Friends, let’s have a little chat. Most of you have probably already heard about the iCloud compromise that sent hundreds of nude pictures of female celebrities racing across the Internet (including a few less-than-legal ones snapped before they turned 18). As a crime, it’s not really all that different from voyeurism and should be treated as such. Other than the trolls who think they have a right to get their jollies at anyone else’s expense, I don’t think you’ll find a lot of pushback on this position.
Where you will see a lot of pushback is when you start talking about how a user should have handled their personal security more effectively. For some reason, suggesting that a smarter, more proactive, more defensive posture with regard to your personal data would have been a good way to reduce the odds of being caught up in a compromise gets you slapped with ugly accusations of “blaming the victim”. Despite Apple also being a victim here (it was, after all, their system that got broken into), there’s no shortage of advice telling them how they could have avoided the problem or at least discouraged all but the most determined attackers. There seems to be one heck of a double standard going on here concerning who we are and are not allowed to dole out security advice to.
All that aside, it’s quite the spectacle to see how Apple failed to protect users’ data. While they offer two-factor authentication on most other services, iCloud is conspicuously absent from that list. There’s also some solid evidence that Apple did not implement basic security features like tarpits and failed login controls (which lock accounts for a period of time after a number of unsuccessful attempts). Combined with tools that allowed brute force attempts to crack the passwords of select accounts and a mutation of a law enforcement tool that allows siphoning data from a phone, it was a matter of when, not if, these accounts would be compromised.
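A minimal sketch of the two controls named above, a failed-login lockout and a tarpit that slows repeated guesses. This is an added example, not Apple's code; the class name, thresholds and the injected `verify` callable are assumptions chosen for illustration.

```python
import time

MAX_FAILURES = 5        # assumed: consecutive failures before the account locks
LOCKOUT_SECONDS = 900   # assumed: how long the lock lasts
TARPIT_BASE = 0.5       # assumed: first delay in seconds, doubled per failure
TARPIT_CAP = 8.0        # assumed: upper bound on the delay


class LoginThrottle:
    """Wraps a password check with a tarpit delay and a timed lockout."""

    def __init__(self, verify, clock=time.monotonic, sleep=time.sleep):
        self.verify = verify   # callable(account, password) -> bool
        self.clock = clock     # injectable so the logic can be tested
        self.sleep = sleep
        self.state = {}        # account -> (failures, locked_until)

    def attempt(self, account, password):
        failures, locked_until = self.state.get(account, (0, 0.0))
        if self.clock() < locked_until:
            # Locked: reject without evaluating the password, so guesses
            # made during the lock window give the guesser no information.
            return "locked"
        if failures >= MAX_FAILURES:
            failures = 0       # the lock has expired, start a fresh count
        if failures:
            # Tarpit: each consecutive failure doubles the wait.
            self.sleep(min(TARPIT_BASE * 2 ** (failures - 1), TARPIT_CAP))
        if self.verify(account, password):
            self.state.pop(account, None)   # success clears the counter
            return "ok"
        failures += 1
        if failures >= MAX_FAILURES:
            locked_until = self.clock() + LOCKOUT_SECONDS
        else:
            locked_until = 0.0
        self.state[account] = (failures, locked_until)
        return "locked" if locked_until else "denied"
```

A per-account lock like this also lets anyone lock a user out by deliberately failing logins, so production systems usually pair it with per-source rate limits and a second factor.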
Even had Apple done everything right (and you can probably bet that will now change sooner rather than later), it still presents a very attractive target. Most smartphone users are not sophisticated. You grab your phone and just start using it, probably with whatever default settings it came with. If Apple, Google, Microsoft, or whoever said “hey, set up this backup”, you’d probably do it without considering what that entails. All of your pictures, videos, text messages, emails… backed up conveniently in a single location that is a tantalizing trove of personal data that someone might want to get access to. If you’re a famous person, you basically have a big, red bullseye on all of your digital assets.
If you want to take pictures of yourself naked, you’re absolutely within your rights to do so. You’re absolutely a victim if someone steals and publishes them for any reason whatsoever. You do, however, need to be mindful that once you’ve created that data, you need to properly secure it to reduce your chances of it being stolen. Don’t back it up to a shared hosted solution like iCloud, Dropbox, or Google Drive unless you’ve encrypted the data first. Delete anything you don’t actually want to save. Employ remote wipe options for your phone (available on both Apple and Google products) so that the loss of a phone won’t expose that data. And maybe, just maybe, consider not creating any media that you would be mortified to have out in the wild.
Every company will experience breaches now, even the ones that generally follow good security practices. Are you being smart with your data before you’re the next one in the crosshairs?