Well, it looks like another one of my 2014 Bold Predictions came true over the weekend. If you don’t know, a large number of prominent female celebrities had their Apple iCloud accounts compromised and a bunch of nude photos taken from said accounts have been making the rounds online. I’m not naming names or detailing beyond that; a quick Google search will give you all the info you need. Some have admitted their legitimacy, legal threats have been made by others who don’t seem to understand that’s also basically admitting their legitimacy, and hosting sites are trying to swat down the photos, but since this is the Internet, they’ll never be gone. These are out in the public now and so they will stay.
Let me be clear because as with other controversial issues lately, I have to disclaim them lest I be purposefully taken out of context and made an easy target by people who make a hobby out of such things: This should not have happened, these women (and it was only women) did not deserve to have these photos made publicly available and the scumbags responsible should be found and prosecuted fully for their actions. We clear? OK, good.
That said, this is a valuable lesson in something I’ve long been saying, pretty much since the nebulous concept known as “the cloud” came into being: You can’t trust it and you shouldn’t trust it. Ever. That’s not the same as not using it. I use an encrypted cloud service as a secondary backup for my critical data. I also use an automated cloud sync service to easily move files I frequently access between all my machines. My Android phone maintains a cloud backup of its settings and, wait for it, backs up any photos I take to the cloud automatically, though those photos are almost entirely of my pets. These services are convenient, cheap (often free) and, for the most part, pretty hands-off and seamless.
They’re also all completely untrustworthy.
The reason for this is simple: You are never fully in control of your data when it lives on someone else’s service. Another quick Google search will find all sorts of examples of services being compromised, either by hackers or by incompetence or oversight of their employees. Many of these services don’t encrypt your data and even if they do, other oversights can get people the means to access said encrypted data anyway. Some companies have better security track records than others to be sure but no one is immune to slip ups. Size of the company is irrelevant to the size of risk but more on that later.
Now, the first argument a lot of people leap to in these situations is how supposedly stupid these women were for taking illicit photos with their phones and you know what? It’s not considered appropriate to say but there is an argument to be made that you probably shouldn’t do that. Thing is, that’s not the issue here. It wasn’t their phones that were hacked, it was iCloud. It doesn’t matter if they took the photos with their phones, their tablets, their webcams or a fancy SLR camera. If the photos ended up in a folder iCloud syncs, they were in the crosshairs of the hackers. The other half of this, though, is that I’ve already seen a couple of the celebrities quoted as saying they just accepted all the defaults when they set iCloud up and never bothered to check what it was doing because they just trusted it. That right there is their biggest mistake and the one made by most people, especially Apple users.
I think there is some personal responsibility here. If you’re a person of prominent celebrity (or anyone at all really) and you fancy taking nude photos of yourself from time to time, there’s nothing wrong with that at all. However, you should be damn sure of where those photos are potentially ending up. If you aren’t, most celebrities are wealthy enough to hire someone to make sure they have a safe space on their computers that isn’t ending up in the cloud or who can teach them to put stuff they don’t want in the wild onto a flash drive they can lock in a safe. Rule number one, bolded and double-underlined is that you should never ever store anything in the cloud that you don’t want potentially being made available to the public at large. If it’s something you must store in the cloud, you need to make sure it’s encrypted and that you control the means to decrypt it. A password isn’t good enough, you need to control the actual keys to it. I have critical personal data stored on my backup service (no nudes though, sorry) but I control the keys to access that service so even if someone guesses my password (which is also long, complicated and unique so as not to be easily guessed), they’re out of luck.
While this is something that shouldn’t have happened, I hope it teaches people that this is something you need to pay attention to. If you just accept all of the default settings for any service, be it iCloud, Dropbox, OneDrive, CrashPlan or whatever and then store illicit material on it, a certain amount of anything bad that happens to it is yes, on you. People with both money and fame have even less of an excuse. Technology is becoming easier to use all the time. This is a good thing but it’s also not an excuse for ignorance of what it’s doing with some of your most important data. If it’s something that absolutely can’t be in the cloud, then you need to make sure it doesn’t end up there and there are plenty of other ways to ensure it’s backed up safely without it.
I think the lesson this also serves is that it doesn’t matter how big the company is that’s hosting your cloud of choice, size does not equal trustworthiness. In this case, a service was hacked that’s run by a company that despite being one of the most valuable in the world, still treats security as a secondary concern. Everyone thinks Apple products are secure. Why? Because Apple says so. That’s pretty much the only reason. They were able to ride this marketing blurb for years successfully because their products only comprised a fraction of the overall market (which is still true when it comes to computers) and few hackers go after small targets. However, especially in phones and tablets, that’s not the case any more. Most celebrities use Apple products because they’re what’s fashionable right now and the hackers know this.
Say what you will about Microsoft, both about security and in general, and despite being a PC guy, I can say plenty too. But riddle me this: When was the last major virus or hack of a Microsoft product or service that made the news? It was a long time ago and there’s a reason for that. After being lax in security for years and getting beat up for it, Microsoft established a massive, well-funded department of the company that does nothing but find and patch holes in their products, many of which are fixed before hackers even find out about them. When a hack is found, Microsoft usually announces it right away, along with a timeline for getting a fix out, and those deadlines are both fast and almost never missed.
How has Apple responded to this iCloud hack? By saying nothing. It’s been a couple of days now and aside from quietly patching the Find My iPhone portion of iOS, they’ve said nothing. No explanation of how the attack happened, no commitment or timeline for a permanent fix, not even an article telling people how to better protect their iCloud accounts. In spite of this massive breach of one of their supposedly bulletproof products, they’ve said nothing. Why? My guess is because they know it’ll blow over. The Apple fashion trend is still kicking (though starting to wane) and their hand-picked fanboys in the tech press are not only failing to hold their feet to the fire, many of them are saying this issue is overblown. I’ve seen more articles today with iPhone 6 rumours than talking about this huge security breach. After all, the tech press doesn’t want to get blackballed for speaking ill of the company, a practice that’s been common at Apple for years. They know that if they just sit on this, eventually it will blow over and even a bunch of their nude photos leaking probably won’t be enough for these celebrities to give up their precious iPhones.
This is a frankly epic failure on the part of both the company and the tech press to inform their readers of a potentially serious problem. Sure, the story is that nude photos got out but who knows what else was compromised, from whom and how it was done? If this happened to Microsoft OneDrive, we’d already know. With Apple, if they don’t want to talk about it, they just zip up and wait for people to go back to gushing. This is one of the biggest companies in the world with enough cash on hand to almost literally buy a solution to any problem. When Microsoft, the company whose products have been at the center of some of the biggest security breaches in history, is now beating you on security, that’s pretty shameful. Never have I been in greater confidence of my decision to not have Apple products in my life.
Ultimately though, while Apple’s arrogance is adding an extra layer to this issue, it doesn’t detract from the lesson that the cloud is simply untrustworthy, regardless of who is running it for you. Whether you prefer PC or Mac, Android or iOS, OneDrive or Dropbox, your first instinct should be to only put stuff on those services you could live with the entire Internet seeing. You don’t need to cease using them, just be smart about what you put on there and know how they’re using it. Educate yourself, it’s not hard. It’s maybe not what you’d rather be doing but ignorance through laziness is no excuse and as we’ve seen, it’s a big part of this whole thing.
I also think this is a perfect opportunity for smaller cloud services that want to pick up some customers to lead such education. Tell people exactly how you protect their data, make your tools easy to configure, show people how they can leave out the stuff they don’t want in the cloud. If you show you’re committed to letting people have control of their own stuff, I think they’ll respond positively to that. The cloud is an incredibly useful resource but it comes with a cost and everyone on both sides needs to be aware of it. This scandal is the best lesson of that we’ve had in a long time and I hope people wake up with it.