Over the weekend there was a very public iCloud breach that led to personal materials from several celebrity women being leaked and then published onto public sites. The bug appears to have been a weakness in Apple’s Find My Phone feature. The security problem allowed access to a person’s private iCloud with a brute force attack using a library called iBrute. Apple may have fixed this issue; if that is true, the leak should be done.
Data breaches are becoming a fixture in modern life. Your private data is everywhere by design. Every time you make a purchase, or update your Facebook status, or tweet something, a little bit of information is added to the collection of data that is you. Only, some of that you would really prefer other people not see.
Target, Michaels, and most recently JP Morgan Chase have all had financial information leaks. All of these were clearly the fault of the companies, not the consumer.
The iCloud situation is a bit different.
Blaming the victims
Apple quietly fixed what they thought to be the issue, but I have not yet seen outcries against Apple for allowing this to happen. Quotes similar to this, often much less charitable, can be found in most articles with a comment section.
Store stuff in the cloud. It gets hacked and distributed publicly. Surprise!
Victim blaming is a new, startling trend in this occurrence. Target shoppers weren’t blamed for making their data available to hackers to steal. The people with stolen data aren’t at fault; the person or people that did the stealing, and maybe the company that didn’t protect the data, are responsible. Discussing the naivety of the people whose images were made public and making statements along the lines of “If they hadn’t made the pictures, they wouldn’t have been available to steal” is a slippery slope argument. That is akin to calling the people that had credit information stolen from Target idiots.
A note on privacy
People use services advertised as secure with a certain amount of trust. You don’t expect that using a credit card at a retailer will result in your identity being stolen. You don’t expect that filing your taxes online will result in all of that information being made public. Our world has been moving away from local storage and toward storage on someone else’s network at an increasing rate since the early 2000s.
Without trust from the consumers of the services, and facilitation and skin in the game from service providers, this falls apart.
Responsibility for this data leak lies firmly on the shoulders of the person that exploited the Find My Phone feature with a brute force attack, and the creator of the product, Apple. One thing I would be interested in seeing is some amount of liability on the part of the companies that have been breached. Services are offered under certain terms. If the consumer abuses those terms, they are subject to litigation. I have no confidence that an individual could battle and win against the team of lawyers that companies like Apple and Target have for a case like this, but that will be an important precedent for consumer activism in the technology world.
This certainly wasn’t the first data breach that resulted in defamation of a person’s character, and it certainly won’t be the last. What I would like to see are the beginnings of a legal group for customer advocacy in an inherently technological time.