Founded just five months ago by Danny Boice, formerly an executive with Speek (acquired by Jive communications), D.C.-based on-demand private investigations startup Trustify is in hot water because of a promotional search tool it created to help sift through leaked Ashley Madison customer files.
In an interview with DC Inno, Boice said he isn’t backing down amid the criticism: “I 100 percent fully stand behind our decision to be the first ones to launch this tool. Our customers are happy so we are happy.”
The search product was intended as an investigative tool to allow users to search for the name of a spouse or loved one who they suspected of using the infamous affair matchmaking service. But Trustify, and its tool, have received pointed criticism from a number of national tech publications for allegedly storing inputted email data for marketing purposes.
Other related marketing content and social media outreach posts depict how Trustify advertised the product to a wide customer base that included curious bystanders, anxious former Ashley Madison users and concerned spouses. Regardless of personal opinion, however, one thing is for sure: the search tool became a viral sensation.
“The tool had gone viral and we were getting like 500 searches per second so things got pretty nuts there for a while and we were just trying to keep up with demand,” Boice said.
1.) How it started
The saga first began via a Reddit thread and was then further expanded by a blog post written by Troy Hunt, a Microsoft MVP for Developer Security. In both cases, criticism was focused on the content of auto-emails being sent by Trustify, the methods used to obtain these email addresses and the purpose of collecting this information.
Hunt, according to Boice, was an API provider for Trustify and is also the creator of a somewhat similar service called Have I been pwned? (HIBP). Hunt’s service lets users verify and receive notification if they have a website account compromised in a data breach. While this includes accounts tied to AM it also includes other linked accounts to Adobe, Snapchat and Gawker, among others. HIBP is a donation based service.
"The emails were done correctly in the context of how the tool was intended."
Boice told DC Inno, “ironically, we used Troy Hunt's own public API to build our original tools. In fact, we paid him via a donation he solicited for access to this API. He had no issues with anything we were doing until our tool started getting more press than his and then suddenly he took issue with us."
In an email interview with DC Inno, Hunt said he had no knowledge of Boice's donation because the process was intentionally designed to be discretionary. Hunt added, "what Trustify don’t seem to understand is that this incident is not about popularity or who can build the most hit service; I don’t know how much press they’ve had compared to HIBP and frankly, I don’t care because HIBP doesn’t commercialise the traffic. The focus should be on maximizing support for victims whilst minimizing harm to them."
The tool had gone viral and we were getting like 500 searches per second so things got pretty nuts
Hunt, along with Wired and The Register, described that the AM-Trustify tool would inconspicuously store email addresses that customers searched for. A followup email would then be sent to not only the original Trustify user who inputed the email, but also to the email address for which an “investigation” was initiated. These emails included forms and signup options to purchase Trustify services and products. The insinuation is that Trustify is recording searches and thereby spurring inquiries for paid investigations.
Boice replied to the email outreach criticism levied by Hunt and other publications by saying, “if you use a tool that promises to email you a report stating whether you were personally compromised in the Ashley Madison breach then I would assume the user expects an email to come to them. Seems like a no-brainer to me … We stopped sending emails and I don't have a copy handy to send you.”
2.) Email storm
The outgoing email to suspected cheaters read, “You or someone you know recently used our search tool to see if your email address was compromised in the AM leak, and we confirmed that your details were exposed. This sensitive data can affect you love life, employment, and follow you across the web forever. There are ways to hide the exposed details, but first you need to see what information can be found across the web. Talk with our experienced investigative consultants to learn how you can find out what incriminating information is available and could ruin you life."
A key point of emphasis made by many of the news outlets who have mentioned the [above] email is that a small note towards the bottom of some of Trustify's emails reads “you received this email because you are subscribed to marketing information from Flimflam Investigations.” Trustify was previously named Flimflam.
Boice confirmed to DC Inno that the content reportedly tied to the outgoing email was in fact, legitimate. That being said, he also outright denied the allegation that every search was contributing to a marketing database.
“The emails were done correctly in the context of how the tool was intended. As the tool went viral and started being used in ways outside of how it was intended we adjusted it on the fly,” Boice said.
3.) Reconciliation
Interestingly, Trustify released an official statement regarding the AM tool as the marketing controversy story began to gain steam.
In it, the company described that “an automatic message is sent to the e-mail address that [are] found to be compromised. The purpose of the e-mail is to provide confirmation to the Ashley Madison user, which to our knowledge, has not communicated with their customer base to notify them, or offer any support for identity theft protection. Ashley Madison users have a right to know that their personal information is now publicly available to anyone on the Internet.”
In the past several days, and as part of an update, Trustify has changed the language on several prompts and also via its tool to exclude the text “your spouse.” Another change via a notifications makes it clear than an email inquiry will follow after a user has inputed information into a more detailed customer form, describing the conditions of an investigation and its processes.
Analysis
As further developments in the AM hack case have unfolded it has become increasingly clear that the online affair matchmaking service did not institute user registration confirmation emails. In essence, it was entirely possible to sign up a person by simple inputing their email address without ever activating an outgoing email to check-in with the email’s owner to verify their authenticity.
"AM did not verify email addresses or physical addresses, so many of them could be fake. One AM user registered under former Prime Minster’s of the United Kingdom, Tony Blair. It could have been anyone using that email address," Aamir Lakhani, senior cybersecurity researcher at Fortinet, said.
As a result, emails being flagged by Trustify and other similar AM search tools could be fake emails or were even registered on AM by individuals unaffiliated with the ownership of said email address—causing a false-positive test result. One inherent issue in the search is that it cannot avoid these false-positive results. And that can be especially damaging for concerned users who find their spouse’s email registered while it’s also possible that they never participated in an extramarital affair.
“Undoubtedly, many of the emails and domains now published to the Dark Web are fake,” Jason Polancich, a 20-year NSA veteran and the founder of cybersecurity startup SurfWatch Labs, previously told DC Inno.
VIDEO:
