In the comments on the TPB torrent of the original leak people were debating the legality of downloading/having this information on their computer. Irony of that situation aside, if I was interested in studying these leaks how much legal danger would I be putting myself in by grabbing them? I'm US based.
Guess it depends if anyone is being paid to log the IPs in the swarm and do anything with them.
I'd imagine if you treat it like downloading a TV show or something and use a suitable VPN you'll be mostly fine. Probably just comes down to how much someone is willing to pay to go after people downloading it.
Otherwise I expect others to analyze the dump and publish their findings in less dodgy formats.
It's really hard to imagine that AM would go after the downloaders. That would be like pour oil on a fire. Imagine the extra amount of publicity their idiotic security would get.
Maybe I'm naive, but I'm hoping that the lawsuits from this will be the start of a push for data-breach insurance, and that the insurers, as Bruce Schneier has been advocating for many years, will force the security that the marketing VP doesn't see the need to pay for.
Maybe you are naive, but you are certainly not as naive as the marketing VP who didn't see the need to pay for security, and is today watching in horror as his business is getting hacked to hell.
Is this marketing VP a real person or just a hypothetical scenario? Because it doesn't make any sense to me that a marketing VP would have any decision making power about the need for security.
In my experience, non-technical stakeholders can have disproportionate authority over technical decisions. For example, if a security best practice results in slower logins, the development team could get immediate pushback to speed up the process, even at the risk of weaker security.
Risk can be difficult to quantify, and if the focus is on chasing the short-term, you might be told to damn the torpedoes and get the product launched.
In every programmer's experience, security can have a disproportionate amount of influence. For instance, they are unwilling to do any real development, yet have the authority to demand their stuff be used.
There is no reason any authentication process has to use more than a single request + single response (and a single request and immediate reply from the auth server). The usual concerns like replay attacks, allowing third parties to relay data for the auth server can all be solved using encryption. In 15 years of working as a developer, I have encountered one company that actually does this both correct and fast. Security departments demanding that user authentication happen over an LDAP+Kerberos connection, for example, are commonplace and this is stupid and very slow, for no good reason.
Hypothetical here, but I can very easily picture a world in which the Marketing VP decides whether the programming team spends [amount of time] hardening/reducing customer data storage, or implementing some new whiz-bang feature they can put on the homepage.
It seems weird that CIO type decisions would ever roll up to the Marketing VP.
Having worked on a company that sold multifactor auth software in the mid 2000's, I can tell you most companies won't pay for software until there is a breach.
This is not unlike home owners installing alarms until after a breakin has occured in the neighborhood.
Could be that I'm naive as well, but personally, I hope that people will finally get the message Snowden tried to pass and in the process sacrificed his future (and maybe even his life) for: We're about to abandon our privacy.
I'm not downvoting. I'm not pro-cheating either. People should have sexual freedom and be open about it with their partners, if they feel the need for it, to be happy.
I see the need for privacy at all level of our lives. Unless we all make a democratic and informed choice to drop this value. But since this requires enormous maturity, society might be ready for this in a couple of hundred years.
I think it's not a direct dig at AM but more at the attitude a lot of higher ups have had about these kinds of breaches[1]:
"It’s a valid business decision to accept the risk” said Jason Spaltro, who is now Sony Pictures' senior vice president of information security, in the interview. “I will not invest $10 million to avoid a possible $1 million loss."
I would imagine they'd come up with an algorithm to calculate the cost of lawsuits and lost business that would happen should an AM-magnitude leak occur.
19. ARBITRATION AND CLASS ACTION WAIVER
....
D. Class and Consolidated Claims Waiver
It is agreed that neither party shall have the right
to participate as a class representative or class
member with respect to any Disputes subject to
arbitration under this Agreement or any Dispute
between the parties. The parties also waive any
right to assert consolidated claims with respect to
any Disputes subject to arbitration under this
Agreement or any Dispute between the parties.
Such clauses are generally enforceable in the United States, as far as I can tell from a bit of Googling. It looks like in Canada, enforceability depends on whether the alleged misdeeds of the defendant arise from a violation of common law or a violation of specific consumer protection acts.
