I imagine it will be next to impossible to conclusively prove that AM was the reason for the suicides, so the best anyone can say is that the two events coincided.
It is crystal clear that Mainstream media has been chomping at the bit to release the "fallout of the AM hacks" type story. These stories generate clicks - whether true or not.
This topic is touched on in the Krebs article released today (which includes information from the Toronto PD press release), in that the Toronto PD are investigating...
That is quite some money they're offering for a hack that didn't happen. Or did they acknowledge in the meantime, I haven't really followed these news.
The current suicide rate in the US is about 12 per 100,000 per year, so that translates to about 10 per day among a population of 30 million. Assuming, of course, that the risk factors among that population match up with that of the entire US population, which they probably don't.
Statistically, females are more likely to self-harm in non-lethal ways. This acts as suicide prevention, in a way, since it triggers responses from the environment and reduces the likelihood of worst outcomes.
Males don't self-harm and overall don't signal their discomfort until it's too late.
I think it has more to do with the method than the act. Men are more likely to have guns, which work very well. Women are less likely to have access to guns and so survive more suicide attempts (pills, jumping off things etc).
Same for the military. The 'success rate' for military suicides is higher partially because of ready access to the means.
Which does nothing to explain the similar ratio in say England where access to guns is very restricted.
"Jumping off things" would be "falls and fracture", and it's not a common method for completed suicide. About 4% of registered deaths are "jumping off things". Drowning is a bit more, about 4%. Poisoning is about 20% and hanging, strangulation and suffocation is about 56%. (The rest has the unhelpful title of "other". I'm not sure what that means.)
> Which does nothing to explain the similar ratio in say England where access to guns is very restricted.
Drive a car fast. Just a lethal. Sometimes you hear about car accidents with only one car involved and the young male driver was the only fatality. Sometimes it's an accident. Sometimes it's someone ending it all.
Help seeking is definitely part of the problem. UK charity "The Campaign Against Living Miserably"[1] and Australian charity(?) "Soften The Fck Up" both campaign to make it easier for men to talk about mental health and to seek help. UK charity "Time to Change" has a number of campaigns to destigmatise mental health, some of which are targeted at men.
But in the UK there has been a rise in rate of suicide amoung people already known to MH services, so we need to be a bit careful not to put all the "blame" on help seeking behaviours.
(I'm interested in other anti-stigma organisations, where ever they're based and whatever demographic they target.)
Globally, 16 suicides/100000 people/year. So the 30 million people should have 4800 suicides in a year, or 13 per day. But these two deaths are restricted to Canada which has a lower suicide rate than the global average, and we don't know what portion of the 30 million are Canadian, so we don't have enough data to make a guess.
That's about 1% of 30 million, or about 0.1/day, or 3 weeks for those 2 suicides. I bet any deviation from the average isn't statistically significant (in fact, for 2 suicides, ¿almost? no 'background' suicide level will be statistically significant)
On the other hand, I do expect that Canadian police didn't base their claim on nothing. Chances are they found suicide notes, or something similar.
I think the problem of testing for randomness of these suicides is harder to solve than it seems. Randomness only occurs in the absence of suicide letters which state that the leak caused them to do it. At least two scenarios:
1. They leave suicide notes where they explicitly attribute it to the hack. Then, the probability that it is due to the Ashley Madison hack becomes = 1. The question then becomes, did the 'outing' push them over the edge. Especially so, if they attribute taking their life to multiple reasons.
2. If it is not attributed to the 'outing', then one has to carefully see what the probabilities of suicide are in their particular cross-section of population and also consider other risk factors. The numbers someone else quoted here, 16/100,000 is an average. It is fallacious to assume that this number uniformly applicable to the population as a whole. You have to consider prior probabilities for each individual. These priors can possibly be computed based on the individual's medical history, socio-economic background, geographical location, etc. with importance assigned in that order. I would imagine medical conditions would play a big role. For example, if an 'outed' person with no history of depression, etc. from a hyper-religious family commits suicide, it is quite likely that it was because of the 'outing' in the absence of explicit attribution in a suicide letter, etc. If a person has on his/her history previous suicide attempts, depression, etc. the marginal probability that it was solely due to the Ashley Madison outing would probably be lower.
Yeah, except in this case I believe this is a number released by the police and is likely based on evidence learned at each suicide. Notes left behind or information from people close to the now deceased, it's safe to say these two deaths have been attributed to the impact the leak had on their lives.
