Apple’s been in the news this week because hackers apparently forced their way into various celebrities’ iCloud accounts and stole photos, which have now been released to the public. It’s still not clear exactly how the hacks were perpetrated, although that hasn’t prevented plenty of clueless reporting on the topic. In the absence of clarity about exactly what happened, I think it’s useful to focus on a few general points about privacy and security that provide some context for this sort of news.
If Apple really is at fault, it needs to remedy the situation fast
If it becomes clear, as has been reported, Apple’s systems for securing accounts are inadequate in that they either lack rate limiters or are otherwise open to brute force attacks, they need to fix this ASAP. As others have pointed out, these are basic precautions any online service ought to put in place and if Apple hasn’t had them, that’s a massive oversight. There should be (and almost certainly is) an internal review under way at Apple right now looking at all the potential vulnerabilities in Apple’s online sign-on systems and patching them as soon as possible.
The impact to Apple will be very limited
Every time a story like this blows up, I get calls from journalists asking whether this will (A) damage the company concerned, (B) make people warier of similar services in future, (C) dramatically change behavior. And every time, I tell them no to all three questions, for one simple reason: people have extremely short memories when it comes to this sort of thing. Just look at the Google Trends data for the search term “privacy”:
What you see is interest in the topic is actually declining over time, though there are periodical spikes in interest, usually triggered by specific news stories such as the one this week. Interestingly, there’s no spike this month even though the equivalent Trends data for the word “hack” has spiked enormously as a result of the news story. In other words, overall concerns about privacy as measured by this data remain low (and are in fact falling) and although there are brief spikes in interest, they don’t last. As such, this story will likely blow over like all the others before it, and there will be little to no lasting impact on Apple.
What is certain is that, if you were looking to orchestrate a campaign to hobble Apple’s announcements this coming week, this would be about as good an attack vector as you might conceive of. It hits Apple where it’s thought to be weakest (cloud services) ahead of what’s likely to be a series of announcements about particularly sensitive data sets (health, home and financial). But my guess is by this time next week it will be forgotten – the public has a very short memory when it comes to this sort of thing.
Privacy attacks are very targeted
One reason why these attacks tend to blow over so quickly is they affect so few people. This particular attack, like most of them, was very targeted – the Guardian reports only around a dozen celebrities were affected and a total of around 400 photographs and videos leaked so far. The overall scope of the hack may have affected “over 100 individuals” and their personal data. That’s a tiny, tiny fraction of the overall populace, and what all these people have in common is they’re famous.
All of these attacks require three things to be a threat: motive, means and opportunity. And, unlike the sort of financial hacking that has affected Target and others in recent months, all three simply don’t apply to most members of the general population. There’s little motive for hackers to access my personal photos or videos, because the market for images of my kids is non-existent outside my own family. These attacks take considerable time and it’s simply not worth the means required if there’s no payoff. There’s also little opportunity because the kind of personal data necessary to perform social engineering for someone who isn’t famous is hard to come by.
As such, though celebrity photos make for big news stories, most people can easily brush them off since they’re unlikely ever to be affected by them. Financial hacking stories, on the other hand, have far more wide-reaching effects, and the likelihood that many ordinary individuals will be affected is far higher. But that doesn’t apply to this sort of very targeted and therefore, limited, hacking.
The difference between careless and deliberate privacy invasions
Another thing to bear in mind is there’s a very important difference between personal information obtained by third parties despite the best efforts of a provider, and information actively shared with third parties by a provider. I’ve written previously about how business models either create alignment between users and those paying the bills or tensions between them, and the implications that has for security. What’s most damaging with these sorts of stories is when they start to create in people’s minds a pattern of breaches, and that’s far more likely to happen when a company’s business model depends on enabling sharing of personal data than when a company is doing everything it can to protect users’ data from third parties.
What no one is accusing Apple of here is deliberately pushing the boundary on sharing personal information with third parties, and in fact Apple has spent the past week clarifying developer guidelines around HealthKit, HomeKit, Extensions and other functions in iOS 8 which have the potential for privacy invasions and violations. One of the things I was most struck with as I watched some of the individual sessions from WWDC was how carefully Apple has thought through some of the privacy implications of HealthKit. One example I’ll highlight that’s representative: apps can check whether they have write permission for HealthKit data, but not whether they have read permission, because the very fact a user has denied an app read permission to their blood sugar data might be an indication they are storing such information and therefore they’re diabetic. That kind of attention to detail is critical if Apple is to gain the trust of its users around HealthKit, HomeKit and whatever payment solution it will launch next week. The details that have emerged this week about the limits placed on what developers can do with HealthKit and HomeKit data are further illustrations of how seriously Apple is taking all of this. I don’t know if the timing is a coincidence – if the iPhone launch weren’t next week, I’d say it might have been moved up, but I suspect it’s just fortuitous timing.
