AshMad search outfit Trustify to El Reg: 'Trust us, we're the good guys'
And we just thought you were busy chasing ambulances
Updated Online “Uber for private investigators” outfit Trustify is upset with The Register for not replicating its messaging with sufficient sycophancy.
The company has, through PR company PR/serve, sent the following missive to explain why it harvested searches from the desperate and foolish visiting its site to see if they're on the Ashley Madison dump:
Trustify, a company that provides customers affordable access to private investigators, developed a free self-check tool for users who suspected their personal information had been compromised in the Ashley Madison hack. Entering an e-mail address queries the database, and the user is then notified whether or not their information was compromised in the hack.
An automatic message is sent to the e-mail address that was found to be compromised. The purpose of the e-mail is to provide confirmation to the user.
"They might not have any other way of knowing whether or not this data breach affects them," says Danny Boice, Founder & CEO of Trustify. "Ashley Madison, to our knowledge, has not communicated with their customer base to notify them, or offer any support for identity theft protection. Ashley Madison users have a right to know that their personal information is now publicly available to anyone on the Internet."
The company did not explain why it harvested the data without notifying users up-front (which would be a breach of privacy law in many jurisdictions). Here's how the search page looked on August 21:
Wayback's August 21 capture of Trustify's Ashley Madison check page
This has since been updated with wording that hints at data collection – if the user is paying attention:
Spot the difference: Trustify's check page now.
The key change is this: “To check if your personal information was compromised, enter your email address. You must have access to the associated email address you are searching. You will receive an email with a yes or no confirmation in your inbox, not on our site.”
In its Q&A, Trustify says: “August 24 update: All emails tied to the search tool use have been turned off.”
In Vulture South's opinion, the data Trustify is collecting is even more sensitive than the contents of the Ashley Madison dump, since the latter is known to include some fake addresses.
Trustify, on the other hand, is in a position to confirm the interest of specific individuals in the dumped data.
In light of that, we have asked the company (among other things) to provide information on the measures it's taking to secure the data. No reply was received at the time of publication. ®
Updated to add: Leopard changes its spots, changes back
Shortly after this article was published, Trustify decided it preferred its old enter-any-email-address approach, and reverted. Thanks to Troy Hunt for alerting us, and Twitter user Wily for spotting the email on August 21.