Infidelity has consequences. For Avid Life Media, owner of the recently-hacked Ashley Madison extra-marital dating site, there were 115 million consequences in 2014, each of them a dollar. Clearly, cash trumps ethics at ALM. But an unintended consequence has just been revealed - perhaps the first example of social data protection hacktivism.
The back story is a good example of just how much money there is to be made out of big data-driven Web 2.0 services these days. Ashley Madison had 30 million registered users, with men paying to contact women (who get the service for free) on the site, despite the availability of other, free hook-up apps and sites.
The money-making didn’t stop there, however. ALM had the genius idea of charging $19 for users to have a full deletion of their profile, including all of the messages, fantasies and photos they might have shared. Privacy as a market is a very American concept, yet the company made $1.7 million last year from this service alone.
Which is where its troubles really began. Like most dating websites before it, Ashley Madison was hacked, but instead of the usual dark-web sale of personal and financial information, this time the hackers got political. They discovered that information was still being stored on users who had paid for the full deletion. In other words, users had paid for privacy but had not been given it.
Now, you could argue that expecting an infidelity website to behave ethically is like expecting correct change from a drug dealer. But, equally, the hackers’ demand that the site be taken down is simple commercial blackmail, however you look at it. Leaking some users’ details to make your point makes it even more obvious that two wrongs are not making a right. Ashley Madison may now be a smoking ruin in commercial terms, but so is any claim by the hackers to be acting as white hats.
The lesson in all of this for regular businesses? It’s not that charging to delete personal information is a great idea, attractive as that might seem. Instead, this story should have had every company which stores data on its customers - which is to say every company - rushing to check out its data retention policy.
One of the most breached principles of the Data Protection Act is that data should be stored only for as long as is necessary for the legitimate purpose for which it was originally collected. So when did you last delete anything? Probably never, because across business there is a perception that the purpose is ongoing and that something may come up which demands access to that data. (This gets really complex when you consider the “right to be forgotten” and retaining data for suppression.)
If you can reasonably argue that the data is necessary and believe you are in full compliance, so much the better. But do your customers hold the same view about retention of what is, after all, their information? Probably not. They may never find out just how much you know about them and how long you hold it for, of course. So you can either take another look at the data retention policy and see whether you can start to delete some, or just keep your fingers crossed that your company is not the next target of social data protection hacktivism.