Both Apple and Microsoft have taken advantage of Google’s focus on advertising to hammer it over privacy invasions. Microsoft’s Scroogled campaign was a good example of this strategy and it works because it reminds users of the inherent tension that exists between the needs of users and advertisers. Both Apple and Microsoft have been highlighting their commitment to keeping user data private, as I mentioned in my business models piece. While this week’s iCloud story may hurt Apple for a few days, it’s in a fundamentally different category from the regular stories about Facebook and Google privacy invasions, because those are about deliberately shifting the boundaries between what’s personal and what’s not. While Apple bears responsibility if poor security precautions allowed the iCloud hack to take place, it’s certainly not leaking that data deliberately to third parties.
Users are always the weak point in security
Lastly, we as the end users are always the weak point in security. That’s not to absolve tech companies of blame: in fact, it’s a key challenge they should all be working to overcome, while managing the balance between removing the barriers to good security and maintaining strong protections for users. I’ve had good discussions on Twitter about this over the last few days, and several themes have emerged:
- The vast majority of users will always seek the path of least resistance when it comes to security – this means simple, often reused passwords and an aversion to things like two-factor authentication which might strengthen security
- TouchID and other new forms of authentication can be very helpful in this respect, but they only go so far, as long as PIN codes and passwords are used as alternatives, and as long as they’re only used for on-device security, leaving the web as a whole, and non-enabled devices back in the current username-password model
- Two-factor authentication which automates one of the factors – e.g. by using a fingerprint sensor or iris scanner on a device to authenticate on the web, or for mobile payments, could be a significant step forward. Two-factor authentication is being held back by its sheer awkwardness: waiting for an SMS or opening an app, manually entering a code etc. and something which makes the second factor easier to confirm could increase adoption.
There are no easy solutions in security, which is characterized by constant tradeoffs between ease of use and prevention of breaches. But better security and privacy protections are essential focus areas for all technology companies, and we can do much better than we currently are.
A technology provider is always responsible for any secure issue when it come to their user, no matter what.
Apple and they apologist need to stop being arrogant and step up their game when it come to iCloud before it becomes a joke
Indeed – your first sentence mirrors my first point precisely. If Apple really is at fault, they obviously need to fix it pronto.
I also agree with Kenny.
Google protects their users’ data as though they were their very own…for they surreptitiously, and unquestionably are. When a Google server gets a hold of a datum, it becomes Google owned, …and Google’s own. Neither God nor the Devil can lay claim to what has become proprietary material to Google’s singularity quest. The conflict of interest melts, to the rhythm of a user’s private data melting into a proprietary whole.
Apple, business model ‘oblige’, must reconcile two, by definition hard-to-reconcile for antithetical, idealistic elements: absolute security and absolute privacy. They aim at colonizing the extreme middle-ground territory within a realm of extreme interests. This is where reside, in all comfort, human dignity, solidarity, and fruitful collaboration. No clerical melting here. Just anti-clerical, ethical weighting amidst self-effacement. Easy…innit!?
Trust is Apple’s pronto-mainstay. Not the protogeometry of Pavlovian news cycles.
And yet, Google still got “hacked”.
Go figure.
Joe
berult,
Is this the same Google that has created the malware ridden Android phenomena?
Good protection Google.
You’ve allowed fake imitation apps the freedom to “moon shot” on extortion ware.
“When a Google server gets a hold of a datum, it becomes Google owned, …and Google’s own.” And when a Google-OS smartphone gets a hold of a datum, it becomes owned by those who want to break in. In both cases, it’s believable that the user isn’t the one who Google really cares about.
As opposed to Apple, famous for instructing their iDrones to deny and refuse to help during a very real malware attack ?
http://bgr.com/2011/05/20/apple-instructs-support-reps-to-refute-malware-deny-assistance/
I remember one mid-autumn, I lit up our first fire of the season. Next thing I know flames are leaping out of the top of the chimney. I learned that a huge hornet’s nest had been built in my chimney. I was quite amazed. I had just had it cleaned and inspected not that much earlier (so I thought, it had actually been almost two months). I asked to no one in articular, when in the world did they build that? My wife just looked at me and said “Anytime. This is all they do, this is what they live for, to build nests.”
We should all always be on top of security, both the providers and the consumers, even to the point of pain, sadly. Why? Because these thieves (not even “hacks) exist for the sole purpose of breaking in. This is all they do. No matter how much better we get at security, they exist to break it.
But let’s not lose site that these guys, these thieves, are scum. They are the problem. They are worst than the first person who drove off from a gas pump without paying, and thus changed for the rest of the world how we all pay for gas. THEY are the reason _everyone_ has to up their game, constantly especially people who are most likely to be targeted, like celebrities.
Joe
i agree
the goal should not be to eliminate them, but to make it very expensive and difficult for any low level hacker to have access to people’s Data.
while many of you might disagree
It’s safe to say that Google is much better at protecting it’s user’s data in the cloud than Apple will never be, so they need to learn from them
Well, sure. Google has a 3 year head start since the Chinese hacked Gmail.
