Can’t [ESC] the Fine Print: Internet Privacy Inconsistencies In Relation to the Ashley Madison Scandal As Viewed Under Both United States and European Legal Frameworks [1]

BY NIKKI RIGL – “Life is short. Have an affair.”[2] is an online dating site for married persons: men are charged for each contact with a woman with whom they engage in deleterious infidelity.[3] Ashley Madison has recently received a considerable amount of media scrutiny as a list of more than 30 million users made its way to the internet, which was easily accessed, via name or email, on several websites.[4] The hack revealed customer names, credit card data, sexual preferences, and physical addresses, all of which simplify the process of  “hunt[ing] someone down.”[5] All current users, and even past users who are no longer active on the site, were at risk of having their data breached and publicly leaked.[6]

The United States has little recourse to protect the privacy of Ashley Madison breach victims. Because users act on their own volition to share their personal information to the site, and because Ashley Madison publicly makes aware that it “cannot ensure the security or privacy of information [one provides] through the internet,” all leaked confidential information is not entitled to fundamental privacy protection.[7]

Section 230 of the Communications Decency Act of 1996 (“CDA”) provides that “‘interactive computer services’ shall not be treated as the publisher or speaker of information created by third parties,” and, accordingly, the injunctive orders that courts would need to issue to remove such information from the internet could not stand: the CDA creates immunity from such injunctive orders for those sites.[8] The websites that host Ashley Madison’s leaked data merely publicize information already shared, and are thus inculpable of violating privacy of the initial information providers: the overly-trustworthy and unsuspecting cheaters on Ashley Madison. Our First Amendment “protects companies [and websites] that publish true information lawfully obtained.”[9]

The framework relied upon by most countries in Europe differs stridently from that of the United States and is known as the right to be forgotten.[10] While American courts generally limit the ability to retract information that is voluntarily made available to others, the laws of Western Europe have trended toward a more aggressive protection of privacy, regardless of the way in which the information is made public.[11] The right to be forgotten provides that a person possesses the right to erase personal data:

(1) when the data is no longer needed for the original purposes justifying its collection or processing; (2) when the data subject has given consent to the use of the data but later withdraws that consent; (3) when the data subject objects to the data processing because the data processor does not have a legitimate interest or if the data subject’s “fundamental rights and freedoms” override the processor’s interests; and (4) when the “processing of the data does not comply with this Regulation for other reasons.[12]

The names and information of users leaked from the Ashley Madison site seem to fall under the third category: cheaters on the site are being publicly outed and that reputation will precede them and be publicly available to any person who searches merely their name or other simple identifying information. Such a perversion of dignity would not likely stand under the right to be forgotten framework, and the websites hosting the names of breached users would likely be asked to remove such information from their publicly-accessible sites.[13]

While the right to be forgotten seems to provide better protection in an age where the internet is an ever-present, ever-accessible medium, its intricacies may not complement the constitutional underpinnings of the United States, especially as they relate to the First and Fourth Amendments.[14] Perhaps there is some other less restrictive framework, similar enough to the right to be forgotten, but more aligned with our existing privacy protections.

One might look to Finland as a model because its privacy standards look more to the way that private information is used and behaviorally approached by others, as opposed to the way in which private information is controlled and disseminated. In Finland, for example, there are laws “forbidding potential or current employers from using digital means to acquire information on an employee, absent their notification and consent.”[15] The Ashley Madison scandal would not have achieved a significant benefit from such a statutory modification. However, revising the code to the aforementioned standard would be a positive inroad: instead of trying to constrain the ubiquitous entity that is the internet, the better strategy may be to alter the application and use of any and all information that is disseminated therefrom.


[1] Jessica Ronay, Adults Post the Darndest Things: [CTRL + SHIFT] Freedom of Speech to [ESC] Our Past, 46 U. Tol. L. Rev. 73, 73 (2014) (using and inspiring the use in this article title of computer jargon in brackets as a part of the title).

[2] Online Cheating Site AshleyMadison Hacked, Krebs On Security (July 15, 2015), (quoting’s slogan).

[3] Adam Tanner, Even in the Tinder Era, Adultery Site Ashley Madison Keeps Making Money Hand Over Fist, Forbes (Jan. 21, 2015, 10:26 AM),

[4] See Flaws Found in Ashley Madison Password Protection, BBC News (September 11, 2015),; see also CNN Wire, Ashley Madison Cheaters List Now Searchable by Name and Email, WGNO (Aug. 20, 2015, 5:28 PM),

[5] WGNO, supra note 4.

[6] Krebs, supra note 3 (“For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.”).

[7] WGNO, supra note 4.

[8] Karl S. Kronenberger, The Tension Between Principles of “Sunshine Laws” and “The Right to be Forgotten”: Trends in the Treatment of Personal Information on the Internet, in Understanding Developments in Cyberspace Law 1, 3 (Aug. 2014), available at 2014 WL 3810646 (citing the Communications Decency Act of 1996, 47 U.S.C. § 230).

[9] Andrew R. W. Hughes, Does the United States Have an Answer to the European Right to be Forgotten?, 7 No. 1 Landslide 18 , 19 (Sept./Oct/, 2014).

[10] Robert Lee Bolton III, The Right to be Forgotten: Forced Amnesia in a Technological Age, 31 J. Info. Tech. & Privacy L. 133, 134 (2014).

[11] Id. at 136.

[12] Ronay, supra note 1, at 79-80.

[13] See Jeffrey Rosen, The Deciders: The Future of Privacy and Free Speech in the Age of Facebook and Google, 80 Fordham L. Rev. 1525, 1531 (2012) (explaining how dignity protects the norms of social respect that we expect and give to one another and the variance in treatment and interpretation of dignity by country).

[14] See Bolton, supra note 10, at 144.

[15] Id. at 134-135.

Leave a Reply

Your email address will not be published. Required fields are marked *