Was it ethical for Wired to provide a link to the leaked AshleyMadison data? originally appeared on Quora: The best answer to any question.
Answer by Adrián Lamo, threat analyst & [so-called] "top 10" hacker, on Quora:
It wasn't unethical.
Laura Hale's answer argues "Is (sic) the contents inside the leak newsworthy? The answer is no." I have to disagree. High-profile Ashley Madison members have been identified from numerous walks of life, notably including Josh Duggar.
There are also many members who signed up from official USG .gov and .mil email addresses. In the case of members of the military, the Uniform Code of Military Justice (UCMJ) criminalizes adultery, making the data significant evidence of possible criminal conduct on a widespread scale - even if the law might be considered archaic. DoD is certainly taking the matter seriously.
A comment noted that a link that Wired provided - Has your data been compromised? - doesn't differentiate between verified and unverified email addresses. I have tweeted to Kim Zetter, author of one of the Wired articles, suggesting that Wired note the distinction. It's worth noting that neither link provides unfettered access to the raw dump, but instead require a user to manually enter an email address to check.
Nor is this the first time Wired has been involved in a story with potential to put someone in the crosshairs of the law. In 2006, Wired reporter Kevin Poulsen wrote an article based on his use of a program he'd written which used the sex offender registry to scrape MySpace for registered sex offenders. At least one person went to prison as a result. I don't recall much public outcry over that. (I lambasted him about it at the time, as I felt it overstepped his role as a journalist, but no one at Wired is handing AM members over to military authorities.)
Nor is Wired the only publication to be linking to these sites, despite having been singled out in this question. Respected newspaper Seattle Post-Intelligencer ran the same pair of links I've listed above on their news blog.
In another answer, Archie D'Cruz states:
- There is no way to know -- at this moment at least -- whether all the email addresses in that database actually belonged to Ashley Madison users. According to news reports, Ashley Madison does not send verification emails, so addresses might not belong to actual users of the site. As such, there are going to be a lot of innocent victims.
That isn't strictly accurate. While it's true that AM didn't require email verification, the database differentiates between emails which were verified and emails which weren't. So if an email shows up and wasn't verified, there's a decent chance that the user wasn't the person who signed up.
And I have a certain amount of standing to say so. I happen to hold the email address adrian@aol.com* - I've had it since the 90's. Due to the ... technical aptitude, of some AOL users, it gets mistakenly used for the damnedest things. I receive child support notifications, bank statements, credit card bills, phone bills, and everything in between. And, unsurprisingly, it's also in the AM database - unverified, naturally. Of course, I would say that, wouldn't I?
If the AM data dump weren't widely available, it could be argued that Wired had overstepped its bounds by linking to the information. But literally no one who might want to find it, except perhaps your Amish grandmother, is going to be deterred from doing so by the absence of a link in a Wired article. The data is out there. It will always be out there. Short of global thermonuclear war, nothing on the Internet ever goes away.
It's also for this very reason that, in the position of the hackers involved, I would have done things differently during my network intrusion days. I obtained vast amounts of sensitive information by illegally compromising companies such as Microsoft, AOL, MCI Worldcom, SBC, Yahoo, Google, Cingular, The New York Times, LexisNexis, and others - and helping them fix their security holes free of charge.
But while I made knowledge of the intrusions public, I never released the data I acquired. It wouldn't have sat right with me, and it wouldn't have been right. It would have harmed people who didn't deserve to be harmed. Still, if I had released the data, I could hardly have blamed the media for using or linking to it - after all, I'd have released it, not them.
Still, astute readers will note that while I said I didn't think the link was unethical, I didn't exactly say it was ethical, either. I agree that part of the glee with which folks accept the proliferation of this data is the quest for "a little schadenfreude to brighten their day."
It's easy to look at this incident and say "Oh, they're just adulterers, who gives a flying frack?" It's easy to see the members as scum, and not consider how many might be trapped in loveless marriages, or how many may have partners who know about and accept their extramarital activities.
Stories like this one are crowd-pleasers because they often make us feel better about ourselves. They let us say "I would never cheat," or "I may have cheated, but at least I didn't join a cheating site," or even "I would never get caught like those losers!" We know next to nothing about the people involved except that they cheat or want to cheat, and that makes it particularly easy to dismiss anything that happens to them as justified. The victims are un-nuanced, dehumanized. They're barely people to many observers.
A lot about this situation is sad. As someone whose former marriage was repeatedly marked by adultery, I can grok it to some extent. But I tried to go a different route. Rather than defining them by one act, I've forgiven and become friends with some of the people my spouse cheated on me with. It's a shame that most Ashley Madison members are unlikely to have a shot at that sort of reconciliation.
*Just don't try to contact me here - I check it like, twice a year.