The "Disputes subject to arbitration under this Agreement" seem to be set out in 19.A, which is titled "Scope", and the TL;DR of that section would be "everything, except Ashley Madison can use the courts instead of arbitration if they wish to sue you over intellectual properties, confidential information, or illegal activity".
They do have one exception, given in 19.C, titled "Small Claims", which says:
Both parties retain the right to file any claim that
is not aggregated with the claim of any other
persons and whose amount in controversy is properly
within the jurisdiction of a court which is limited
to adjudicated small claims.
Yeah, you certainly don't have to feel bad for the victims, but we should all question whether the hackers are producing an overall net positive effect.
Well, if you believe the hackers' motivation for doing this, I don't think it's about producing an overall net positive effect at all, just righting some perceived wrongs.
The perceived wrongs are not that AshleyMadison enabled married people to cheat on their spouses. What the hackers have said was their motivation is that AshleyMadison has lied to their users about the userbase, which is supposedly 90+% male, most of which have likely not engaged in an affair since most of the accounts they would interact with are supposedly fake. I don't think a net positive effect can come from this.
In security, there's often no choice but to rely on leaked data. There is generally no other source of things like password hashes reflecting real-world user passwords.
So the question then becomes "Is it ethically appropriate to perform security research that requires realistic data at all?". With the caveat that blackhats can and will do research and use the results privately no matter what the rest of us do.
IMHO, the ethics are similar to the use of data obtained by German/Japanese scientists during WWII: the violation is on the persons who directly acquire the information; but, once obtained, those who receive it indirectly aren't ethically liable.
While I won't be downloading the data to my own server, I have no issue with others analysing it nor with reading analyses by those folks. Especially ones like this one, which is essentially anonymous.
As long as the action stops at analysis, and doesn't provide tools for others to easily go further, then that seems fine to me.
There is an older discussion on HN on these topics. Think again what the site really was: probably 95% of visitors were men. That means that maybe 18 from 20 didn't find a "match"? Moreover, somebody mentioned that there were fake female profiles. Reduce the number of successful "matches." Most of the visitors probably didn't do anything. "But they intended!" can somebody say "and that is enough." Well then think again. How many weren't actually in relation but expected to get the "match" easier on the site where potential (not actual!) members aren't prepared to the long-term bind to the "matched" partner. Etc.
Do you still consider all these poor dastards as the big "sinners?" Which percentage of the persons on the lists "deserve" anybody's "wrath"? Do you really want to condemn everyone? Does that match your moral values? You can even ask how many of these hopeful to "do something" actually didn't do anything exactly because they tried to use the given site instead of, like, approach somebody who they knew in the physical world and who would respond, so maybe even the site existence was a "net positive" considering the happened and "intended" number of "immoral" acts?
I think saying "it's hard to feel bad for" is a far cry from "condemning everyone". This is a lot of words to try to absolve the members of a site explicitly about cheating on your partner of any wrongdoing.
Do you have any proof that even more than 50% "cheated"? I gave you arguments that it can be estimated that maybe one in 30 actually did cheat? Why do you want to condemn (edit: the more correct word were "accuse," I agree, but you did write that the given arguments don't "absolve" them, which implies that you've already found them "guilty") 29 of 30 people for actually doing nothing, most of them, according to their own data, not even being in relation?
All I said was that Ashley Madison explicitly markets itself as a site to cheat on your partners. You'll find plenty of people (myself included) who think engaging in a sexual relationship knowing that your partner is in a committed relationship is immoral alongside cheating on a partner.
just some post before (if they can't be absolved then they are, if I understand, already "guilty" in your view).
Do you want to accuse as "cheaters" 30 people on the list when only one of them cheated? When half of them weren't in the relation at all? Is that a moral thing to do?
I'm not accusing them of being cheaters, I'm accusing them of signing up for a website with the explicit goal of either cheating on your partner or entering a relationship with someone who is doing so. Whether or not that's moral is up the individual to decide (in my eyes, it's not, but that's pretty irrelevant to my point). Either way, leaking the data was NOT a moral thing to do.
> I'm accusing them of signing up for a website with the explicit goal of either cheating on your partner or entering a relationship with someone who is doing so.
