So a bunch of (very attractive) female celebrities’ iCloud accounts were reportedly hacked, and naked pictures of these (very attractive) celebrities were stolen from their accounts.
The hackers then either apparently sold pictures of these (very attractive) celebrities, or merely posted pictures of these (very attractive) celebrities online. A bunch of social, security, and ultimately legal issues arise from this attack.
- The Social Issues
There are a few social and societal issues associated with the hack. First, of course is why people take these kinds of pictures. The answer there is (or should be) because they want to. And that is their right. So stop blaming the (very attractive) celebrities for having, exchanging, or storing their naked pictures.
There is a difference between taking such pictures and sharing them with others who want them (and hopefully who will protect them), and sharing pictures with strangers, or unwanted persons.
A second issue is, of course, “why females?” Well, it’s not much of a question. But a better question is why no market for naked pictures of, for example Brad Pitt or anyone else? I’m not sure of the answer to this one, but from a security and marketplace position, if I had nude pictures of (very attractive) women, I would protect it more than of just some dude. Unless that dude was Carlos Danger. Then, I would do what I could to protect it from “over exposure.”
- Security Problems
Apple has issued a press release stating – shockingly – that it has no responsibility for the hack to the iCloud accounts. In particular, Apple stated:
“We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
“To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.”
OK. Let’s parse this statement. Apple is saying this was a “very targeted attack” and had nothing to do with any breach of Apple’s systems. Both wrong.
Sure, it was “very targeted” in that it impacted only a few hundred people out of the 10s of millions of Apple iCloud users. But it really wasn’t “very targeted.” The people who were targeted had, as far as we can tell, little if any connection to each other.
They didn’t work for the same company or companies, share Internet connections, or even necessarily know each other. What did they have in common? They all apparently used the iCloud servers for storing or transmitting their information at one time or another. Oh yeah, and did I mention that they are all (very attractive) female celebrities?
What Apple is saying in noting that these were “very targeted” attacks is a few things. First, of course, they are saying, “it’s not our fault.” Or alternatively, blame the (very attractive) celebrities. Second, they are saying that the hackers specifically went after these individuals — reading between the lines, that this was likely a “spear phishing” attack on these (did I mention, very attractive) female celebrities. Thus, it had nothing to do with Apple or iCloud. Preventing phishing attacks isn’t their jobs. Well, no more than anyone else’s.
The spear phishing attacks likely were targeted at getting the User ID’s and passwords of as many (very attractive) celebrities as possible. Some of these (very attractive) celebrities likely knew each other, so a successful attack on one might result in obtaining information about, and a route of access to others.
So Jennifer Garner is connected to Jennifer Lawrence. Six degrees of Kevin Bacon (except Kevin, as a guy, wasn’t hacked.) Of course, all of this is just speculation, but in the absence of facts, speculation will do.
Second, Apple said that there were things that the (very attractive) celebrities could have done to prevent these attacks. They could have used two-step verification. They could also select strong passwords. Yeah, sure.
They could also not take nude pictures, not have a private life, or stick to the USPS for their communications needs. We have no reason to believe that the (very attractive) celebrities were doing anything other than using two-step verification with strong passwords. This is another way for Apple to blame their customers. Hey, WE provide you with security tools. If YOU don’t use them, well your private parts are public. Not our fault!
Two-step verification involves an “out of bandwidth” communication whenever an account is accessed from an “unusual” IP address or computer. Thus, if someone tries to log into your account from say Stormstadt, Sweden (assuming you aren’t usually on the Southwestern coast of Sweden) you will get a text message on your phone alerting you of this fact.
So if someone accesses Jennifer Lawrence’s account from somewhere strange, she gets a text. Of course there are many ways to circumvent this scheme – including hacking the phones, but it’s better than nothing.
As for “strong” passwords, there’s no indication that these (very attractive) celebrities were using weak passwords, or that the attackers used a “brute force” password cracker to get their passwords. Strong passwords are good. No passwords are (is) better. That is to say, passwords need to die a slow death. But let’s blame the (very attractive) celebrities.
Another problem that the iCloud attack illustrates is the fact that we don’t just record every aspect of our lives on our phones, effectively we stream every aspect of our lives. Many services, including iCloud, Google Documents, and Microsoft OneDrive automatically make a copy of what you create and store it remotely. In many cases, that is the default for the application. This means that if you lose your phone, no worries – your docs, apps, and family pictures are stored on the cloud. Voilà! One click recovery.