Also keep in mind we're talking about 30mil people in a particular population group, age range, that probably lives a stressful life (and possibly guilt)
If you mean would Ashley Madison be criminally negligent for allowing themselves to get hacked, the answer is pretty clearly no. There's a very high standard for criminal negligence. Your conduct has to "grossly deviate" from normal conduct, usually showing a great disregard for human life. We don't want to be locking people up for every poor business choice or bad decision.
> We don't want to be locking people up for every poor business choice or bad decision.
Whilst that is true, we equally don't want to be completely ruling it out. An investigation should be conducted regarding the actual attack, and perhaps their handling of the leak. Did they even notify all users?
This is important. The only reason this is much of a story at all is that the "affair" angle makes for very marketable stories. Otherwise this is strictly dog bites man.
If pretending to delete data is typical for the industry, then we can't know for sure unless a company is breached or an employee leaks the info. It would be very easy to sue a company for lying about that.
You may be right that many companies behave this way, but they at least pretend that they don't. The companies I've worked for have always been extremely conscientious about honoring data-related terms, even if no user would ever know. The fear of getting sued is strong.
Snapchat didn't even delete the pictures, to start with. They just made them unavailable to the interface. Which is similar, and maybe enough.
Given backups and billing records and stored message histories and so on, its not really a question of 'deleting an account'. More like 'making an account no longer visible/available to the current interface'. Nobody thought they'd wipe any disks or anything, in anticipation of a big data breach, right?
Probably not: most of these companies have user agreements drafted by actual lawyers, and those agreements are binding.
In any case: when I say that Avid Life is nowhere near the bottom quartile for companies when it comes to security, you can take that to the bank. Or, don't, if you're worried about taking things to places that won't lose your data in a breach. I guess you can take your data to Facebook in that case.
Your friends pay you money to permanently dispose of the evidence of their marital affair
You just leave the evidence at your house instead
You leave your doors and windows open
Now its still not your fault that people came in and rummaged through your stuff; but surely its you who are to blame for never disposing of the evidence as you promised (and accepted payment for)?
Its an interesting component to what is otherwise extremely simple.
If i paid a document shredding company to shred my documents and months later that company gets broken into and all my documents are released...
Surely i blame the shredding company as much, if not more, than i blame the thieves.
I don't really have a position or idea on what this all makes ashley madison guilty of from a criminal or civil law perspective - but i certainly feel that there are punishable actions taken by ashley madison in this whole mess
Your addition to the analogy doesn't really change anything, unless I made an absolute guarantee to either 1) immediately destroy the information or 2) destroy said information within a given timeframe and failed to do so.
Both of those are separate issues from leaving the information laying about.
In the original case, I might be stupid, but the interlopers are wrong to assume that they had an invitation to stuff laying about. They are, in fact, burglars.
Even with your addition, they are still burglars. However, I am liable for either 1) failing to destroy said information/stuff and/or 2) failing to do so within the specified timeframe, if the burglary happened after that timeframe.
The blame to the burglars remains the same in either case.
Honestly, I'm sort of enjoying a fat cuppa shadenfreude tempered by the knowledge that it is, for the most part, really none of my damn business what someone else does with their naughty bits.
I've been waiting to see some educated thought on this but it's been pretty absent from the coverage I've seen. Specifically also, I'm curious to understand how not deleting information people apparently paid to have deleted fails to constitute fraud... though successfully arguing negligence would be even more interesting for infosec in the software industry long term.
Also not a lawyer, but... Was there suspicion that Ashley Madison had been wilfully negligent in the first place? It has sounded to me like the leaked data indicated they actually followed reasonable security practices. Strong password hashing, separation of different types of data, etc. Yes, they got hacked, but it's virtually impossible to guarantee immunity from target attacks.
edit: also, as others have implied, 2 suicides out of 40 million is not that high (I don't mean to downplay the tragedy - all suicides are horrible) - but IMO you'd have a hard time proving the Ashley Madison hack was really the only cause, and not the final straw for somebody who was already in a bad place mentally. If I were to tell someone that their spouse was cheating, and their spouse commits suicide, would I be criminally negligent?
Their overall security procedures may have been good, but at the very least the fact that they charged money for permanent deletion of data and then didn't actually permanently delete data ought to qualify. People who just signed up may not have a case, but anyone who "deleted" their account does.
Practically every system I've built at scale uses soft-deletes. A flag is put into the database and records that are deleted are excluded via that flag.
Note that I'm not playing with people's identities, but even then, you have to ask whether they were paying to delete the availability of their user data or the actual database records (somewhere in the contract?).
