NZNTV

THE ASHLEY MADISON hack is bad news for, well, just about everyone. With some 32 million users reportedly exposed, the hack of “the most famous name in infidelity” is bad forthe company, bad for its users, and undeniably awful for their spouses.

But at private investigation startup Trustify, business is booming—and it’s all thanks to the hack. The company has capitalized on the situation by launching a service last week that lets anyone search the data dump of Ashley Madison logins, while touting its PI wares to those who are, er, concerned by a name they’ve found on the list. “Find the truth,” the company homepage says. “Get peace of mind.”

Since the tool’s release, critics have been calling foul, arguing that Trustify has not only exposed the private information of the site’s users, but is further exploiting their situation by trying to sell its PI services. But much like Ashley Madison itself profited from potentially destroying the lives of the spouses looking to cheat, Trustify hasn’t seemed all that concerned with its moral compass, well, until the bad publicity hit.

“For us, it’s a fine line. We’re in the business of finding truth,” Danny Boice, the company’s founder and chief executive, told WIRED last week. “We don’t have a position on that truth, there’s no bias. We don’t help anyone cover it up, and we won’t help anyone take actions once they find the truth.”

The company, however, seemed to change its mind—twice. Yesterday, seemingly responding to the criticism, the company updated the “check tool” to allow people to search only their own email addresses. But it quickly changed the tool back to allow anyone to search for, well, anyone, claiming negative feedback of the new tool. All of which goes to show that, when it comes to the Internet, if there’s a will, there’s a way—and, if there’s a situation that can be exploited for gain, people will do whatever they can to exploit it as much as they can.

Service, Democratized

A great private investigator can be extremely useful, Boice says, adding that he himself knows the pitfalls of a bad one. During a messy custody battle, Boice hired a series of private investigators for “thousands of dollars” who turned out to be, well, useless. But once he found a younger, savvier PI, he explains, he was able to compile the evidence he needed to win in court.

That experience is why Boice founded Trustify in March of this year. With an internal screening process and customer star-ratings, the service functions like an on-demand tech company—Uber for PIs. The majority of investigations are conducted on the Internet, and a quarter are led with more traditional “hiding in the bushes” style surveillance.

“Historically, going back to Abraham Lincoln, PIs were a service for the wealthy,” he explains. “We’ve made it so the average consumer can now afford a PI. We’ve democratized the service—anyone with $67 can get a PI to do surveillance or an Internet investigation.” (Through the company, PIs cost $67 an hour.)

But while Trustify typically sees customers who are looking to locate an old friend or do a more thorough background check on, say, a new nanny, the Ashley Madison hack has been especially good for business. The company says it has seen its daily caseload increase fifteenfold in the past week with new sign-ups specifically looking to find out if their partner or spouse is a cheater.

‘The Truth’

“Ashley Madison folks have been interesting,” Boice says. “Half of them, surprisingly, are men who were using Ashley Madison and are now like ‘Crap, I’m busted and I want to see how bad it is.’ The other half is the flip side of that where it’s spouses that have suspicions and want to do a search to see if that person was using Ashley Madison.”

But that’s at least partly the result of Trustify’s very own practices. Following the first dump last week, Trustify set up a way for worried spouses, or concerned users, to check if an email address was in the leak, which would indicate that the person was a potential Ashley Madison user, and perhaps imply that he or she was looking to cheat (or had). “We got ahold of the hack data. It was in a public place in the deep web,” says Boice. “And we hooked it up to a search utility.”

The data in the dump has not been verified, nor did Ashley Madison verify email addresses, so even if an address was in the dump, it does not mean a person used the service. However, after I spoke to Boice last week, he said the site checker was seeing 500 searches per second at its peak, adding that the company has more than doubled the number of users thanks to the hack.

“For us,” he adds, “it’s a way to get people to know about our service, and to give you a free, cheap way to look to see if your significant other was a user.”

The Flip Side

While Trustify’s employees may have been cheering their success, critics have lambasted the company for fear mongering, harvesting email addresses, and inciting users to sign up for its services. Troy Hunt, a security expert who runs a service that aggregates data breaches, railed against the company for exploiting the worries of those who may have been exposed in the site.

He says Trustify not only encouraged curious or concerned people to search the email addresses of others with its tool, but also harvested the input addresses and exploited worried users to sign up for its PI service by sending any email address that was found in the database a message that their address had been found, and potentially linked to the Ashley Madison hack. Trustify’s solution? Use our service.

“The design of the system specifically recognizes that people will search for other people and that it presents an opportunity for those other people to then receive marketing about Trustify services,” Hunt writes ina blog post, adding that “every search you do is contributing to their marketing database of potential customers built up without consent.”

Hunt is not the only one to call out the site. In a Reddit post related to the Ashley Madison hack, one user said the site “is acting as morally bankruptas a doxxer.” Another said it is “blatant ambulance chasing—pretty low for any business.” Trustify’s content marketing director, Elliot Volkman, reportedly took to Reddit last week to respond to criticisms in an AMA (Ask Me Anything), but any evidence of his responses (or verification that it was in fact him) has since been deleted.

Par For the Course

The company may now realize that it went too far, well, kind of. On Monday, the site’s Ashley Madison “check tool” was down as the company updated its service. The previous tool was then replaced with one that only allowed users to check their own addresses by getting an email confirmation indicating whether or not their address was part of the hack.

But then the company had a change of heart… again. As of Tuesday morning, the new check tool was replaced to now allow anyone to check any email address, and get a confirmation on the site itself, similar to how it was originally set up. The company says, however, it is no longer collecting email addresses, or emailing any address that was checked.

When WIRED asked Trustify why it flip-flopped on the search services (twice!), Boice explained in an email that the company had received “the most negative feedback to date from our customers” when it allowed users to check only themselves. “They wanted to be able to check any email address and not have any emails at all go to it. We responded immediately to this clear customer demand and made one last change to our tool,” he says.

And yet it’s not completely clear why Trustify ever needed to send an email to a user who had already done a search and seen that he or she had been exposed in the hack. In fact, from the beginning Trustify seems to have advertised its service to encourage people to check others. It is, however, clear that the company is now more than willing to confirm that any email address is part of the data dump if that’s what the people want. Be it good or bad, for Trustify, a business that depends on clients’ trust, the truth is nothing more than a marketing technique.