Case study: Ashley Madison

In 2015, Ashley Madison, a global social media platform facilitating extramarital affairs, experienced two data breaches, where hackers threatened to leak the personal account details of 33 million users to the public (Hern & Gibbs, 2015). The group of hackers blackmailed users - including members of the UK Defence Ministry - demanding bitcoin in exchange for not exposing them (Hern & Gibbs, 2015). The data breach meant that millions of users who had joined the site thinking their affairs would be secret, were faced with having their personal lives exposed - with consequences for their relationships and their careers.

Ashley Madison did not have a robust system of data-protection policies, despite boasting about its security standards. The platform should have identified risks, based on the privacy concerns of its customers and informed by the regulations that govern data protection in its countries of operation, such as the UK's Data Protection Act 2018.

Blog post on behavioural awareness

Wrongdoing is ubiquitous. Media outlets relentlessly report a seemingly ceaseless stream of deleterious human behaviour, from consumer fraud and financial misrepresentation to corporate and political corruption. And yet, despite the undeniable pervasiveness of human misconduct, people typically think of themselves as 'good people', and declare they value moral conduct (Feldman 2018). The reason for this apparent inconsistency is that people often behave badly while still maintaining a moral self-image.

The burgeoning field of behavioural ethics explores the different cognitive biases that lead wrongdoers to ignore or justify their own unethicality, thereby allowing self-perceived 'good people' to act in socially harmful ways. Concepts such as that of 'bounded ethicality', are increasingly being used by researchers to highlight the biased nature of ethical deliberation, and to explain the prevalence of unethical and illegal behaviour.

Research in behavioural ethics suggests that people do not typically make a calculated and deliberate decision to act 'immorally'.instead, people's ethical deliberations are often biased, distorted by their self-interest.People will thus tend to act immorally, but only when they can convince themselves their actions are in fact justifiable. Biased ethical reasoning, influenced by self-interest, can lead people to justify their wrongdoing even when a candid ethical deliberation would have led them to recognize the unethical nature of their choices. Biased cognitive processes can also prevent people from seeing ethical dilemmas altogether. People often interpret reality in whichever way is most comfortable for them; therefore, they will systematically fail to observe facts that would indicate they are treading on morally questionable grounds.

Behavioural ethics research indicates that semi-deliberative and non-deliberative wrongdoing is situation-driven. That is, in some situations and scenarios (ethical traps or 'moral blind spots'), a great majority of people do not comply with legal norms. Behavioural research highlights multiple situational antecedents of non-compliance. For instance, research indicates that misconduct proliferates when legal norms are vague, when people think their wrongdoing can benefit others (and not just themselves), when victims are unidentified, or when decisions can be easily attributed to both legitimate and illegitimate motivations. Behavioural ethics research suggests that in such situations 'minor' wrongdoing would become endemic, widespread, and difficult to regulate and prevent.Where such moral blind spots are present, wrongdoing may become the norm rather than the exception. The reason that such ordinary unethicality is so common, and so difficult to deal with, is that it is easier for ordinary people to ignore, justify and excuse it to themselves.

In a forthcoming Cambridge Handbookchapter, we highlight the far-reaching implications that behavioural ethics research bears for questions of legal compliance. That is, if wrongdoers convince themselves they are in fact committing no wrong, or are otherwise blinded to their own misconduct, how can the law act to prevent wrongdoing? Traditional deterrence approaches, emphasizing sanctions and punishment, might fall short in this respect. After all, if perpetrators regularly fail to recognize their own misconduct, why should they be deterred by the threat of legal sanction?

These findings represent the need for a new regulatory approach, one that incorporates behavioural ethics findings into a comprehensive framework aimed to improve compliance. Such an approach must account for the need to engage effectively with the awareness of potential perpetrators and attempt to improve ethical deliberation and shed light on moral blind spots. Such an approach should also aim to identify the situational antecedents of unethicality, and tailor specific regulatory responses to specific situations.

We suggest that such a regulatory approach should centre around the idea of 'ethical nudging'. An ethical nudge can be any regulatory intervention that is designed with the explicit goal of improving ethical deliberations by potential wrongdoers. Thus, ethical nudges can take the form of hard or soft sanctions, ethical alerts, and other de-biasing mechanisms, as long as these are all designed to help people overcome the cognitive and ethical biases that generate wrongdoing and conduct a more candid ethical self-evaluation of their own actions. Experimental findings suggest that, deployed appropriately, ethical nudges can be highly effective. In some circumstances, a measure as simple as making people sign an ethical code of conduct before making an important decision was found to reduce wrongdoing significantly. Similarly, ethical reminders can bring specific facts to the attention of wrongdoers at crucial junctures of decision-making, to make sure they are more difficult to ignore. To be effective, such reminders must stand out, so they are not easy to brush off. Reminders may therefore also include references to legal or social sanctions, when appropriate. Importantly, ethical alerts have been proven effective not only in prompting deliberative decision-making, but also in improving the ethical outcomes of non-deliberative choices. That is, a statement of commitment to a moral code, as well as other ethical reminders, can help people reach more ethical outcomes even in their non-deliberative decision-making.

The regulatory use of ethical nudges must be based on behavioural research findings and on a solid understanding of the cognitive sources of unethicality in specific instances. Accurate identification of the cognitive sources of illegal behaviour in different contexts is necessary in order to allow regulators to deploy the appropriate ethical nudge (such as an ethical alert, or a requirement for a declaration of commitment to an ethical code of conduct) that would best eliminate the particular cognitive blind spot that generates misconduct in a specific context. The ethical nudge approach must therefore be embedded in a regulatory framework that is tailored and responsive to the particulars of the regulated situations, in order to identify the specific ethical blind spots that cause misconduct in specific scenarios. This approach will also call upon regulators to alter in advance the situational factors which were shown to be the antecedents of unethicality (egwhen norms are ambiguous, or when wrongdoing harms unidentified victims). For a more comprehensive account of such an approach, the interested reader is welcome to read our recentarticle, outlining the structural features of a responsive regulatory system designed to support and facilitate ethical nudges and improve deliberations by potential wrongdoers.

The following extract from the Data Protection Act is about the General Data Protection Regulation (GDPR) and protecting personal data. It is relevant in the case of Ashley Madison:

1. The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by:

1. Requiring personal data to be processed lawfully and fairly, on the basis of the data subject's consent or another specified basis;
2. Conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified; and
3. Conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.

2) When carrying out functions under the GDPR, the applied GDPR and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers and others and matters of general public interest.

(Data Protection Act 2018)

1. imagine that it is 2014 (before the 2015 data breach) and you are a compliance consultant for Ashley Madison. You have been asked to identify risks that could impact the organisation
2. Use the extract from the act and the blog post on behavioural awareness to analyse how the behaviours of customers using the Ashley Madison platform could open the organisation to certain types of risk.