I think they should be clear about whether the information is still stored, true. But I also do sympathize with AM in this situation. I'm sure many of us have had the experience of going out of our way to secure someone's system for them, and then being asked years later if we can help them when they've locked themselves out. I'd be willing to bet there were more than a few people who paid to have their accounts deleted and came back at a future date and wanted to pick up where they left off.
If I have a crappy front door and someone breaks into my house and falls down the staircase, am I criminally negligent because I didn't have a baby gate?
Even if they aren't directly related, I hope some people will at least take pause about the spread and analysis of people's private, leaked information. Sure they're kinda scummy but it is their private lives.
Nobody cares about privacy when it comes to people they don't like. Donald Sterling is a good example of this. So is the ex-Mozilla CEO. Their lives were both destroyed...yet it's justified because what they did was morally wrong and against the narrative.
Nobody even mentioned the fact that privacy was violated because the ends justified the means.
Now that you might have your privacy violated, it's a topic of discussion.
If you violate the trust of your partner and show up on this website, you deserve everything you get.
After all the recent comments and stories here on HN, I hope this happens more often, to shit in the face of all the whiny little SF hipsters that think they are somehow morally better than the rest of society.
This is actually why Trump is winning in the majority of the polls. Most people (like me) are sick of the double-speak and political correctness that is destroying the country.
While you could argue that the Mozilla controversy was about Brendan Eich's privately held beliefs, he publicly donated $1,000 to Prop 8, which was how it came to be known.
> Is it possible to privately donate to political causes?
Its possible to privarely donate to all kinds of organizations which amount to political causes, its not possible (legally) to do so to political campaign committees, however.
> Donald Sterling is a good example of this. So is the ex-Mozilla CEO. Their lives were both destroyed.
Brendan Eich's activities after his time as Mozilla CEO doesn't really make it seem like his life was destroyed.
> This is actually why Trump is winning in the majority of the polls.
Trump is gaining the largest minority of Republican voters among the large number of aspirants to the Republican nominee. In the head-to-head polls against Clinton, Biden, and Sanders I've seen he loses (and does so worse than a number of other Republicans, some of whom beat at least one of the Democrats in head-to-head polls.)
Right, I was not "destroyed", much as soi-disant "SJW"s may wish that I were.
The high-priority destruction question is about Mozilla, not about me. Mozilla needs a more crisp differentiated value proposition against its well-heeled competitors, on top of minimum basic competence (E10S). Threatening to break add-on compat does not help to differentiate.
Well considering that accounts can be easily faked, someone might have put your E-mail on the list. Do you then deserve "everything you get"?
Also, please don't use phrases like "nobody..." and "most people are". There is no possible way you could know what "most people are" doing so by itself that statement is a made-up statistic. Either link to (preferably a couple) articles to back up such a statement, or just say "I am". Similarly, what is "the majority of the polls"? You could at least point out a few examples of these polls so that we can tell for ourselves how accurate the statement is likely to be.
What I hope "happens more often" is that discussions will veer away from this kind of unsubstantiated I-already-know-who-I'm-voting-for commentary.
You've been using HN primarily to post angry political rhetoric for a long time now. That's an abuse of HN, and we've asked you several times to stop. Instead, you've been breaking the rules ever more egregiously:
> to shit in the face of all the whiny little SF hipsters that think they are somehow morally better than the rest of society.
If you don't stop, we're going to ban your account. I don't want to ban you, first because you've been a legit user apart from this (though 'this' has unfortunately become dominant), second because we try not to penalize unpopular views, which some of yours are in an HN context, and third because if we do so we'll immediately be accused of "abuse of power" and "silencing", which is annoying when in reality we bend over backwards not to do that. But if you keep posting uncivil, off-topic flamebait and conducting yourself in ways that you know are not ok here, we'll have no choice. The quality of the discourse is the #1 thing we have to protect, and you're lowering it badly.
This has nothing to do with your views. For example, it would have been easy to post a comment arguing for the social beneficence of the AM leak that omitted your wish to "shit in the face" of perceived enemies, if you'd wanted to. HN is not a vent for personal rage.
The breach was "very sophisticated", said Detective Menard from the technological crime unit of Toronto Police.
Bets on whether the "sophisticated" attack turned out to be a run-of-the-mill employee phishing e-mail or a brute force attack on an unsecured server with root login?
Or the officers are preparing an early excuse for not being able to apprehend the criminals later on. Which is a likely outcome considering the track record of these types of non-financially motivated attacks recently.
79 comments
[ 2.2 ms ] story [ 127 ms ] threadMaybe we should wait until we have some kind of confirmation before discussing this?
