Identity scrubbing: Can you ever really erase your personal data from the web?

Hackers claim to have exposed data on millions of spouses who signed up to the Toronto-based cheating website Ashley Madison.
While Avid Life denies the hackers’ claims – stating that the service erases “all information related to a member’s profile and communications activity” – cyber security experts aren’t convinced. THE CANADIAN PRESS/AP, Lee Jin-man

TORONTO – It’s probably any user’s worst nightmare. Hackers have stolen confidential customer data from the website – aimed at people seeking affairs – and have threatened to publish it all unless the company is shut down.

Avid Life Media, which owns the Toronto-based cheating site, has called the attack an “act of cyberterrorism” and vowed to hold those behind the hack responsible for their actions.

But potentially more damaging to the company than the leak of some 37 million cheating spouses and partners personal information, is the hackers’ claim that the site’s “paid-delete” option – which the company claims erases all of the user’s profile information for the small price of $19 – doesn’t work.

READ MORE: Hackers steal personal information of millions of Ashley Madison users who sought affairs

The hackers allege that although the “paid-delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” user details – such as their real names and payment information – aren’t scrubbed from the site.

Story continues below advertisement

While Avid Life denies the hackers’ claims – stating that the service erases “all information related to a member’s profile and communications activity” – cyber security experts aren’t convinced.

“They should have gone a great distance to protect that data – but they are going to charge you for doing this so called hard delete,” said cyber security expert Patrick Malcom.

“It’s a bit of a money grab on the part of Ashley Madison – they should have been doing that anyway.”

Malcom said users should be aware of what a company defines as a “hard delete.” To the company, it means all of your public-facing posts on the forum would be deleted – such as photos, profile information, or even conversations – but they likely aren’t going to delete private user data.

Malcom described this kind of data as an asset to businesses like Ashley Madison.

“Asking a business to get rid of an asset that they’ve collected isn’t in their best interest,” he said. “The only way you can [avoid having your personal data leaked] is by not offering it in the first place.”

David Skillicorn – privacy expert and professor at Queen’s University – is doubtful that every last bit of profile information could be scrubbed from a website entirely.

Story continues below advertisement

“The thing that’s always going to kill you is backups. Every website is backing up their data just in case and every day there is a snapshot taken to see what has changed since the day before,” Skillicorn told Global News.

“If you wanted to remove it, first of all you have to remove it now in thousands of places, but it’s all mixed up with all the other data. It’s not like a file folder that is organized.”

READ MORE: Twitter users delight in Ashley Madison hack, potential exposure of cheating spouses

Which brings us to the question – can you ever really scrub your identity entirely from the web?

Most experts say no.

“If someone was trying to be 100 per cent removed from a network… it’s impossible,” said Chris Parsons, post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs and cyber security expert.

“There is so much data created every day that finding every mention of yourself – every photo of yourself – online can be very challenging.”

Social media sites present a bigger challenge, said Parsons – who has done research specifically into how data deletion works on social networks – because users are able to comment and share things on other user pages.

Story continues below advertisement

That information will remain on the site even if the person successfully deactivates their account and manually deletes all of their posts.

So what can you do to make sure your data stays private in the event you decide to delete an online account? Other than a little research… not much, experts say.

“If you are choosing to put information online, do some due diligence and see if the company that you are sharing the information with has a data policy or data deletion policy,” suggested Malcom.

But, Skillicorn points out that no company or website if safe from hackers or information leaks in this day and age.

“The trouble is nobody in the cloud situation can guarantee that your data isn’t going to be made public. It just isn’t plausible,” he said.

“Once it leaves your desktop you really ought to pretend its public.”

Sponsored content