A 1990s anti-piracy law is why you haven't seen the hacked list of Ashley Madison customers

On Sunday night, Ashley Madison, the premier dating site for adulterers, was hacked by a group calling itself the Impact Team. The hackers say they have the financial records for all of the site’s 37 million users and that they will release more and more data every day, unless the Ashley Madison site is taken down. The Internet is feasting on the news, with many gleeful about the opportunity to see cheaters put in the digital pillory.

But it hasn’t happened yet. The leak has been more widely reported than seen, thanks to Ashley Madison’s use of a legal tool from the 1990s that was created to help the entertainment industry combat piracy.

Brian Krebs, the prominent security blogger who first reported about the Ashley Madison leak on Sunday, said the hacked material quickly disappeared. “In the short span of 30 minutes between [a brief interview with Ashley Madison’s CEO] and the publication of this story, several of the Impact Team’s Web links were no longer responding,” wrote Krebs. In other words, Ashley Madison had killed the Impact Team’s initial leak before Krebs even got his story up about the leak’s existence.

“Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed all posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online,” said Ashley Madison parent company Avid Life Media in a statement. “We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter.”

The DMCA was originally passed in 1998 to help movie studios and music makers who were increasingly seeing their products show up online, posted and monetized by “copyright pirates.” But recently, the DMCA has taken on new life as a way for hacking victims to get their stolen material taken offline. Jennifer Lawrence used DMCA takedown notices, for example, to get Google to stop linking to her stolen nude photos.

Ashley Madison is using the same tactic, but more controversially, because there’s a big question about whether it actually has a copyright on its users’ information.

Parker Higgins, director of copyright activism at the Electronic Frontier Foundation, says Ashley Madison’s using the DMCA is “fraudulent.” “They don’t have a copyright on what they’re sending notices about,” said Higgins. In an inquiry to Ashley Madison about what the site has copyright on in the stolen information, a spokesperson said she could only point to the official statements that have been made thus far.

While the DMCA may be working right now for Ashley Madison to get websites to take its information down, “it underscores other concerns about the DMCA as an existing censorship tool,” said Higgins.

The DMCA has long been a controversial legal tool because it is tilted so heavily in favor of copyright holders. When a site gets a DMCA takedown notice, it must immediately comply or risk liability for posting of the copyrighted materials — which means that even valid fair-use creations (such as a Buffy-Twilight mash-up video) can wind up getting taken down.

Using the DMCA in the past to deal with leaks got at least one company in trouble, said Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society. In 2003, a hacker broke into the servers of Diebold, Inc. and stole emails and files related to security flaws in the company’s voting machines. When graduate students reposted the files, Diebold served them with DMCA takedown notices. The students countersued the company for serving false notices, claiming Diebold didn’t actually have copyright over the material. Diebold lost the case, with a judge saying the company “materially misrepresented that Plaintiffs infringed Diebold’s copyright interest.”

After a hack, most companies send “nasty letters that mention copyright” rather than DMCA takedown notices to the websites hosting the material, said Higgins. After Sony Pictures was hacked, for example, its lawyer sent a letter to media publications asking them not to use the stolen information saying that the files were Sony Pictures’ “intellectual property” — more gently invoking copyright concerns.

Sony Pictures’ hacked information, though, was released via torrents, meaning there was no central website to which the lawyers could send a takedown notice. If the distribution of Ashley Madison’s files becomes decentralized like that, a DMCA notice will no longer work as a way to stop the distribution.

“In terms of effectiveness, the DMCA makes it momentarily harder to get access to the leaked information, but Ashley Madison won’t be able to DMCA every copy of this on the internet,” said Higgins. “Ashley Madison is in cornered-animal mode, and they are using every tool they can.”

Related: Hackers are threatening to out millions of users of Ashley Madison, the dating site for married cheaters
Ashley Madison users’ identities were exposed before the site was hacked