Are they "guilty" even if that very action of them (signing in to the site and "just looking") effectively reduced the total number of cheats in the world? Is the site "guilty" if their "grand total" had the same effect?
No, it's not equivalent to cheating on your partner, but it's still wrong.
Much like drawing/distributing pictures of sexualized children is still wrong even if it's an outlet that (and you can't prove this, which is where the real problem with your logic lies) prevents a child from being abused.
The start of this discussion was the assumption that every person on the list made the actions that hurt others, validity of which I questioned (asking if even the majority did something that hurt anybody, giving the arguments that with the high probability most didn't actually hurt anybody and maybe even reduced the number of actual "cheats"). And you claim that you "don't condemn" everybody but still find everybody "guilty" for doing the "wrong" thing to the equivalence of an unproved but possible child abuse. O-K.
Quite the edit there. The start of the discussion was someone saying he found it hard to feel bad for those outed by the leak and then you writing some paragraphs about how he was condemning those individuals. All I was trying to add was a little nuance.
> Are they "guilty" even if that very action of them (signing in to the site and "just looking") effectively reduced the total number of cheats in the world?
This is what I was talking about, it's a classic defense of cartoon depictions of child pornography, which I find immoral. Go to a therapist if you're struggling with the temptation to cheat on your significant other, not a dating site for cheaters.
1. Not all users of the site were married/in a relationship.
2. Signing up for a site like this isn't an admission of wanting to commit adultery.
3. There is/was no email verification, so anyone can sign up using any email address they choose.
4. Not all users of this site were in monogamous relationships i.e. swingers.
I don't condone AM's business model, but there are many details that aren't known that simply having ones email in the database doesn't equate to actually hurting others.
You don't have to feel bad for the victims - what they did was immoral, after all. But it wasn't illegal. And if we start cheering for moral brigades to leak data about perfectly legal actions, things get dark quickly.
Imagine a patient list for an abortion clinic. Now, I don't think abortion is immoral. But plenty of people do. And you can bet they'd absolutely leak that information, which could also ruin lives.
Do you still consider all these poor dastards as the big "sinners?"
This is exactly the problem - maybe I think they are. Maybe you don't. Maybe someone else thinks anyone that did so much as load up the web site deserves to go to hell. But that's why making judgements about leaking based on your personal morals is bad, bad, bad.
Adultery is a crime and/or a tort in many jurisdictions worldwide. And I'm not just talking about places like Saudi Arabia - it's a crime in 21 US states, including New York and Massachusetts. Did Ashley Madison take any efforts to prevent access from jurisdictions where adultery is illegal? I doubt it.
I'm not defending the data leak. It is criminal, and two wrongs don't make a right. But you can't compare an abortion clinic, operating in a jurisdiction in which abortion is completely legal, to an organisation seeking to facilitate what is criminal and/or tortious behaviour in many of the jurisdictions in which it chooses to operate.
Mr. Felder, who is also a former federal prosecutor, said the criminal ban on adultery has no practical significance. “It’s a celebration of hypocrisy, with a nod of the head to religion over reality,” he said.
I think it's fair to say that - within the US at least - laws against adultery are leftover relics from another time. Apparently there is still a $25 fine for flirting in public on the NY books. As the article states:
About a dozen people have been charged with adultery since the early 1970s, most of them upstate. (Most of the charges were dismissed, or apparently were dropped after the defendants pleaded guilty to other charges.)
Adultery is very much illegal, and actively prosecuted, in the US military. According to news articles, their customer database included thousands of .mil email addresses.
They didn't even make a token effort to deny access to email addresses belonging to a TLD whose controller criminalizes adultery.
If a law is on the books, and has not been found unconstitutional, then it is sitting there waiting for a prosecutor to use it. In 2004, divorce attorney John R. Bushey Jr. was criminally prosecuted for adultery in Virginia. The prosecution dropped the charges after he agreed to do 20 hours of community service - I understand primarily because the ACLU wanted to pursue the constitutionality of the law, and the prosecution didn't want the risk and expense of that. No conviction was recorded, but I'm sure it was a stressful experience for him, and the prosecution probably thought the stress well-deserved. Why wouldn't they do the same in the future?
