Last night’s basically unprecedented Ashley Madison data dump will probably drastically alter (read: fuck up) a bunch of lives. It will not, however, change the way we secure ourselves online.
Now, there are a number of ways to look at the mass exposure of the personal information of people who were allegedly signed up for an adultery site. But regardless of where you stand, it’s hard to find any way around the notion that, whether you signed up for work/as a gag/with consent from a spouse/to escape a loveless marriage/on behalf of somebody else as a prank/just to see what it was, the presence of your name on that list will be consequential for a significant number of humans. Which is to say that this hack perhaps makes the strongest case yet for thinking deeply and excruciatingly about every minute detail of one’s online footprint and adopting stringent guidelines for securing the constant, harried, and usually lazy activity that takes place across dozens of sign-in sites on a given day.
There’ve been plenty of other cautionary tales: ‘The Fappening’, the Sony hacks, the Snowden leaks, the Adobe data breach, J.P. Morgan’s hack, Target’s credit card data meltdown, the Heartbleed flaw. All took different forms, but landed at the same conclusion: online security is flimsy at best, and your deepest personal information is always under the threat of surveillance or seizure by anyone from your government to Canadian teenagers.
After each of these events, waves of ‘how-to protect yourself’ guides crashed onto the internet, claiming to help users to secure their information. After an initial flurry of password resets or maybe some scattered downloads of a password manager from a diligent few, the fear subsides. Many forget the constant specter of an online security threat and settle right back into their bad behaviors.
Like, really bad behaviors. Perhaps the best place to look for this is SplashData’s annual list of the most used passwords. For years, “password” was the world’s most popular, uh, password, only to be replaced in 2013 by the equally pathetic “123456.” Human beings have limited memories and convenience is very appealing, especially when the average 25- to 34-year old has 40 active online accounts — that’s a lot of information to guard vigilantly.
It’s not just about laziness, though. For some, lackadaisical security is a result of a certain breed of privilege — after all, the specter of some low-grade identity theft is only scary if you don’t have a cushion. For others, it’s a matter of pure ignorance: For anyone who hasn’t come of age in the time of bi-monthly high profile hacks and two-factor authentication or been informed by an enlightened friend/employer/internet article, doing anything more than setting up an easy-to-remember password is rightfully foreign.
And then there’s the — I’d guess — large swath of active internet humans who know better and look the other way (self included a good bit of the time!). There is, it seems, a deep sense when most people use the internet that bad things will happen to other people, but not them. That, the likelihood that, in all of the wide expanses of the internet, it is statistically pretty unlikely that their number will be called and their privacy invaded. That, for the most part the software that powers the internet is reasonably safe and secure, when really, it's built by humans and massive and of course it's deeply flawed. Or, at the very least, that there are simply too many holes to plug and so why do the hard work of filling any of them? It’s the same kind of thinking that prevents people from buying renters’ insurance or getting that weird mole checked out. It’s willful ignorance, and we are all guilty. Even those who report on cybersecurity understand that the infrastructure and nature of the current internet makes total online safety seem essentially futile, as Kashmir Hill notes in her piece on the Ashley Madison hack:
But, at the end of the day, what can you do? You just keep living, knowing that it’s impossible, in this day and age, not to create potentially incriminating data trails. And you hope the place where your most embarrassing data trail lives doesn’t become the target of hackers.
As Hill suggests, it’s hard to have a come-to-Jesus moment about security when getting hacked at some point in your life seems, at this moment, almost inevitable. After all, even an Ashley Madison user taking plenty of precautions could have been exposed by this hack. As leaked documents show, the company made millions guaranteeing their users the right to have their potential indiscretions forgotten.
Perhaps the only real way to change this is to change the way that we think about the internet at large — to recognize that the banking, shopping, dating, flirting, cheating, socializing done online is different but no less real than what happens in the physical world, and, often times, far easier to be used maliciously against you. This sounds obvious, but there’s still a meaningful disconnect between those who shred every physical piece of paper they receive from their bank those who sign up for a cheating site with their work email.
And in recognizing and accepting that the pain, loss, and reputation damage caused by the internet is equally, if not more, devastating and ruinous than all the pain, loss, and reputation damage in the real world, we can begin to demand from tech companies and the regulatory bodies that oversee them not only transparency but a more sophisticated way of protecting our data. As writer and programmer Paul Ford wrote last month when the initial news of the Ashley Madison hack broke, some reasonably simple security measures allow “for encrypting personal information inside of databases so that, even if someone downloads everything in your database, all they have is a big mess of encrypted data.” This, Ford argues, “would have made it far more difficult for hackers to extract tons and tons of sensitive information from the Ashley Madison database.”
As Ford writes, this particular hack is not the users’ fault — the system is broken. But a deeper understanding on our part of what constitutes our online footprint — that the choices we’ve made seemingly in private are never 100 percent off the record; the idea, as wrong or hard as it may be to stomach, that we must live, even privately, as though we’re being watched — might allow us to hold those who provide services and make products to a higher standard.
When these sorts of hacks appear, the greater internet has a way of talking about them as a strange bit of science fiction, glimpsed in the present. The event is described as dystopian — a vision of our future before it becomes reality. The worst case scenario. But to call it dystopian suggests there’s some kind of imagining going on, here. In actuality, there’s nothing dystopian about it. This is our reality. And for the foreseeable future, it’s unlikely to change.