Every day for nearly two weeks, Troy Hunt, an Australian Internet security expert, has opened up his computer to find a plea for help from someone on the edge.
“I have contemplated suicide daily for the past week,” one person recently told Mr. Hunt. “My two beautiful children and my wife are keeping me alive. I am very worried that her family and others will find out, making it extremely difficult for her to stay with me.” Another wrote, “I imagine my grown kids finding out, my neighbors, friends, co-workers, and sometimes I just want to end it all before facing something like that.”
Mr. Hunt runs Have I Been Pwned?, a site that lets people determine if their data has been compromised in one of the online security breaches that have made headlines over the last few years. For the victims, most of those breaches resulted in little more than minor frustrations — changing a password, say, or getting a new credit card.
But the theft and disclosure of more than 30 million accounts from Ashley Madison, a site that advertises itself as a place for married people to discreetly set up extramarital affairs, is different. After the hacking, many victims have been plunged into the depths of despair. In addition to those contemplating suicide, dozens have told Mr. Hunt that they feared losing their jobs and families, and they expected to be humiliated among friends and co-workers.
There has been a tendency in the tech commentariat to minimize the Ashley Madison breach. The site has always seemed like a joke and possibly a scheme, and those who fell for it a testament to the Internet’s endless capacity to separate fools from their money.
But the victims of the Ashley Madison hacking deserve our sympathy and aid because, with slightly different luck, you or I could just as easily find ourselves in a similarly sorry situation. This breach stands as a monument to the blind trust many of us have placed in our computers — and how powerless we all are to evade the disasters that may befall us when the trust turns out to be misplaced.
“I feel reticent to blame people for ignorance or the consequences of their actions when they’re simply sitting there at home doing something perfectly reasonable in an environment where there was an expectation set for privacy,” Mr. Hunt told me. “I think what this does is demonstrate that everything you put online may become public.”
There are several steps to take to minimize future damage from hackings like this one. But first, we could all become a bit more tolerant of online lapses; maybe the way to solve the problem of rampant disclosure of private stuff is to strive to look away from the stuff when it leaks — and to give those who’ve been harmed the benefit of the doubt.
Second, we should all learn a little “opsec” — hackers’ jargon for “operational security,” or a guide for conducting yourself online to minimize the possibility of your secrets getting spilled. It wouldn’t hurt the tech industry to help us in that endeavor, building warnings and guidelines into the same machines that are leaking our secrets. Perhaps we should even start teaching opsec in schools.
So, Step 1: Even though it may be difficult, try to give people caught up in this breach the benefit of the doubt. Sure, some Ashley Madison users may have been unsavory, but some were not — and who among us doesn’t have something to hide?
“It’s easy to be snarky about Ashley Madison, but just because it’s unpopular or even immoral, it doesn’t mean this sort of activity shouldn’t be protected,” said Scott L. Vernick, a lawyer who specializes in digital privacy issues at the firm Fox Rothschild. “This gets at fundamental issues like freedom of speech and freedom of association — today it’s Ashley Madison, tomorrow it could be some other group that deserves protection.”
Everyone has some data — probably a lot of it — buried in their vast digital record that they would rather not disclose publicly. That problem will grow; in the last couple of decades, computers have come to function less as office tools than as friends and therapists. The digital world has become a place to offload your deepest fears and desires, to seek discreet counsel and surreptitious amusement under the veil of privacy offered by an LCD screen.
But much of that privacy is an illusion. If hackers can get at our fetishes on Ashley Madison, they can get at anything else — your nude selfies (don’t deny them), your embarrassing taste in music (Nickelback’s early stuff was great), your health records or whatever else you would prefer remained secret.
Given that inevitability, it might be best to approach disclosures like this one by consulting the Golden Rule. When you hear of some new breach, don’t sniff around the pilfered documents for other people’s secrets if you wouldn’t want others to dig into yours. Mr. Hunt’s website, Have I Been Pwned?, abides by this policy; he requires that people verify they own a particular email address before searching his Ashley Madison database.
Many other search sites are not as scrupulous, which Mr. Hunt said has inspired an army of busybodies to search for everyone they know. But he pointed out that the snoops might not have considered mitigating factors in this hacking. Ashley Madison did not ask users to verify email addresses, which means anyone could have signed up with someone else’s email address. Others may have logged on just once, because they were curious, joking, intoxicated or being ironic. In other words, a positive hit in the Ashley Madison database doesn’t tell the full story. And, anyway, the full story may be none of your business.
“Some people need to get a life,” Mr. Hunt said.
Of course, some people won’t get a life; they’ll want to search for you. That brings us to Step 2 in the plan for better privacy: When you’re online, act as if everything you do is public. If you’re engaging in anything that may one day come back to haunt you, take precautions: Create a fake name, fake email address, perhaps use a different device, and try to separate your underground identity from your true identity.
This is easier than it sounds. A person who goes by the handle thegrugq, the author of a blog called Hacker OPSEC (and whose real identity is, of course, a secret), has published several practical guides that explain how to protect your information online. If we, collectively, were to begin to take online security more seriously, such guides could be taught in schools — imagine a kind of home ec for computer security. It would be even better if our computers somehow warned us when we were violating these practices — say, a pop-up warning if your machine detected you were typing a work address on an adult site.
Still, thegrugq counseled in an email, these precautions are not foolproof. “Security is a trade-off against efficiency, and that can be very painful,” thegrugq said. “Few people will reduce the ease with which they can do something just because it might have a future benefit (just ask economists)!”
But maybe the dangers will prompt us all to remain vigilant. “True online security is not just defending against compromise, it’s operating under the assumption that compromise will happen,” SwiftOnSecurity, a security expert who assumes the online persona of a security-minded version of the pop star Taylor Swift as a kind of Twitter-based performance art, told me in a private chat. She added: “Your online life will extend across 60+ years. Imagine the changes. Imagine the disasters. Imagine what the world shouldn’t know about you that someday it will.”