Life is Short... Sue Everyone: Legal Perspectives on the Ashley Madison hack

Date post: 15-Jan-2017
Upload: anna-manley
ANNA L. MANLEY

LEGAL PERSPECTIVES ON THE ASHLEY MADISON HACK

LIFE IS SHORT… SUE EVERYONE

2

3

4

5

CAST OF CHARACTERS

6

7

8

#Legal

9

#Information

10

• Criminal Law
• Civil Law
• Defamation
• Family Law
• Employment
• Privacy Law

11

HACKERS

What have they done wrong?

12

HACKERS

• Theft
• Extortion
• Mischief
• Possession of stolen property
• Unauthorized use of credit card data
• Interception of private communication
• Unauthorized use of a computer

13

14

BUDAPEST CONVENTION

• Laws (re: unauthorized access)
• Search/Seizure
• Cooperation
• Extradition

15

BUDAPEST CONVENTION

Article 2 - Illegal Access

Intentional access to a computer system without right.

(with or without infringing security measures)

(with or without intent to obtain data or dishonest intent)

16

Unauthorized use of a computer

342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,

(a) obtains, directly or indirectly, any computer service;

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system; or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c).

342.1(1) CRIMINAL CODE

• Obtain computer service
• Intercept any function of a computer system
• Uses a computer system with intent to obtain or intercept
• Uses / possesses / traffics in or permits another person to have access to a computer password
• Fraudulently
• without colour of right
• Indictable or Summary

17

Credit: Fox

18

Credit: Fox

19

BUDAPEST CONVENTION

Article 3 - Illegal Interception

Interception of non-public transmissions of data to / from / within a computer system - without right.

(with or without dishonest intent)

(with or without connection to another computer system)

20

Interception of Communications

Interception

184 (1) Every one who, by means of any electro-magnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years.

184(1) CRIMINAL CODE

• Intercept a private communication
• Wilfully
• Via: electro-magnetic, acoustic, mechanical or other device
• Indictable (max 5 yrs)
• Saving provision
• Management of system
• Protecting the system

21

Disclosure of information

193 (1) Where a private communication has been intercepted by means of an electro-magnetic, acoustic, mechanical or other device without the consent, express or implied, of the originator thereof or of the person intended by the originator thereof to receive it, every one who, without the express consent of the originator thereof or of the person intended by the originator thereof to receive it, wilfully

(a) uses or discloses the private communication or any part thereof or the substance, meaning or purport thereof or of any part thereof, or

(b) discloses the existence thereof,

is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years.

193(1) CRIMINAL CODE

• Discloses the intercepted private communication
• Substance or meaning
• OR the existence of the private communication
• Without the express consent of the originator or the recipient
• Wilfully
• Indictable (max 2 yrs)
• Exemptions

22

Mischief in relation to computer data

(1.1) Everyone commits mischief who wilfully

(a) destroys or alters computer data;

(b) renders computer data meaningless, useless or ineffective;

(c) obstructs, interrupts or interferes with the lawful use of computer data; or

(d) obstructs, interrupts or interferes with a person in the lawful use of computer data or denies access to computer data to a person who is entitled to access to it.

430(1.1) CRIMINAL CODE

• Destroy / Alter data
• Renders data meaningless, useless, or ineffective
• Obstructs, interrupts, or interferes with lawful use of computer data or a person
• Wilfully
• Danger to life - Indictable (max life)
• Property - Indictable or Summary

23

Credit: Warner Brothers

24

…. hacking is really illegal.

25

26

RETRIEVERS OF DATA

What have they done wrong?

27

28

29

Credit: Binary Edge

30

Credit: Dwaas

31

DISCLAIMER:

“All of our analysis must not expose the users of Ashley Madison (at BinaryEdge privacy is of utmost respect and we do not condone the actions that were performed against the Ashley Madison website).”

blog.binaryedge.io

32

#Legal

33

Do you want to see?

Yeah… No.

Credit: Marvel

34

Possession of property obtained by crime

354 (1) Every one commits an offence who has in his possession any property or thing or any proceeds of any property or thing knowing that all or part of the property or thing or of the proceeds was obtained by or derived directly or indirectly from

(a) the commission in Canada of an offence punishable by indictment; or

(b) an act or omission anywhere that, if it had occurred in Canada, would have constituted an offence punishable by indictment.

354(1) CRIMINAL CODE

• Possess property you know is stolen

• Obtained or derived (directly or indirectly) from an indictable offence

35

Unauthorized use of credit card data

(3) Every person who, fraudulently and without colour of right, possesses, uses, traffics in or permits another person to use credit card data, including personal authentication information, whether or not the data is authentic, that would enable a person to use a credit card or to obtain the services that are provided by the issuer of a credit card to credit card holders is guilty of

(a) an indictable offence and is liable to imprisonment for a term not exceeding ten years; or

(b) an offence punishable on summary conviction.

342 CRIMINAL CODE

• Possess / use / traffics credit card data

• Data enabling use of credit card

• Whether or not data is authentic

• Indictable offence

36

Unauthorized use of computer

342.1 (1) Everyone is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years, or is guilty of an offence punishable on summary conviction who, fraudulently and without colour of right,

(a) obtains, directly or indirectly, any computer service;

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system;

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or under section 430 in relation to computer data or a computer system; or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c).

342.1(1) CRIMINAL CODE

• Uses / possesses / traffics in or permits another person to have access to a computer password
• Fraudulently
• without colour of right
• Indictable or Summary

37

“TRAFFIC”

• Sell
• Export / Import
• Distribute
• Deal with

38

So…. possessing the data is also illegal.

39

40

41

42

43

PIPEDA

Personal Information Protection and Electronic Documents Act, SC 2000, c 5

44

45

4.7 Principle 7 — Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

4.7.1 The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

4.7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.

4.7.3 The methods of protection should include

(a) physical measures, for example, locked filing cabinets and restricted access to offices;

(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and

(c) technological measures, for example, the use of passwords and encryption.

4.7.4 Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.

4.7.5 Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3).

4.7 PRINCIPLE 7 PIPEDA

• Info protected by security safeguards appropriate to sensitivity of info

• Protects against theft / unauthorized access

• More sensitive >> higher level of protection required

• Methods of Protection: includes passwords and encryption

46

DUTY TO REPORT

47

48

USERS

What can the users do?

49

50

Credit: The International Consortium of Investigative Journalists (ICIJ)

51

Credit: Aly Song/Reuters

52

CAN JACKIE CHAN SUE? CAN THE ASHLEY MADISON USERS SUE?

53

Credit: AMC - “Breaking Bad”

54

Credit: McDonald’s

55

Credit: Star Trek (TNG) CBS Television

56

Credit: The Internet

57

58

?

59

CLASS ACTION

60

CLASS ACTION

61

CLASS ACTION

(1) Scrub Fee

(2) Failure to Secure

“… the last truly secure space on the Internet.”

62

Credit: The Walt Disney Company

63

Credit: The Walt Disney Company

64

65

NEGLIGENCE

66

67

CLASS ACTION

68

CLASS ACTION

69

CLASS ACTION

70

71

72

Common law requirement for encryption of data?

73

74

HOW DOES THE PLAY END?

75

The first thing we do, let's kill all the lawyers. (2 Henry VI, 4.2.59)

ANNA L. MANLEY

@nnamanley

annamanley.blogspot.ca

