica, from 8,000 to 18,000 people take them up on it in the average month. That means the company nets upwards of $1 million on “Full Delete” annually.
“We've developed a product where we'll go back in time and remove photos and conversations that you've had,” chief executive Noel Biderman told Ars last year. He went on to explain that $20 is a small price to pay for that privilege.
Real talk? He's right. While it might seem unfair, even extortionate, to charge people to delete their accounts, most sites – dating and otherwise – don't give you any options for completely erasing your data and past account behavior. Even if you think you've left Dating Site X, your name and messages and mortifying pictures could very well survive on their (apparently hackable) servers
Both Facebook and OkCupid let you delete your profiles, for instance, but they don't let you wipe the messages you've sent or received. Match and Chemistry.com profiles can't truly be deleted. eHarmony requires you to request the deletion of your personal info from their servers – by e-mail.
In fact, according to JustDelete.me, a service that tracks the difficulty of account deletion across several hundred Web sites, precious few promise to relinquish all your personal data after you've left their sites. A number of companies provide no way to delete your accounts at all: among them, Netflix, YouTube, Pinterest, Kik, WordPress and Wikipedia.
Ashley Madison, for its part, has said that its site has since been secured; a statement from parent company Avid Life Media apologized for the “unprovoked and criminal intrusion” and promised even more stringent security measures in the future.
“The current business world has proven to be one in which no company's online assets are safe from cyber-vandalism,” it said.
Forget “cyber-vandalism” for a minute, though: Most companies can't even save us from themselves. – Washington Post