[1] https://news.ycombinator.com/item?id=10110649
Males don't self-harm and overall don't signal their discomfort until it's too late.
http://www.suicide.org/suicide-statistics.html
This PDF says that there are 25 attempts for every suicide:
http://www.cdc.gov/ViolencePrevention/pdf/Suicide_DataSheet-...
I had no idea it was that high!
(This is from office for national statistics data)
Not to mention it tends to be rather expensive and of limited value.
Same for the military. The 'success rate' for military suicides is higher partially because of ready access to the means.
"Jumping off things" would be "falls and fracture", and it's not a common method for completed suicide. About 4% of registered deaths are "jumping off things". Drowning is a bit more, about 4%. Poisoning is about 20% and hanging, strangulation and suffocation is about 56%. (The rest has the unhelpful title of "other". I'm not sure what that means.)
Drive a car fast. Just a lethal. Sometimes you hear about car accidents with only one car involved and the young male driver was the only fatality. Sometimes it's an accident. Sometimes it's someone ending it all.
But in the UK there has been a rise in rate of suicide amoung people already known to MH services, so we need to be a bit careful not to put all the "blame" on help seeking behaviours.
(I'm interested in other anti-stigma organisations, where ever they're based and whatever demographic they target.)
[1] Calmzone is currently banned from Facebook. I don't know why. https://www.thecalmzone.net/
http://softenthefckup.com.au/ -- they don't censor the word on the website.
http://www.time-to-change.org.uk/
That's about 1% of 30 million, or about 0.1/day, or 3 weeks for those 2 suicides. I bet any deviation from the average isn't statistically significant (in fact, for 2 suicides, ¿almost? no 'background' suicide level will be statistically significant)
On the other hand, I do expect that Canadian police didn't base their claim on nothing. Chances are they found suicide notes, or something similar.
Actually, they didn’t claim anything, and only talked about unconfirmed reports (https://twitter.com/TorontoPolice/status/635816932474814464, http://www.cbc.ca/news/canada/toronto/ashley-madison-hack-2-...)
1. They leave suicide notes where they explicitly attribute it to the hack. Then, the probability that it is due to the Ashley Madison hack becomes = 1. The question then becomes, did the 'outing' push them over the edge. Especially so, if they attribute taking their life to multiple reasons.
2. If it is not attributed to the 'outing', then one has to carefully see what the probabilities of suicide are in their particular cross-section of population and also consider other risk factors. The numbers someone else quoted here, 16/100,000 is an average. It is fallacious to assume that this number uniformly applicable to the population as a whole. You have to consider prior probabilities for each individual. These priors can possibly be computed based on the individual's medical history, socio-economic background, geographical location, etc. with importance assigned in that order. I would imagine medical conditions would play a big role. For example, if an 'outed' person with no history of depression, etc. from a hyper-religious family commits suicide, it is quite likely that it was because of the 'outing' in the absence of explicit attribution in a suicide letter, etc. If a person has on his/her history previous suicide attempts, depression, etc. the marginal probability that it was solely due to the Ashley Madison outing would probably be lower.
Does a suicide potentially move this from willful civil negligence into the realm of criminal negligence? Nonfeasance?
Whilst that is true, we equally don't want to be completely ruling it out. An investigation should be conducted regarding the actual attack, and perhaps their handling of the leak. Did they even notify all users?
It'd be hard to argue that it conduct that disregarded human life, though.
You may be right that many companies behave this way, but they at least pretend that they don't. The companies I've worked for have always been extremely conscientious about honoring data-related terms, even if no user would ever know. The fear of getting sued is strong.
Given backups and billing records and stored message histories and so on, its not really a question of 'deleting an account'. More like 'making an account no longer visible/available to the current interface'. Nobody thought they'd wipe any disks or anything, in anticipation of a big data breach, right?
In any case: when I say that Avid Life is nowhere near the bottom quartile for companies when it comes to security, you can take that to the bank. Or, don't, if you're worried about taking things to places that won't lose your data in a breach. I guess you can take your data to Facebook in that case.
Leaving my doors and windows open is stupid but not an invitation to go rummaging thru my stuff.
Your friends pay you money to permanently dispose of the evidence of their marital affair
You just leave the evidence at your house instead
You leave your doors and windows open
Now its still not your fault that people came in and rummaged through your stuff; but surely its you who are to blame for never disposing of the evidence as you promised (and accepted payment for)?
Its an interesting component to what is otherwise extremely simple.
If i paid a document shredding company to shred my documents and months later that company gets broken into and all my documents are released...
Surely i blame the shredding company as much, if not more, than i blame the thieves.
