Ashley Madison: don't let dead data sleep around

It was a dirty, cheating hack designed to play straight to the internet’s gossipy, prurient, finger-pointing heart. Samples of account data and internal documents appeared online, purportedly from Avid Life Media, a Canadian company that runs a variety of dating services. In particular, the hacker or hackers - “The Impact Team” - concentrated on Ashley Madison, a site that boasts 40 million users looking for an illicit affair.

The Impact Team threatened to spill all the beans.

Avid Life says that there was one individual involved, who wasn’t an employee but did have access at one point to the company systems. The internet - well, all but 40 million - laughed to see such fun, saying, “Serves the scumbag lying snakes right”, thus proving once again that in matters of morality the internet has less humanity than a blobfish.

Whatever the real motives for The Impact Team’s actions, it did make one solid claim: that Avid Life charged users for “full deletion” of their account data when they left - and that this was frequently not full deletion at all. Whether or not these accusations are correct for Avid Life, it’s worth thinking how it would look if they were aimed at your company. You might not have a collection of adulterers the size of Canada on your system, but size and sexual mores don’t count. Personal data is dynamite.

The first issue is: If your business model depends on extra charges for what many see as a reasonable expectation for their personal security, you will be at extra risk.

It doesn’t matter how good you think your legal argument is. Perceptions of unfairness influence your reputation and what regulators think, and the more sensitive the information the more carefully you should step.

This counts double in the second and more important aspect: making sure your technical procedures are effective. User data deletion is particularly vulnerable to bad implementation, for multiple reasons.

User data is valuable, and there’ll be commercial pressures to keep that value. Deletion is - normally - invisible outside the company; as long as deleted records don’t appear in external searches, who’s to know what zombies dwell in the database? And then there’s the thorny question of backups. You have legal and compliance requirements to keep backups, not to say a responsibility to the company for disaster recovery and the like. What do you do about deleted user data in the backups? That has no one correct answer, but if you haven’t had the discussion you haven’t done it right yet. More risk.

It can be expensive and complex to completely erase data, and it can be practically impossible if you have a poor or haphazard set of databases with ad-hoc links and multiple processes.

The answer, as so often, is to design for the requirement from the start - and where, as so often, that isn’t possible, to set up rules and processes to introduce the requirement as soon as practicable at redesign or migration. The canonical rule is to keep the information in as few places as possible, and furthermore to have a bulletproof way to remove it.

A good approach, and one that lends itself to simplifying the backup problem, is to encrypt all user data with a per-user key. You have to enforce the discipline that unencrypted copies must not be persistent, but that done you can remove the data wherever it is by merely deleting the key. Key management isn’t easy to do properly - but if you’re having troubles there you really shouldn’t be in this business - and it is easier to lock down than a set of sprawling databases whose internal workings are as mucky as Bill Clinton’s carpet. It also makes the main user data set less vulnerable to a wandering contractor with a USB key.
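The per-user-key approach described above, as an added example that is not from the original article: each user's records are encrypted under that user's own key, and "full deletion" is the destruction of that key. The choice of AES-256-GCM, the names `UserVault`, `seal`, `unseal` and `shred`, and the in-memory hash standing in for a KMS or HSM are all assumptions.

```ruby
require 'openssl'

class KeyShredded < StandardError; end # the user's key has been destroyed

# Per-user AES-256-GCM keys. The in-memory hash is a stand-in (assumption) for
# a KMS or HSM that is kept out of the ordinary database backups.
class UserVault
  NONCE = 12 # bytes
  TAG = 16   # bytes

  def initialize
    @keys = {}
  end

  def create_key(user_id) # once, at signup
    @keys[user_id] = OpenSSL::Random.random_bytes(32)
    nil # never hand the raw key back to the caller
  end

  # The "full delete": removing 32 bytes orphans every copy of the ciphertext.
  def shred(user_id)
    !@keys.delete(user_id).nil?
  end

  # Returns nonce || tag || ciphertext; the user ID is bound as associated data.
  def seal(user_id, plaintext)
    c = cipher(user_id, :encrypt)
    nonce = c.random_iv
    c.auth_data = user_id
    ciphertext = c.update(plaintext) + c.final
    nonce + c.auth_tag + ciphertext
  end

  def unseal(user_id, record)
    c = cipher(user_id, :decrypt)
    raise ArgumentError, 'record too short' if record.bytesize <= NONCE + TAG
    c.iv = record.byteslice(0, NONCE)
    c.auth_tag = record.byteslice(NONCE, TAG)
    c.auth_data = user_id
    c.update(record.byteslice(NONCE + TAG, record.bytesize)) + c.final
  end

  private

  def cipher(user_id, mode)
    key = @keys.fetch(user_id) { raise KeyShredded, "no key for #{user_id}" }
    OpenSSL::Cipher.new('aes-256-gcm').public_send(mode).tap { |c| c.key = key }
  end
end
```

A record copied into a backup before `shred` is called raises `KeyShredded` on `unseal` afterwards. That holds only if the key store itself is excluded from those backups.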

Take deletion seriously. Anything less is cheating - and if you cheat, don’t get caught. Ask Ashley.


Rupert Goodwins

Rupert Goodwins expected to be an engineer, but journalism happened. As an engineer, he worked in defence, for Sinclair Research and Amstrad, in startups and for himself. First appearing in print in 1982 and online in 1984, he's written about all aspects of technology in business for most of the UK nationals and tech magazines, and was most recently editor of ZDNet UK. Tries to solve more problems...
