Ashley Madison could face class-action suit after massive data breach

Several high-profile hacks, including the recent attack against Ashley Madison, awebsite for people looking to have an affair, have raised questions about whether online activity is ever truly private.

Ashley Madison is built around the notion ofsafeguarding its users' information reflected in its signature image of a woman's pursed lips making the 'shh' sign, seemingly meant to reassure would-be adulterers that their secrets are safe.

• Ashley Madisonsitetarget of data hack
• Spiestarget mobile phones, app stores to implant spyware

But now, hackers say 37 million accountshave been compromised.

The company's owner,Toronto-based Avid Life Media, said Monday it has "always had the confidentiality of our customers' information foremost in our minds"but was not able to assure its users that their information is safe.

A similar website, AdultFriendFinder, was also hacked in May.

'Level of risk'

Issecretinformation online from a sordid affair to an embarrassing Twilight fan-fictionblog ever really secure?

Any time you're using a computer or giving away information of any kind, there is the risk that can be misused.-Andrew Hilts, executive director at Open Effect

Likely not, security and privacy experts say.

"What people should think about is just acceptable risk. Any time you're using a computer or giving away information of any kind, there is the risk that can be misused," says Andrew Hilts, executive director at Open Effect, a Canadian non-profit that does research on privacy and security.

"It comes down to what level of risk you're comfortable with," says Hilts.

"When payment comes into play, often credit cards are used and that's pretty inexorably tied to an identity," he adds.

Brian Bourne, co-founder of SecTor, an IT security conference, says a motivated hacker can break into any site. He estimates, based on what the hackers posted online, the Ashley Madison attack took several months or even years.

"To do what they did generally requires more skill and effort and patience," says Bourne. "So it's not a drive-by and it's not a smash and grab."

Bourne adds that hackers having long-term access to networks is "embarrassingly common."

Difficult to delete

The Ashley Madison hackerstake issue with its reported$19 charge to usersfor deleting their information. The hackers say the company doesn't actually delete it, a claim the company disputes.

But a security expert saysit's difficult for any company tofully delete user information.

Robert Beggs, a manager for technical security at Pricewaterhousecoopers, says information on even a simple website's database can easily end up in multiple places, such as test and backup databases,or with marketers.

Compounding the issue is that many companies don't know where the information on their database goes, or even sometimes where it's stored.

"So when you say, 'Ashley Madison, remove this data,'it will exist in multiple forms," says Beggs.

Beggs says it's reasonable to expect that any profile information on a site like Ashley Madison would be removed, but a user's credit card information legally has to be kept on file for up to seven years, which can be linked to a person'sname.

Class-action lawsuit?

Privacy lawyer David Frasersayscompanies are not required to guarantee the safety of information they collect. But they do have to implement commensuratesafeguards.

"Canadian privacy laws are more principles-based than anything else how in fact they apply is sometimes a matter of opinion," he says.

Fraser expects a big fallout for Ashley Madison, though the possibility ofindividual lawsuits isn'tlikely to pay off for the user, he says.

"Courts haven't taken privacy breaches to be associated with a high level of damages. So unless you can point to financial loss, the damages a court would award for hurt feelings or anxiety are not particularly high and almost would never make it worth your while in light of legal fees," says Fraser.

• Internet users' privacy upheld by Canada's top court
• Personal data online: 5 of the biggest security breaches

He says a massive class-action lawsuit is more likely if hackers publicize users' information, because the damages would be higher if more people are affected.

"A large number of people probably find the Ashley Madison site personally repugnant and problematic, but I don't think the law would make that distinction," says Fraser. "Regardless of the morality, privacy is about individuals being able to make choices about how their information is collected, used or disclosed."

Fraser says it would be a different story if the site encouraged illegal activity, but affairs are wellwithin the confines of Canadian law.

He adds there is a precedent in Canadian law for protecting class-action participants' identities; so users of the sitewouldn't necessarily "out"themselves if they took part.

Simple precautions

Hilts, at Open Effect, saysif people want to keep their online behaviour away from prying eyes, there are certain steps they can take.

He suggests creating a throwaway email, using pseudonyms, and toavoidpaying online with a credit card. He also suggests using browsers in "incognito"mode or deleting internet search histories.

But at the end of the day, online activity can always be dragged into the bright light of day.

"With every decision you make, decide that if the site loses control of this information, would anyone have information that I'd be upset to have public?" says Hilts.