The hack of infidelity website Ashley Madison is the biggest story in the tech world today. Hackers have released what appears to be a trove of data about users of the site, including their addresses, phone numbers, and sexual proclivities.
There’s a lot we still don’t know about the hack. One thing we do know is that, in the years leading up to the unprecedented breach, Ashley Madison CEO Noel Biderman loved to boast about how secure his site was. (We now know, of course, that Ashley Madison had all kinds of holes in its data practices, including storing seven years’ worth of credit card transactions, and a password reset loophole that allowed bystanders to check whether a certain email address was registered on the site.)
But the danger of a devastating hack didn’t appear to concern Biderman. Here are 7 times the Ashley Madison CEO bragged about how secure his site was, before it got royally hacked.
1. In a January 2015 interview with the Calgary Herald, Biderman claimed that Ashley Madison provided its users with complete anonymity, and made it possible for them to delete their profiles entirely, leaving no trace of “digital lipstick” on their collars.
“It’s not lipstick on our collars anymore getting us caught,” he says. “It’s digital lipstick. Voice mails you leave behind, text messages you leave behind — so I focus on that. The technology I’ve built: the photo masquerading, the anonymous billing, even the way my messaging works — the password protection — even to the Nth degree, where if you’re on Ashley Madison and decide, hey, I want to eradicate my presence — I want to delete — you don’t just delete (your profile) the way you would on Match.com or Facebook.”
“We’ll go back in time,” he says. “We’ll take back every message you ever shared. We’ll make like you’re a ghost — you never were here.”
2. In 2012, Biderman claimed in a Reddit AMA that the site “never ask(s) for your real information,” and therefore doesn’t present a legal risk to its members. (We now know this is false — while the site doesn’t require users to present a verified email address, it does collect and store their billing information.)
3. Earlier this year, in an interview with V.v. magazine, Biderman was asked about his fear of a hack. He replied, “If anyone tells you that they don’t fear hacking, they are lying to you.” But then, he went on to brag about Ashley Madison’s security features:
Our database is all anonymous. You could be using my service right now and I wouldn’t know. On the credit card side, we’re not interested in that level of security. That’s not what our organization is about. We are a social network so we hand it off to companies who are suited to that. Putting the data in a bunker away from everybody else is our approach. But everyone is fearful of it. We have done a really great job of making sure our data is kept secret; the anonymity of it hopefully gives comfort to our members.
4. In June, Biderman claimed in an interview with CNBC that Ashley Madison users could remove “everything” about themselves from the site.
If you want to leave no trace you were here, we can recall everything — every image, text message you ever sent. To us, the perfect affair was not like meeting of the minds — it was about not getting discovered.
5. In 2013, Biderman bragged to the Daily Dot that Ashley Madison’s security practices could turn its users into “ghosts” — effectively removing any trace they’d ever signed up.
Ashley Madison is one of the only social networks that promises complete deletion of what Biderman calls “digital lipstick.” If a user deletes their account, he or she is not just taken out of search rotation: Every point of exposure is fully erased, even messages in someone else’s inbox. Nothing is kept on a server or saved in any files.
“You’re a ghost,” he says. “It never existed.”
Photos are masked until a user unlocks them specifically for another user. Ashley Madison’s messaging is done so no emails or phone numbers need to be exchanged. If you choose to pay for site upgrades, your credit card statement won’t read “Ashley Madison”; instead, the site rotates through different code names that are unique to each user.
6. Biderman later repeated those “ghost” claims in an interview with Bloomberg TV:
7. In 2014, Ashley Madison’s PR firm emailed media representatives, including tech blogger Robert Scoble (who posted the below image on his Facebook page), in which the company claimed to be “the last truly secure space on the Internet.”
Life lesson: if you’re selling a “truly secure space” for millions of people to seek out affairs, you might want state-of-the-art security practices to back up your claims.