Is it ethical to write about hacked Ashley Madison users?

August 21, 2015
Photo: AP

On Thursday morning, the hosts of an Australian radio show invited listeners to call in if they suspected their partners of cheating. The hosts would then search for the supposed cheaters’ names in the membership rolls of Ashley Madison, a dating Web site that appeals to married adults with the slogan, “Life is short, have an affair.” The site was hacked in July, and earlier this week, the personal details of tens of millions of users were leaked to the Web.

A female caller griped about her husband for a moment, and then the hosts of the Fitzy and Wippa Show typed in his email address.

“Yeah, he’s actually on the site,” Fitzy said.

“Are you serious?” the woman asked, clearly rattled, despite her earlier suspicions. “Are you freaking kidding me?” She sounded like she was going to cry, and hung up abruptly.

“I don’t know if we should have done that,” Wippa said after the caller was gone. “That hasn’t left me with a good feeling.”

That ethical queasiness has—or should have—afflicted journalists everywhere writing about the data dump, which involves the stolen personal data of almost 32 million Ashley Madison users going back to 2007, including names, birth dates, and partial credit card numbers. 

Sign up for CJR's daily email

The so-called “cheating site” marketed itself as a discreet dating site for married adults seeking extramarital affairs or other unconventional arrangements, though not all users met that description. While certainly not a household name before the hack, the site boasts a staggering 39 million “anonymous members” on its home page. 

Within hours of the data being posted on the Tor network, there was an easy way to search any email address online to see if it showed up in the Ashley Madison client database. A slew of articles followed. Gawker outed Josh Duggar, the star of 19 Kids and Counting, and supposed model family man. The Times-Picayune in New Orleans outed a GOP executive director who claims he started an account for research. The Washington Post wrote about patterns in the aggregate data, like how people lie about their birthdays, for example. The Associated Press used Internet Protocol addresses to identify users in the White House who logged in from their work computers, though not necessarily with their work emails.

Without judging the merits of each individual case, it’s clear that reporting on the private data of millions of ordinary Americans that has been stolen by unknown hackers raises serious ethical questions. Reporters are digging through people’s personal email addresses, home addresses, physical descriptions, and preferences, sexual or otherwise. Is this ‘Gawker Christmas’ as one Twitter user put it, a treasure trove of data just asking to be shared? Or should journalists honor users’ privacy, regardless of their questionable morality or naivete? 

“I don’t know if we even know the right questions to ask,” says Monica Guzman, vice-chair of ethics at the Society of Professional Journalists. “This is unprecedented in journalism, the frequency with which information that previously would not have been disclosed is being revealed.” 

The hacked data is not entirely reliable. Ashley Madison did not require users to confirm their email address, so anyone could have signed up using someone else’s information. In addition, an online user account does not prove that somebody cheated.

The hackers, who call themselves the Impact Team, said after the initial breach that they hacked Ashley Madison because it was both immoral and fraudulent. They alleged that many of the female profiles on the site were fake, and that the $19 ‘Full Delete’ option to erase a profile amounted to extortion. The hackers threatened to release the stolen client data if Avid Life Media, Ashley Madison’s parent company, didn’t take it and several related properties offline.

“We have explained to you the fraud, deceit and stupidity of ALM and its users,” the hackers wrote this week. “Now everyone gets to see their data.”

For some journalists, the argument is simple: there’s no putting the genie back in the bottle. The data is out there, and as long as we apply the journalistic standards of newsworthiness, public interest, and minimizing harm, why not treat it like any other information?

Guzman dismisses that argument. “Public is not the same as published,” she says. “If you’re a journalist, you are assuming responsibility for what you publish.” 

“We’re looking at these hacks like forces of nature. These are crimes, not tornados,” Guzman says. “Somebody made that happen. We should know who they are.”

In this case, the source of the information could undermine the credibility of the reporting, said Sean Sposito, a reporter and data specialist at the Atlanta Journal-Constitution. The data “came from folks who stole it, then it went into a black box, and then we don’t know what happened to it,” Sposito says. “Could they have added names?” 

He argues that even downloading and searching the data is questionable, regardless of whether it will be published. “From an ethical standpoint, do you want to have credit card numbers on your machine? Even partial credit card numbers, dates of birth?” This is especially true since the data contains information that can be used to identify someone even without a first and last name. “By downloading this, we’re violating their privacy,” Sposito says.

Mona Chalabi, a writer at FiveThirtyEight, said the editorial decision in her newsroom was not to use the data: “It’s just unfair to people. It’s unethical for us to use the data without their consent.” That might even be the case if you anonymized the data, because it’s highly unreliable, Chalabi says. People lie in online profiles all the time.

An AP journalist took a more sophisticated approach to mining the data. Instead of using the email addresses, he cross-referenced IP addresses of Ashley Madison users with internet registration records and found federal government employees who’d been using the site from their work computers at the White House and other government facilities. They include two assistant U.S. attorneys, a technology administrator in the Executive Office of the President, and a hacker for the Department of Homeland Security. The AP released the positions but not the names of the Ashley Madison users “because they are not elected officials or accused of a crime.” 

Guzman says that instead of focusing solely on the results of the hack, journalists should be focusing on the perpetrators. So far, there have been few repercussions—for companies or hackers—despite high profile leaks at places like Target, Home Depot, and Sony.

“Usually, journalism is about questioning those in power. And these hackers have a shit ton of power,” Guzman says, “I would love to see a story about that.”

Chava Gourarie is a freelance writer based in New York and a former CJR Delacorte Fellow. Follow her on Twitter at @ChavaRisa