It also means that your intimate pictures, texts, and porn browsing activities, medical diagnosis and treatment (STDs?) and chat logs with girlfriends are also winding their way through and on the Nephelai.
It is doubtful that the (very attractive) celebrities were aware that their pictures were stored on the cloud. You can’t (don’t) protect what you don’t know about. Data backup is great for DR/BCP purposes. It also means that you have TWO copies to protect. And you typically don’t expend money and energy on protecting archives – especially if you never access them.
- Delete Doesn’t – Restore Won’t
It has been reported that many of the purloined porn pics had been deleted by the (very attractive) celebrities. This illustrates another problem with the web. When you think you have deleted something, you probably haven’t. Similarly, when you think you can recover something, you probably won’t be successful either. Deleting, as a means of protection is worse than ineffective. It is dangerous and expensive. This is also true when it comes to incident response, and eDiscovery. Don’t delete. WIPE.
- Encrypt, encrypt, encrypt.
Many services provide security by encrypting documents or pictures of (very attractive) celebrities by default, and I assume iCloud does the same. Great. ‘Cept for one thing. When the user, or anyone with the user’s credentials, logs in, the files are not only decrypted, but indexed and searchable.
Also, Apple like other ISP’s reserves the right to examine the contents of your theoretically encrypted records, and the government reserves the right to compel Apple and others to decrypt and produce your files. It’s like the story of King Arthur who, off to the Crusades locked his lovely wife, Guinevere, into her chastity belt. Then he summoned his loyal friend and subject Sir Lancelot. “Lancelot, noble knight,” said Arthur, “within this sturdy belt is imprisoned the virtue of my wife. The key to this chaste treasure I will entrust to only one man in the world. To you. If I am killed or fail to return in seven years, you may release her from her vow of chastity.” Humbled before this great honor, Lancelot knelt, received his king’s blessing and took charge of the key. Arthur mounted his steed and rode off. Not half a mile from his castle, he heard hoof-beats behind him and turned to see Sir Lancelot riding hard to catch up with him. “What is amiss, my friend?” asked the king. “My lord,” gasped Lancelot, “you have given me the wrong key!”
Don’t trust the key to Apple. Or to Microsoft. Or to Google. Or to Facebook. Encrypt at least your nudie pictures of (very attractive) celebrities BEFORE you store them online or offline. And keep the key yourself.
- Crimes, Torts and Wrongs
So, who committed crimes, and what can they be prosecuted for? Clearly the hackers violated the computer crime law – 18 USC 1030. They intentionally exceeded the scope of their authorization to access a computer. Or many.
These would either be the computer of the (very attractive) celebrities’ computers, or their iCloud accounts. In addition, the hacks may have related to the email accounts of these same (very attractive) celebrities which would implicate the Stored Communications Act, 18 USC 2701. They might also have violated the wire fraud, theft, conversion or extortion statutes.
The FBI has also reportedly warned anyone who posts these pictures online that they are committing a crime and are subject to prosecution. Really? Really? What crime is that? I am scratching my head trying to figure that one out.
In addition to federal crimes, there are a host of similar state crimes – including some potential privacy crimes – that might make the attacker s subject of investigation or prosecution.
My best advice to these (very attractive) celebrities is to hire a lawyer. Hire one right away. Hire one who knows and understands computer forensics, computer investigations, privacy laws, and criminal investigations. Hire a former federal computer crime prosecutor experienced in cyber investigations. Do it now.
The (very attractive) celebrities should sue both Apple (why not, if it moves, sue it – if it doesn’t move, move it – then sue it) but mostly sue the “John Doe” hackers. They could sue for hacking, copyright infringement (more on that below) and privacy violations like “intrusion into seclusion” or theft.
This gives the (very attractive) celebrity access to subpoenas and discovery, and a limited amount of cooperation from ISP’s or others. It allows for the (privileged) retention of experienced cyber investigators, and shows that privacy is something worth fighting for.
Hire a lawyer.
- Of Monkeys and Monkey Business
What does a crested black macaque have to do with the theft and posting of pictures of (very attractive) celebrities? Plenty. You see, many of the celebrities have reportedly used provision of the federal DMCA – the Digital Millennium Copyright Act – to get ISP’s and others to take down the nude pictures. There’s no law against hosting or posting nude pictures – even if the (very attractive) celebrity doesn’t want them posted. In fact, the law generally gives ISP’s immunity for hosting just about anything online. It is that law that provides refuge to spite sites and revenge porn sites.