No one knows whether laws against adultery are constitutional in the US. Some argue on the basis of Lawrence v. Texas they are not, but the US Supreme Court has never addressed that precise issue, and it could rule either way if it was ever presented with it.
Is an internationally-available Internet service running legally in its source jurisdiction obligated to prevent people from using it to break their local laws either legally or ethically?
Ethically, that depends on whose ethics you are talking about. Some people say we are ethically obliged (within reason) to obey the law, even if the behaviour the law prohibits is not in itself unethical - those people would likely say "Yes", at least in some cases. Other people deny that there is any ethical obligation to obey the law, except when the law's demands happen to be the same as those of ethics, so those people might answer "No".
Legally, the answer can be yes. If I commit a crime in country A, and you in country B help me, then you've likely committed a crime (as an accessory) under the laws of A too - even if B doesn't recognise my or your behaviour as criminal. Now, B will probably refuse extradition, but if you ever voluntarily come to A, you would be at the mercy of A's legal system.
Are there really any court sentences in the US, in, let's say, the last 20 years, for "helping somebody committing adultery?" How much a "helper" can get?
I don't believe so. But on the other hand, it's not like laws stop working if you don't use them.
Under Utah law, adultery is a class B misdemeanor (Utah Code 76-7-103), so conspiracy to commit adultery is a class C misdemeanour (Utah Code 76-4-202). So I think if a married person in Utah used the Ashley Madison website to arrange an affair, a Utah district attorney could justifiably charge Ashley Madison and/or its employees with conspiracy to commit adultery. Now, a class C misdemeanor, the maximum punishment is 90 days in jail (Utah Code 76-3-204), and a maximum fine of $750 for a natural person (Utah Code 76-3-301) and $1000 for a corporation (Utah Code 76-3-302) - so a DA might well decide it is not worthwhile. But, if they wanted to prove a point, I can't see why they couldn't bring the charges. Maybe if they had some personal connection to the affair; or maybe they might think the publicity would help their re-election campaign. Since Ashley Madison is based in Canada, I doubt Canada would agree to extradition - but if its employees or owners venture into the US, their extradition to Utah could be sought - intra-state extradition in the US is legally available even for misdemeanours. Now, if it all got this far, and further, the Supreme Court might decide laws against adultery are unconstitutional, but then again they might not decide that (or might refuse to hear the appeal). While I agree the story I'm telling here is somewhat unlikely to actually happen, I don't think there is anything legally impossible about it, and I'd call it somewhat unlikely rather than highly improbable.
Evidence obtained illegally is only inadmissible if the illegal act was committed by a government agent. Evidence obtained through the illegal act of a private party is perfectly admissible. See Burdeau v. McDowell: https://supreme.justia.com/cases/federal/us/256/465/case.htm...
There's a great business model: a private company that hacks for the prosecutor in deserving cases. Probably make some good money, and do a public good!
In a scenario in which a private actor, of its own volition and for its own reasons, decides to conduct a search, and then chooses to reveal the results of the search to the government, it is clear from Burdeau v. McDowell that evidence should not be excluded. But if a company's primary business was performing warantless searches for the government, paid for by the government and at its direction, I think it is very likely a court would find that private actor to be a government agent, and thus evidence collected should be excluded. If an arrangement exists for the primary purpose of evading the Fourth Amendment, many judges would disapprove of that and try to shut it down. But to my limited knowledge, this scenario has never been presented to a court.
Soooo, the funding has to come from somewhere else, I get it. How about a sort of kickstarter for hacking deserving people/organizations? Just brainstorming here.
> Its hard to feel too bad for the victims of these attacks
That's only if you assume the victims are people with membership on the site. Think about the people that might have moved on, reconciled, or otherwise have already dealt with it. The people that might only be related.
Imagine being the wife or husband of someone on this site, and having already dealt with this in private. Now suddenly it's out there for everyone to see. Your privacy has now been violated. Now you have to deal with this all over again.
Imagine being the child of one of these members. Now you have to deal with the stigma of that hanging over your head. Being teased and mocked.
