On Data Breaches & Privacy Harms
My thoughts on that troubling HuffPo piece about Richard Hanania
Yesterday, HuffPost released a damning exposé written by Christopher Mathias (@letsgomathias) on the libertarian pundit Richard Hanania[1] and his deeply troubling past. I won’t relay the gory details here, but it’s a well-written, well-researched piece and pulls no punches.
Instead, I want to talk about how Mathias managed to uncover Hanania’s past, and specifically a decade-old online persona, where Hanania posted some absolutely abhorrent garbage that is almost certainly going to alienate anyone not already to the right of Tucker Carlson.
Like Diamonds, Data Breaches are Forever
Mathias discovered that Hanania was associated with the ‘Richard Hoste’ persona by matching email addresses, shared passwords, and related IDs that had been exposed in two data breaches — the Disqus 2012 breach, and another unnamed breach. From the article:
In 2012, Disqus suffered a data breach, with hackers stealing the details of more than 17.5 million users. Hoste was one of those users. HuffPost has reviewed data showing that Hoste’s account used a unique password on Disqus that was also used to log into other Disqus accounts that commented on AlternativeRight.com. …
One of his email addresses, according to data HuffPost reviewed from another data breach, was connected to an account on AutoAdmit, also known as XOXOhth ― a largely unmoderated message board, purportedly for lawyers and law students, that’s infamous for its anonymous users’ hatred of women.
I haven’t seen many cases published where source material came from a data breach, but I’m sure data breach information is a goldmine for open source intelligence (OSINT) gathering purposes. Still, it’s not unheard of. For example, the massive Epik data breach in September 2021 exposed a Florida real estate agent who registered multiple racist domain names. In early 2023, the social media site Poast was hacked, and researchers matched at least 260 different account holders to individuals in academia, government & the police and armed forces.
As a privacy-respecting person, this puts me in an uncomfortable position.
I am not a fan of Nazis, racists, or even most conservatives. I post pretty consistently about that in other channels. But I find the practice of using exposed data breach information to be deeply troubling. It’s one thing, for example, to match a person’s writing back to them — as Mathias also did in the Hanania case. If I post something online as “Privacat” and substantially the same thing as “Carey Lening” and people make a connection there, to me this is fair game. There is a degree of choice and consensuality here. But it seems different to do this by exposing individuals who were victims of a data breach. And yes, even misogynists, racists, and bigots can be the victims of a data breach.
Hanania’s past may have defined him at one point in his life. It may also define him now, I don’t know. But the fact that he was one of millions of individuals exposed in the Disqus breach is not something he willingly chose. It’s possible that Hanania has evolved as a person, but the fact that details of his past live on immortally on the internet means that he’ll likely never shake that off.
Reputational & Autonomy Harms
Most of us shrug off data breaches at this point, especially garden-variety email or user ID breaches — they are so frequent they barely make the news. There have been almost 700 publicly-disclosed data breaches (according to IT Governance research) this year, including the MOVEit security vulnerability, which itself has impacted 122 organisations and counting. The law really only considers data breaches from the perspective of financial harm and so-called ‘objective’ impacts — which is why many US laws require companies to provide free credit reporting when a serious financial or healthcare breach occurs, and why litigants have largely been unsuccessful at recovering for so-called “non-material” damages (like pain and suffering, reputational harm, etc).
In their seminal work “Privacy Harms”, Professors Daniel Solove and Danielle Citron remind us, however, that there are more than just financial consequences to consider when it comes to privacy impacts. There’s reputational harm of course (which is usually treated as a tort harm under defamation law), but also harms to our autonomy, such as lack or loss of control, and chilling effects to speech. “Lack of control”, as defined by Solove & Citron, refers to “the inability to make meaningful choices about one’s data or prevent the potential future misuse of it.” “Chilling effects”, borrowed from First Amendment jurisprudence, refers to acts “inhibiting people from engaging in lawful activities.”
As the authors note, courts have been inconsistent or uneasy in recognizing these harms, largely due to their lack of material (read: financial) or objective effect. Regardless of whether one agrees with Hanania, or the Epik or Poast account holders, it’s hard to argue that exposing them for their odious views or private decisions — not necessarily by their words or outward choices, but by way of a data breach — does not fundamentally strip them of their autonomy or chill their speech. As Solove & Citron note:
Chilling effects have an impact on individual speakers and society at large as they reduce the range of viewpoints expressed and the nature of expression that is shared. Monitoring of communications can make people less likely to engage in certain conversations, express certain views, or share personal information. Consider the impact of news that the gay dating app Grindr had shared subscribers’ HIV status with analytics firms. Subscribers expressed profound dismay. Individuals told the press that they would no longer share that information on that app or any dating app—it was simply not worth the possibility that employers or others could find out their HIV status and hold it against them. [Citations omitted]
These outcomes can affect anyone. Sure, journalists are exposing right-wing extremists and racists now, but there’s nothing stopping the same from occurring against left-wing activists or pundits. Imagine, for example, if you’re a reformed Nazi or de-radicalized Islamist, who happened to have an active posting history back in your unenlightened days. The US has a pretty bad track record for enforcing “right to be forgotten” laws, and many message boards, online publications, and even social media sites are rather crap at allowing account or post deletion. Should you be punished now for a view you had as an ill-informed teenager, even if you were a vocal one?
This ties back, of course, to the concept of why we all need a right to data curation, a right to manage what we expose or keep online.
I wrote: “Few of us are static creatures. What we like and dislike may change over time. Like hairstyles, careers, relationship statuses, and flirtations with libertarianism, things change as we grow older, experience more of life, and evolve as people.” We should empower users with the means to easily and selectively delete or control what lives on about us online, and right now, we’re just not there yet. As I said before, we should have the ability to keep (or change) “our online identities, without necessarily keeping every single awkward, painful, or regretted memory exposed in a database somewhere.”
Losing one’s job or standing in the community has an effect — the real estate agent in the Epik breach, for example, was sacked by his employer. Hanania may fare better — he’s a rising star and the alt-right is still strong in the United States — but I expect this will force him away from the more interesting perspectives he periodically shared and towards hard-right perspectives. Essentially, his cover as an “enlightened centrist” is blown, so why bother? He might very well have reformed his views since 2008, but with the exposure of his past, I wouldn’t be surprised if he takes a harder right turn. In my view, that would be a loss for everyone.
[1] For the unfamiliar, Hanania fashions himself as an “enlightened centrist”. He still leans pretty right-of-center, especially about race, gender, ‘wokeness’ and the like, but he does have a critical enough eye about the failures and own-goals of the conservative party to make him interesting. Perhaps his best, most insightful piece was “Liberals Read, Conservatives Watch TV”, which is where I first heard about him.