Over the past few months, Mark has gotten fairly intimate with the feeling of paranoia.
On August 18, his name appeared among millions of others outed as members of the adultery dating website Ashley Madison. Four months later, his wife still has no clue. He worries almost every day that his secret will catch up with him. His inbox is deluged with unnerving e-mails from bitcoin-hungry blackmailers. He finds himself constantly Googling, searching for news of any life-shattering threat.
“I have still never told anyone about my involvement with Ashley,” Mark* wrote me last month via e-mail. “I still am looking over my shoulder, and know that it will never go away.”
In order to fully grasp the effect of one of the largest, most personally damaging information exposures ever, I've been corresponding for months with more than 100 people impacted by the Ashley Madison leak. I wanted to understand the power that 30 gigabytes of poorly guarded code can have to destroy. I've exchanged over 100 e-mails with Mark alone. My inbox became his confessional, a singular safe place for him to confide.
“I thought of myself as a good guy. Maybe I was wrong,” he wrote me, recently. "I'm not proud of what I did. I have something missing in my character. I know that. I have cheated and taken what wasn't mine most of my life."
A New Jersey resident, Mark met his wife when he was just 19. Over decades of marriage, he came to feel as though something were wanting. He signed up for Ashley Madison, where he met a few women and even fell hard for one. Because he used a burner e-mail address and a pre-paid gift card to sign up, his presence in the data dump is difficult to discover, but he has been tempted to confess to his wife. He told me he has no interest in divorce, but even after the hack, he remains on Ashley Madison, now with a new account.
“The hackers had no right to do what they did," he wrote me the week of Thanksgiving. "What did they accomplish? Ashley Madison is doing fine. Even more people have signed up for it. Cheating spouses confessed and got divorced. And a few months later, it’s all but forgotten.”
In the lengthy manifesto published alongside the stolen data, the hacking group the Impact Team implied they were motivated by the values that Ashley Madison promotes, as well as its lagging privacy and security. Users like Mark were merely casualties of the cause.
“It was ALM that failed you and lied to you,” the Impact Team advised them. “Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”
But many victims of the hack will never get over it.
Georgetown law professor Paul Ohm coined the phrase “database of ruin” to describe the trails of data that we all leave online. Ohm suggested that buried among the vast digital dossiers companies compile on us as we browse the web is at least one lethal secret.
“This might be a secret about a medical condition, family history, or personal preference,” he wrote in 2012. “It is a secret that, if revealed, would cause more than embarrassment or shame; it would lead to serious, concrete, devastating harm.”
In Ohm’s thinking, the database of ruin emerges as companies combine their treasure troves of data to create one database so complex and colossal that it cannot ever be destroyed — a sort of Big Data Singularity. But as any member of Ashley Madison can tell you, databases of ruin have already arrived.
Among the rubble of the Ashley Madison hack, I've counted at least three suicides, two toppled family values evangelists, one ousted small-town mayor, a disgraced state prosecutor and countless stories of extortion and divorce. The blast radius of a database dump, it seems, is very large indeed.
Tom*, a 65-year-old user in Nebraska, told me that he paid off blackmailers after receiving one of the many e-mails threatening to out users to their spouse.
"Hello, I am blackmailing you," his first blackmail e-mail began. "If you want to keep your cheating and lies secret from your significant other, your family, your friends and employer then pay very close attention. As what we demand is non-negotiable and life ruining serious."
Tom had met three women in real life, but never actually gone further than lunch.
“I love my wife,” Tom told me. “But I’m not in love with my wife. It’s comfortable and enjoyable and good, but I needed more.”
The e-mail demanded three bitcoins, though Tom barely knew what a bitcoin was. He wound up paying his blackmailer five bitcoins (over $1,000 at the time), for the promise that it would help stave off future blackmail attempts. He still receives blackmail e-mails almost weekly, as do many other users of the site.
An East Coast woman who had found her husband in the leak and considered divorcing him said that the hack ultimately helped repair a long-widening chasm in their marriage that neither of them had addressed. He told her he signed up before they got married and never bought the credits necessary to send messages to women, a claim I was able to help her verify in looking at his transaction records.
One person I talked to found their father in the hack, affirming long-held suspicions that he was a cheater. Another user said that after contemplating suicide, he decided to come clean to his wife, and that she forgave him. Yet another, who has lost 13 pounds since the hack due to stress, was now hopeful after his wife agreed to marriage counseling.
Other suspected post-hack outcomes, like the Pentagon cracking down on members of the military who used the site given adultery being a crime, never materialized. But, unlike the leak itself, most of the aftermath unfolded behind closed bedroom doors. Its full effect is difficult to discern.
In the U.S., at least, the worst of the fallout seemed to happen in the South, where small community websites and blogs published the names of locals who used the site. Sometimes they were organized by zip code, making cheating neighbors especially easy to find. In Alabama, Mississippi and Louisiana, conservative Southern politics, religion and the nature of close-knit rural culture turned the internet into a small-town pillory.
In Hartselle, Alabama, Mayor Don Hall was forced to resign despite denying ever having used the site. The names of many public officials (like President Barack Obama, for one) appeared in the leak even though they weren't users, because Ashley Madison didn't require that users verify e-mail addresses before creating an account.
Roger Shuler, a Missouri blogger, used his site, Legal Schnauzer, to out a prominent attorney and a local journalist in his former home state of Alabama, as well as local companies that had executives with names on the list.
“It’s of interest to the public,” he told me, assuring me he would never print the name of “just some guy who runs an auto parts store.”
While people use Ashley Madison for all kinds of reasons—in open relationships, for example, or to mentally escape abusive ones—Shuler had a hard time accepting that people might use the site for any reason other than a lack of moral character.