I can't imagine not feeling bad for the victims of this attack, and I hope the perpetrators are caught. Their actions were reckless, and will hurt a lot of people who were not even involved.
When this happened to SONY, they went dark immediately and rebuilt from the ground up... Seems to the be the "right" approach, as opposed to business as usual from ALM. You have to wonder if they aren't still infiltrated.
I'm surprised - though perhaps not really - to see that this new data contains the CEO's e-mail. If the aim was to punish Ashley Madison (as the leak team have suggested), why not leak that first, before customer details and credit card transactions?
Attention. Get people to pay attention because the leak of customer data is personal (it'll probably affect you or someone you know), and then release the really damaging data once the press cycle has started and everybody's looking for more information.
The Snowden leak had a similar structure: it started out with PRISM (which affected every American, and caused widespread indignation), then Snowden claimed responsibility (trying to get out ahead of official government investigations, putting a human face on the leaker and controlling the messaging), and then they followed up with a number of even more damaging leaks (eg. MUSCULAR, the Merkel cables, etc.) once they had the world's attention.
>Attention. Get people to pay attention because the leak of customer data is personal (it'll probably affect you or someone you know), and then release the really damaging data once the press cycle has started and everybody's looking for more information.
Then they probably should have released the first data dump on Monday and the second dump on Tuesday. By the time the media dig through the CEO's emails it'll be Friday and lose a lot of steam over the weekend.
I think they did - the first Reddit post on it [1] is dated 4 days ago, and the torrent [2] was datestamped for just after midnight on Sunday morning.
My guess is that the timing didn't go according to plan - they picked an obscure subreddit to post on, and the first press coverage didn't happen until Tuesday night (having apparently heard about it on Tuesday morning). And then it's generally a good idea to let at least 2 days pass between press releases, otherwise the public doesn't have a chance to absorb the first media cycle. They probably hoped it would be noticed on Sunday night, hit the press first thing Monday morning, and then they could follow up with the CEO dump on Wednesday.
82 comments
[ 2.0 ms ] story [ 160 ms ] threadI'd imagine if you treat it like downloading a TV show or something and use a suitable VPN you'll be mostly fine. Probably just comes down to how much someone is willing to pay to go after people downloading it.
Otherwise I expect others to analyze the dump and publish their findings in less dodgy formats.
(side note: every time I hear "AM", I think "Aggressive Menace", which sounds about right)
Risk can be difficult to quantify, and if the focus is on chasing the short-term, you might be told to damn the torpedoes and get the product launched.
There is no reason any authentication process has to use more than a single request + single response (and a single request and immediate reply from the auth server). The usual concerns like replay attacks, allowing third parties to relay data for the auth server can all be solved using encryption. In 15 years of working as a developer, I have encountered one company that actually does this both correct and fast. Security departments demanding that user authentication happen over an LDAP+Kerberos connection, for example, are commonplace and this is stupid and very slow, for no good reason.
Who is this marketing VP who covers data breach insurance with their marketing budget? Now they're the ones making product decisions?
Having worked on a company that sold multifactor auth software in the mid 2000's, I can tell you most companies won't pay for software until there is a breach.
This is not unlike home owners installing alarms until after a breakin has occured in the neighborhood.
I see the need for privacy at all level of our lives. Unless we all make a democratic and informed choice to drop this value. But since this requires enormous maturity, society might be ready for this in a couple of hundred years.
From their [terms and conditions](https://www.ashleymadison.com/app/public/tandc.p?c=1) that you have to agree to:
Such clauses are generally enforceable in the United States, as far as I can tell from a bit of Googling. It looks like in Canada, enforceability depends on whether the alleged misdeeds of the defendant arise from a violation of common law or a violation of specific consumer protection acts.The "Disputes subject to arbitration under this Agreement" seem to be set out in 19.A, which is titled "Scope", and the TL;DR of that section would be "everything, except Ashley Madison can use the courts instead of arbitration if they wish to sue you over intellectual properties, confidential information, or illegal activity".