But copyright law is different. You see, companies own copyrights, so they put in protection for their copyrights into the DMCA. If you own a copyright and an ISP or website is hosting your legally protected content, you can demand it be taken down. Generally, the ISP has to do it or face liability for copyright infringement.
These nude pictures of (very attractive) celebrities are copyrighted. No, they aren’t filed with the US Copyright Office and registered. But they are reduced to a tangible medium (yeah, bits and bytes are tangible enough) and unique enough to be copyrighted. By the way, so are your pictures from Disneyworld. So the copyright holder can send a “takedown” notice to the ISP or whoever is hosting the pics of the (very attractive) celebrities and demand that they be removed – or kept at the ISP’s peril.
Here comes the macaque problem.
While some of the nudies were “selfies” (we need a name for nude selfies – nelphies? Sexelphis?) In many cases some unknown photographer took the stolen nude pictures.
This illustrates a problem in copyright law. Jennifer Lawrence may not own the rights to her body. Well, to the pictures of her (very attractive) body. Whoever took those pictures probably owns the copyright to the pics.
Recently, the US Copyright Office decided that a photographer who gave a camera to a monkey who took a monkey selfie (yeah, yeah I know macaque’s are not monkeys) cannot assert copyright because he was not the “author” of the copyrighted works. This means that, in order to assert her rights under the DMCA, and to get her pictures taken off the web, Jennifer Lawrence may have to find “some random dude she met in a bar three years ago,” or an ex-boyfriend she dumped as a creepy stalker guy. ‘Gotta love the law. What’s worse, if she (or her lawyer) demand a DMCA take down without the dude’s participation, they are probably guilty of perjury, fraud and copyright violations themselves, because the DMCA requires certification UNDER OATH that you are the copyright holder – something that would not be true.
- Failing to Value Privacy
The above illustrates how the law fails to value privacy. I mean that in two respects. First, we don’t place an economic value on privacy per se. If a random stranger hacked my account and found nude pictures of me and did nothing with them but gasp in amazement, how would I be “harmed?” What actual and demonstrable damages could I show? Is privacy worth $100? $1,000? $10,000? More? Sure, if you can show actual “pain and suffering” or economic harm, maybe. But it is hard to value (economic) privacy. Same with lost medical records, financial records, or personal data. We don’t value it. We don’t measure it. In fact, numerous data breach cases have dismissed privacy lawsuits in connection with data breaches finding fear of privacy loss to be “speculative” and not compensable. We don’t value privacy.
And by not valuing privacy, we have no economic interest in preventing breaches. If you are a hospital wondering how much to spend on preventing a medical data breach, you figure out how many records you have (say 100,000), the annual risk of loss (say 5%) and the average cost per record of a breach (say, $50 per record.)
That comes to a 5% risk of a 5 million dollar loss, or $50,000 risk a year. It’s hard to convince someone to spend a lot more than that to prevent a breach (sure, the risks are cumulative, the harms much greater, but this is an illustration so I can make the numbers up.)
But if the per record cost truly reflected the harm – including emotional harm and privacy impact harm to the patients, the per record cost could be closer to $1,000 or more. This would seriously impact the risk/reward equation and get people to spend more not only on security, but on protecting privacy. By not valuing (and thereby undervaluing) privacy, we impact the amount of security we are willing to dedicate.
- Getting Away With It
I put the odds of catching these guys at 50/50. And that’s pretty good. In the movie Body Heat, Mickey Rourke’s “Teddy” tells William Hurt’s Ned Racine “when you commit a crime, there’s a hundred ways to [screw] up. If you can think of 50 of them, you’re a genius. And you ‘aint no [freaking] genius.” So we can only hope that the hackers have screwed up. Or bragged to the wrong people. Or tried to extort or monetize their hack. So I predict that the cops will catch them. Or not. Predictions are like that.
- Lessons Learned
A few lessons learned. The Cloud is not secure. Unless you secure it. And even then it’s not secure. Don’t take nude pictures. When you DO take nude pictures, don’t share them or store them. When you DO share or store them, see number one. And when they are hacked, and you are a (very attractive) female celebrity, hire an experienced, and possibly very attractive lawyer.
Cynthia M. Camacho of systems integrator DynTek contributed research to this article.