[BreachExchange] Breaking Up With Ashley Madison: Limits on Retaining Information About Past Users

Fri Dec 2 15:22:38 EST 2016

http://www.lexology.com/library/detail.aspx?g=5045e593-29cb-4afe-9521-
bbac0a6404ec

When a person deactivates, deletes or disengages with his or her profile on
an online service, what happens to that person’s personal information? When
a person leaves, does personal information stay?

In 2015 Ashley Madison, an online dating website known for connecting users
to explore or engage in extramarital affairs, was hacked and the personal
information of 36 million users was publically exposed. The data breach
prompted a joint investigation by the Canadian and Australian privacy
regulators. While the investigation focused primarily on the adequacy of
Ashley Madison’s information security practices, it also considered the
website’s practice of retaining personal information of users whose
profiles had been deactivated, deleted, or become inactive.

An Escape Route for Users

Before the data breach, if a user was no longer interested in using the
Ashley Madison service, the website offered two formal options for cutting
ties. A basic deactivation removed the user’s profile from search results,
but profile information and messages sent to other users prior to
deactivation remained visible to those other users. A full delete, for a
fee of C$19, removed all traces of the user’s profile from the website. In
the case of deactivation, Ashley Madison retained information associated
with the account indefinitely, on the basis that many users return to the
website, and when they do, they want their original profile to be available
to them. Information associated with inactive accounts was also retained
indefinitely, for the same reason. In the case of a full delete, Ashley
Madison retained information associated with the account for 12 months, in
order to protect against the possibility that departing users may
fraudulently attempt to make a credit card ‘chargeback’.

A Right to be Forgotten?

Under Canada’s Personal Information Protection and Electronic Documents Act
(PIPEDA), personal information may only be retained for as long as
necessary to fulfil the purpose for which it was collected. Under the
Australian Privacy Act, personal information may only be retained for so
long as it may be used or disclosed for a purpose permitted by the
Australian Privacy Principles. In both cases, the information must be
retained as long as otherwise required by law. When it may no longer be
retained, it must be destroyed or de-identified.

The joint investigation found that with respect to deactivated and inactive
accounts, after a prolonged period of inactivity it becomes reasonable to
infer that the user is unlikely to return, and therefore the personal
information is no longer required for the purpose for which it was
collected (to provide the online dating service). In fact, it was found
that 99.9% of users who reactivated their accounts did so within just 29
days. Therefore, the indefinite retention of personal information was
excessive in this case, and contravened Canadian and Australian privacy
laws. The investigation also found that the prevention of fraud was a
reasonable basis for retaining information for a limited period after a
full delete.

When it comes to the retention of personal information about past users,
the business needs of an organization must be balanced with the privacy
rights of individual users. Online service providers should establish
maximum retention periods for all personal information which they collect,
but particularly for information that identifies past users. The Ashley
Madison breach made it clear that in a particularly sensitive context, the
public release of a user’s name alone can have devastating consequences for
his or her personal life. In general, a person who decides to log-out of an
online service for the last time, should have the right to re-take control
of his or her past. A person should have the right to be forgotten.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161202/4d4c0fbd/attachment.html>