“I’ve been married for 26 years and I treat marriage seriously," he said. "I’m just amazed that in this country where people seem to trumpet their Christian values we treat Christian marriage so shabbily. A lot of people on the Alabama list are people who make judgments about us all the time, so it’s relevant to expose what kind of judgment they use themselves.”
Christi Gibson lost her husband, a New Orleans pastor, after his name was released in the leak. John Gibson had long struggled with sex addiction and depression. She only discovered her husband’s presence on the site upon reading the note she found along with his body. In it, he confessed his feelings of deep shame and remorse.
After her husband’s suicide, Gibson agreed to interviews with nearly every media outlet that called. She was on a mission to prevent secrets from having the power to destroy people's lives. If her husband had been honest, she reasoned, he would probably still be alive.
“My life was shattered by secrecy and lies — not by the hack," she wrote me via e-mail.
In her view, the problem isn’t so much that hackers unleashed stores of sensitive information, but that any of us keep secrets from one another in the first place.
💻 💻 💻
The Ashley Madison hack was distinctive because it revealed such private, intimate details about regular people. There were prominent names in there, to be sure, but its main victims were not movie studio execs or Hollywood starlets.
It’s tempting to think of it as a one-off tragedy, the kind of thing that happens to people who join a site with a singular purpose of enabling extramarital flings. But a one-off it was not. In a world where the intimate details of our lives are stored on our phones and in the cloud and in the metadata of everything we post to social media, the Ashley Madison hack was a harbinger of hacks to come.
For all of us, there is some data set out there capable of wreaking havoc should it ever be unleashed. We keep our e-mails in the cloud, along with our lists of contacts and calendars. If you use a fitness tracker like Jawbone, your health data is in there, too. Uber knows where you've been and when. Our Amazon purchases and Google searches reveal an alarming amount of detail about what we do and think. There is no light bright enough to shine into all of the infinite cracks and crevices where the intimate digital portraits of our lives are stored.
“Too often the public conversation about online vulnerability is about things like identity theft and credit card fraud,” Ben Wizner, director of the ACLU’s Speech, Privacy & Technology Project, told me. “For most people, though, credit card fraud actually has minimal impact. But what if there was a database that knew where your phone had been every day between 3 a.m. and 5 a.m.? Functionally that database would be a proxy for who you were sleeping with. Well, there is that database, because you have a phone. There isn’t anybody out there who should feel smugly secure.”
As the writer Walter Kirn so succinctly summed it up: if you live in our hyper-connected, data-rich world and you’re not paranoid, the only other option is that you’re crazy.
Security expert Bruce Schneier told me that there’s really no technical reason why more ultra-personal hacks like Ashley Madison haven’t already happened. Online, attack is so much easier than defense. The only thing standing between most online data and a hacker is the desire to obtain it. Political motives, Schneier said, are making hacks like Sony and Ashley Madison increasingly attractive.
“I think it’s just in the water,” he told me. “As more of it happens, people realize how effective it is. I think it’s going to happen more and more.”
A popular misconception is that you need to be targeted to be hacked. You don’t. Like Ashley Madison’s users, you might just wind up a casualty of the war. And while the Impact Team implored its casualties to just move on, it’s seemed easier for Ashley Madison to do that than for the people who used the site.
After the leak, the company reported hundreds of thousands of new users. (Ashley Madison did not respond to any of many requests for comment.) Curious as to how the site was faring, after the hack I made my own account, disclosing to anyone I corresponded with that I was a journalist. It appears to be thriving still, judging from the dozens of people who sent me messages through the site. A good number of those I interviewed who had been outed in the leak are, like Mark, surprisingly, still using the site. They knew about the hack, but didn't really seem to care.
We're quick to determine whether a hack was "wrong" based on whoever is the target of the hacking. But Schneier told me that this approach is wrong. As a society, instead, we need to decide how we feel about hacking.
“You do it to Don Trump's e-mail? I’m all in favor,” he said. “But you do it to Ashley Madison and most of us feel that these people deserve their privacy. We tend to look at the tactic through who the victim is. The question, though, is what is the validity of it. Is this tactic something we are opposed to?”
But how do you stop the database of ruin? How do we keep the hack of the future from destroying our lives?
Wizner suggested to me that maybe it’s time to think differently about the liabilities of companies and individuals in possession of our data. Some of the many class-action lawsuits unfolding against Ashley Madison are hoping to do that. Many of them seek to hold the company liable for its false promises of discretion and security. One aims to make stolen data legally toxic, hoping to make such leaks harder to spread. Legal protections that exist for people who create buggy software are intended to prevent the stymying of innovation. But maybe it's time that we prioritize security over innovation. Maybe it's time we prioritize our own privacy instead.
Wanting privacy for our text messages or Amazon orders or Uber rides doesn’t necessarily mean that we have something to hide. The reasons one might take an incriminating 3 a.m. cab ride or even sign up for a site like Ashley Madison are so often incredibly nuanced and complex or sometimes just hard to explain. Often, our private lives lack necessary context when exposed to the world against our will. Privacy is about being able to control how we present ourselves, both to the world and online.
Preserving the line between public and private is necessary to protect the private, individual self, whether you're cheating on your spouse or just have an embarrassing habit of making three a.m. burrito runs. All of that data is out there, waiting to expose our private selves to the public world. The line between our public and private selves is in danger of disappearing.
For Mark, even while still living in the safe haven of anonymity, his private self seems lost to the online world. His new Ashley Madison account contains absolutely no truthful details. He's been forced to adopt an alter ego, to exchange his private self for a made-up one.
Many of the e-mails Mark sends me end with some version of the same line: "I know my info is out there and I will never be comfortable again."
It's not just that he worries his wife will know he's cheating. He worries that his true self will be found out.
*These names have been changed to protect the anonymity and privacy of users of Ashley Madison.