I don't really have a position or idea on what this all makes ashley madison guilty of from a criminal or civil law perspective - but i certainly feel that there are punishable actions taken by ashley madison in this whole mess
Both of those are separate issues from leaving the information laying about.
In the original case, I might be stupid, but the interlopers are wrong to assume that they had an invitation to stuff laying about. They are, in fact, burglars.
Even with your addition, they are still burglars. However, I am liable for either 1) failing to destroy said information/stuff and/or 2) failing to do so within the specified timeframe, if the burglary happened after that timeframe.
The blame to the burglars remains the same in either case.
Honestly, I'm sort of enjoying a fat cuppa shadenfreude tempered by the knowledge that it is, for the most part, really none of my damn business what someone else does with their naughty bits.
edit: also, as others have implied, 2 suicides out of 40 million is not that high (I don't mean to downplay the tragedy - all suicides are horrible) - but IMO you'd have a hard time proving the Ashley Madison hack was really the only cause, and not the final straw for somebody who was already in a bad place mentally. If I were to tell someone that their spouse was cheating, and their spouse commits suicide, would I be criminally negligent?
Note that I'm not playing with people's identities, but even then, you have to ask whether they were paying to delete the availability of their user data or the actual database records (somewhere in the contract?).
http://krebsonsecurity.com/2015/08/leaked-ashleymadison-emai...
Nobody cares about privacy when it comes to people they don't like. Donald Sterling is a good example of this. So is the ex-Mozilla CEO. Their lives were both destroyed...yet it's justified because what they did was morally wrong and against the narrative.
Nobody even mentioned the fact that privacy was violated because the ends justified the means.
Now that you might have your privacy violated, it's a topic of discussion.
If you violate the trust of your partner and show up on this website, you deserve everything you get.
After all the recent comments and stories here on HN, I hope this happens more often, to shit in the face of all the whiny little SF hipsters that think they are somehow morally better than the rest of society.
This is actually why Trump is winning in the majority of the polls. Most people (like me) are sick of the double-speak and political correctness that is destroying the country.
The truth will set you free.
Its possible to privarely donate to all kinds of organizations which amount to political causes, its not possible (legally) to do so to political campaign committees, however.
What's destroying the country, really? That you can't openly hate gay and black people without being shunned by SF hipsters? Give me a break.
Brendan Eich's activities after his time as Mozilla CEO doesn't really make it seem like his life was destroyed.
> This is actually why Trump is winning in the majority of the polls.
Trump is gaining the largest minority of Republican voters among the large number of aspirants to the Republican nominee. In the head-to-head polls against Clinton, Biden, and Sanders I've seen he loses (and does so worse than a number of other Republicans, some of whom beat at least one of the Democrats in head-to-head polls.)
The high-priority destruction question is about Mozilla, not about me. Mozilla needs a more crisp differentiated value proposition against its well-heeled competitors, on top of minimum basic competence (E10S). Threatening to break add-on compat does not help to differentiate.
There is no such thing as being a bigot in private.
Also, please don't use phrases like "nobody..." and "most people are". There is no possible way you could know what "most people are" doing so by itself that statement is a made-up statistic. Either link to (preferably a couple) articles to back up such a statement, or just say "I am". Similarly, what is "the majority of the polls"? You could at least point out a few examples of these polls so that we can tell for ourselves how accurate the statement is likely to be.
What I hope "happens more often" is that discussions will veer away from this kind of unsubstantiated I-already-know-who-I'm-voting-for commentary.
> to shit in the face of all the whiny little SF hipsters that think they are somehow morally better than the rest of society.
If you don't stop, we're going to ban your account. I don't want to ban you, first because you've been a legit user apart from this (though 'this' has unfortunately become dominant), second because we try not to penalize unpopular views, which some of yours are in an HN context, and third because if we do so we'll immediately be accused of "abuse of power" and "silencing", which is annoying when in reality we bend over backwards not to do that. But if you keep posting uncivil, off-topic flamebait and conducting yourself in ways that you know are not ok here, we'll have no choice. The quality of the discourse is the #1 thing we have to protect, and you're lowering it badly.
This has nothing to do with your views. For example, it would have been easy to post a comment arguing for the social beneficence of the AM leak that omitted your wish to "shit in the face" of perceived enemies, if you'd wanted to. HN is not a vent for personal rage.
Bets on whether the "sophisticated" attack turned out to be a run-of-the-mill employee phishing e-mail or a brute force attack on an unsecured server with root login?
The hard part is:
- exfiltrating large amounts of data without detection
- not getting caught afterwards