They do have one exception, given in 19.C, titled "Small Claims", which says:
The perceived wrongs are not that AshleyMadison enabled married people to cheat on their spouses. What the hackers have said was their motivation is that AshleyMadison has lied to their users about the userbase, which is supposedly 90+% male, most of which have likely not engaged in an affair since most of the accounts they would interact with are supposedly fake. I don't think a net positive effect can come from this.
Do you think it's ethically appropriate to analyze the leaked data, and publish those analyses for personal gain (which is what this site did afaict)
Do you think it's ethically appropriate to read about analyses performed on the leaked data by the above?
I honestly don't know how I feel myself! Very curious what other people think about this.
So the question then becomes "Is it ethically appropriate to perform security research that requires realistic data at all?". With the caveat that blackhats can and will do research and use the results privately no matter what the rest of us do.
What do you think?
As long as the action stops at analysis, and doesn't provide tools for others to easily go further, then that seems fine to me.
Do you still consider all these poor dastards as the big "sinners?" Which percentage of the persons on the lists "deserve" anybody's "wrath"? Do you really want to condemn everyone? Does that match your moral values? You can even ask how many of these hopeful to "do something" actually didn't do anything exactly because they tried to use the given site instead of, like, approach somebody who they knew in the physical world and who would respond, so maybe even the site existence was a "net positive" considering the happened and "intended" number of "immoral" acts?
"It's hard to feel bad for" =/= Condemnation
All I said was that Ashley Madison explicitly markets itself as a site to cheat on your partners. You'll find plenty of people (myself included) who think engaging in a sexual relationship knowing that your partner is in a committed relationship is immoral alongside cheating on a partner.
> This is a lot of words to try to absolve
just some post before (if they can't be absolved then they are, if I understand, already "guilty" in your view).
Do you want to accuse as "cheaters" 30 people on the list when only one of them cheated? When half of them weren't in the relation at all? Is that a moral thing to do?
Are they "guilty" even if that very action of them (signing in to the site and "just looking") effectively reduced the total number of cheats in the world? Is the site "guilty" if their "grand total" had the same effect?
No, it's not equivalent to cheating on your partner, but it's still wrong.
Much like drawing/distributing pictures of sexualized children is still wrong even if it's an outlet that (and you can't prove this, which is where the real problem with your logic lies) prevents a child from being abused.
The start of this discussion was the assumption that every person on the list made the actions that hurt others, validity of which I questioned (asking if even the majority did something that hurt anybody, giving the arguments that with the high probability most didn't actually hurt anybody and maybe even reduced the number of actual "cheats"). And you claim that you "don't condemn" everybody but still find everybody "guilty" for doing the "wrong" thing to the equivalence of an unproved but possible child abuse. O-K.
> Are they "guilty" even if that very action of them (signing in to the site and "just looking") effectively reduced the total number of cheats in the world?
This is what I was talking about, it's a classic defense of cartoon depictions of child pornography, which I find immoral. Go to a therapist if you're struggling with the temptation to cheat on your significant other, not a dating site for cheaters.
It seems that here most of these that you like "outed" and consider "guilty" haven't had the significant other.
1. Not all users of the site were married/in a relationship.
2. Signing up for a site like this isn't an admission of wanting to commit adultery.
3. There is/was no email verification, so anyone can sign up using any email address they choose.
4. Not all users of this site were in monogamous relationships i.e. swingers.
I don't condone AM's business model, but there are many details that aren't known that simply having ones email in the database doesn't equate to actually hurting others.
Imagine a patient list for an abortion clinic. Now, I don't think abortion is immoral. But plenty of people do. And you can bet they'd absolutely leak that information, which could also ruin lives.
Basically, this is not a great precedent to set.
Can you really say that? See my other post here for questions.
Do you still consider all these poor dastards as the big "sinners?"
This is exactly the problem - maybe I think they are. Maybe you don't. Maybe someone else thinks anyone that did so much as load up the web site deserves to go to hell. But that's why making judgements about leaking based on your personal morals is bad, bad, bad.
I'm not defending the data leak. It is criminal, and two wrongs don't make a right. But you can't compare an abortion clinic, operating in a jurisdiction in which abortion is completely legal, to an organisation seeking to facilitate what is criminal and/or tortious behaviour in many of the jurisdictions in which it chooses to operate.
http://cityroom.blogs.nytimes.com/2008/03/21/is-adultery-a-c...
