The recent hacking of the hugely popular website Ashley Madison raises uncomfortable questions about privacy and security in our digital lives. For those unfamiliar with AshleyMadison.com, it functions as a dating site specifically aimed at those seeking to “cheat” on their spouse or partner. Needless to say, the promise of discretion is a key element of the site’s success:
“Protection of personal information [is one of the site’s] critical success factors. I would hate to see our systems hacked and/or the leak of personal information.”
Avid Life Media CTO Trevor Sykes, in happier times
The group claiming to have hacked the site calls itself the “Impact Team” (inside help from a vendor is suspected). They threaten nothing less than the wholesale public release of names, payment details, online conversations, and even nude photos of a purported 33 million(!) users living mostly in the US and Canada. Their demand? Take the site offline completely, effectively putting Ashley Madison out of business.
So the stakes are quite high for the site’s parent company, which had sales of over $100 million last year. A planned IPO almost certainly is off the table now. Whether the company can recover and continue operating Ashley Madison is uncertain, but clearly it will suffer a tremendous financial blow and have difficulty retaining customers.
The stakes are even higher for those customers of course, who face the possibility of divorce, ruined relationships with their families, and public embarrassment.
So both Ashley Madison and its customers have suffered harm (or potential harm). But what is the proper libertarian perspective on all this?
For starters, consider that personal and business reputations might well become even more important in a libertarian society. Our reflexive aversion to cheats, liars, and secrecy is very much in accord with human nature, and there’s every reason to believe a private legal system would reflect this. In an uncertain world of scarce resources, a lack of trustworthiness in others creates huge transaction costs. This is especially true of our interactions with strangers, where we’re forced to create elaborate legal contracts before doing business-- a handshake no longer suffices.
But surely Ashley Madison’s owners and its users should not be able to sue the alleged hackers (if identified) for monetary damages owing to loss of reputation. The entire tort concept of defamation, including trade libel for businesses, is nonsense. As Murray Rothbard explained, one’s reputation consists of the thoughts, opinions, feelings, and perceptions of other people-- which of course cannot be owned.
Even under current US case law, “truth is a defense” in defamation cases. So provided the hackers released truthful (i.e. accurate, unaltered) data, neither a private nor a legislative legal system would appear to support an action for defamation by Ashley Madison users or its owners simply because hackers made certain unpleasant facts public.
But what about criminal liability? Are the hackers guilty of theft? Burglary?
The common law definition of burglary provides an inexact analogy. Burglary requires the breaking and entering of a dwelling with the intent to steal property within. In the pre-digital world, a criminal with the same motives as the Ashley Madison hackers might have broken into the brick and mortar offices of an adult dating service and physically removed customer information printed on actual paper.
Here we have no physical invasion of a physical space by the alleged criminals. Instead, we have individual sitting remotely (perhaps thousands of miles away) using a PC to obtain unauthorized access to the Ashley Madison server.
But it’s important to note that the hackers did not remove customer data, they copied it. By all accounts Ashley Madison still has an intact website and intact data on its server. Ashley Madison still possesses its “stolen” information.
What the hackers really took from Ashley Madison was the unfounded trust of its users, by exposing the site’s assurances of security as untrue.
Should this be a crime? Should it give rise to civil liability? Surely Ashley Madison did not “own” the income stream produced by the site prior to this incident.
Other questions arise. Are the hackers guilty of trespass? Blackmail and extortion? (see Block). Should they face civil liability for violating Ashley Madison’s trade secret in the form of its customer lists? (No, see Kinsella). Should it matter that the hackers took the data not to sell or use for financial gain, but rather to make a point? And should a libertarian legal system permit money damages for actions that evolved under common law like tortious interference with business or intentional infliction of emotional distress?
Not surprisingly, Ashley Madison CEO Noel Biderman wants the hackers to be punished criminally, under US cyber-terrorism or cyber-crime statutes. But one thing is clear: feeding the maw of the awful US criminal justice system and caging humans in supermax prisons at taxpayer expense is NOT the answer.