I think it's fair to say that - within the US at least - laws against adultery are leftover relics from another time. Apparently there is still a $25 fine for flirting in public on the NY books. As the article states:
About a dozen people have been charged with adultery since the early 1970s, most of them upstate. (Most of the charges were dismissed, or apparently were dropped after the defendants pleaded guilty to other charges.)
They didn't even make a token effort to deny access to email addresses belonging to a TLD whose controller criminalizes adultery.
No one knows whether laws against adultery are constitutional in the US. Some argue on the basis of Lawrence v. Texas they are not, but the US Supreme Court has never addressed that precise issue, and it could rule either way if it was ever presented with it.
Legally, the answer can be yes. If I commit a crime in country A, and you in country B help me, then you've likely committed a crime (as an accessory) under the laws of A too - even if B doesn't recognise my or your behaviour as criminal. Now, B will probably refuse extradition, but if you ever voluntarily come to A, you would be at the mercy of A's legal system.
Under Utah law, adultery is a class B misdemeanor (Utah Code 76-7-103), so conspiracy to commit adultery is a class C misdemeanour (Utah Code 76-4-202). So I think if a married person in Utah used the Ashley Madison website to arrange an affair, a Utah district attorney could justifiably charge Ashley Madison and/or its employees with conspiracy to commit adultery. Now, a class C misdemeanor, the maximum punishment is 90 days in jail (Utah Code 76-3-204), and a maximum fine of $750 for a natural person (Utah Code 76-3-301) and $1000 for a corporation (Utah Code 76-3-302) - so a DA might well decide it is not worthwhile. But, if they wanted to prove a point, I can't see why they couldn't bring the charges. Maybe if they had some personal connection to the affair; or maybe they might think the publicity would help their re-election campaign. Since Ashley Madison is based in Canada, I doubt Canada would agree to extradition - but if its employees or owners venture into the US, their extradition to Utah could be sought - intra-state extradition in the US is legally available even for misdemeanours. Now, if it all got this far, and further, the Supreme Court might decide laws against adultery are unconstitutional, but then again they might not decide that (or might refuse to hear the appeal). While I agree the story I'm telling here is somewhat unlikely to actually happen, I don't think there is anything legally impossible about it, and I'd call it somewhat unlikely rather than highly improbable.
That's only if you assume the victims are people with membership on the site. Think about the people that might have moved on, reconciled, or otherwise have already dealt with it. The people that might only be related.
Imagine being the wife or husband of someone on this site, and having already dealt with this in private. Now suddenly it's out there for everyone to see. Your privacy has now been violated. Now you have to deal with this all over again.
Imagine being the child of one of these members. Now you have to deal with the stigma of that hanging over your head. Being teased and mocked.
I can't imagine not feeling bad for the victims of this attack, and I hope the perpetrators are caught. Their actions were reckless, and will hurt a lot of people who were not even involved.
The Snowden leak had a similar structure: it started out with PRISM (which affected every American, and caused widespread indignation), then Snowden claimed responsibility (trying to get out ahead of official government investigations, putting a human face on the leaker and controlling the messaging), and then they followed up with a number of even more damaging leaks (eg. MUSCULAR, the Merkel cables, etc.) once they had the world's attention.
Then they probably should have released the first data dump on Monday and the second dump on Tuesday. By the time the media dig through the CEO's emails it'll be Friday and lose a lot of steam over the weekend.
My guess is that the timing didn't go according to plan - they picked an obscure subreddit to post on, and the first press coverage didn't happen until Tuesday night (having apparently heard about it on Tuesday morning). And then it's generally a good idea to let at least 2 days pass between press releases, otherwise the public doesn't have a chance to absorb the first media cycle. They probably hoped it would be noticed on Sunday night, hit the press first thing Monday morning, and then they could follow up with the CEO dump on Wednesday.
[1] https://www.reddit.com/r/AnythingGoesNews/comments/3h71ar/we...
[2] https://thepiratebay.vg/torrent/12237184