Joe
Gmail is one of the most secure mail service out there
you cannot compare the entire Chinese government hacking their Gmail service of their activist in their own country to the ICloud fiasco.
I beg to differ. This was not simply mischievous hacking, this was criminal intent. This was deliberate, black market stealing.
http://finance.yahoo.com/news/originalguy-full-story-icloud-hacker-081044692.html
This wasn’t just some hooligans trolling down the street looking for cars or houses with unlocked doors. These are professionals targeting a specific group of people looking for something in particular. There absolutely is a moral and professional equivalence. They weren’t breaking in and stealing because they can’t afford to feed their families.
Back to my point, it doesn’t matter how secure we make something, there are people who’s sole purpose in life is to break in, whether it is the Chinese government or OriginalGuy and his black market thugs. Gmail may be secure, but they still got broken into.
Joe
i never said otherwise.
However: contrary to popular belief IOS 7 and iCloud had a lot of bugs and holes that any low-level hacker can use to steal data from people that may or may not have been patched already
Kenny,
You win the Macarthur Genius Award for Google/Apple Research.
Pure genius.
What were you saying about Gmail?
http://www.macobserver.com/tmo/article/nearly-5-million-gmail-passwords-dumped-to-the-internet
Joe
Everything’s fine in neverland.
I know this because unlike you, I do not live in a Apple bubble to know that a lot of bugs and security issues have been reported for iOS 7 and OS X,
Sources? Or fairy tales?
Google is you best Friend
https://gotofail.com/
No, you choose to live in a Google bubble. Have you not heard that 97% of mobile viruses are on Android?
on rooted, non-playstore Android. Unrooted, PlayStore-only Android is as safe as iOS. Don’t believe the antivirus makers’ FUD, they only have product to sell on Android, not on iOS.
It is never safe to make an assumption with no data to back it up. You would not build houses on a weak foundation, the same is true for arguments.
So Kenny, I guess Google should apologize for enabling so much malware on its mobile system (and stop being arrogant too)
Unlike Apple Google has always been held responsible for these problems, as it should even though the majority of these malware come from people who deliberately bypass Google security measures to install applications outside the Play store.
besides
Apple and their apologist are often those who love bashing Google and Android for security issue and not the other way around.
Go buy a book on logic and reasoning.
I do not ague with IFan Boy,
go pray your IGod
Regarding the chart, I agree that this will be forgotten by the general public. Anyone doubting that can just go to their local Target store. However, the folks affected by this will likely not forget so quickly. It could be compared to something like the 2010 BP oil spill in the Gulf or a local natural disaster. The larger audience forgets and moves on, but people in that area don’t.
If we were talking about Android, the chart would definitely correlate for the same reason worldwide market share is relevant to Android but less so Apple. Apple’s audience is a subset of that wider general audience. And Hollywood, or celebrity land, is a subset of a subset.
(That all said, yeah, the chart still likely corresponds.)
I can hope (but admittedly, I may be too optimistic) that the decline in interest is because of increased awareness and not numbness or overload. I don’t think people will forget, but they are more likely to forgive, especially if they learn there is more they can do, such as enabling the two step processes. I can only blame other people so long before I have to admit that I need to deadbolt and steel frame my doors. Just leaving the door closed but unlocked is not going to fool the ones who really want to get in.
Joe
The current environment appears to be one of “blame the provider and not my poor choice”.
As I pointed out in the piece, the Target hack happened on a fundamentally larger scale. No ordinary folk (i.e. non celebrities) were part of the iCloud hack. That’s a huge difference.
Good work. Takeaway: Simpler, touch ID authentication will go a long way solve the problem.
And as with smart phones themselves, Apple does the hard work of innovation. The others just renovate.
An article on The Verge revealed that the sharing and trading of celebrity nudes has an incredibly long and sordid past that was only recently revealed because someone got greedy and broke “man law” by exposing a very popular subculture within the dark web.
A very interesting and compelling read: http://www.theverge.com/2014/9/4/6106363/celebgate-fappening-naked-nude-celebrities-hack-hackers-trade
This doesn’t exonerate Apple from any possible security inconsistencies in iCloud but it does support their claim that the attacks were extremely well targeted with a long and varied history of similar activity.
I don’t really fear for my security but you can bet that I’ve already increased the strength of my password as well as enabled two-step verification just in case. I have every intention of signing up for iCloud Drive storage space so I’m taking precautions now rather than later.
All your points are logical and well reasoned, but increasingly logic is becoming useless in the court of public opinion. I’m a big fan of how the internet allows high quality writers (like yourself) to reach their audience. Of course there is a downside to this transition. For every well reasoned article, there are dozens with an irresponsible, almost slanderous headlines. Unfortunately, the average reader is not qualified to make their own assessment, nor to be able to determine the quality of the opinion they are reading. I fear for the future.
One item stands out – Tim Cook personally responded, and quite quickly.
Steve would not have done that.
Thanks, Tim.
Maybe there’s a 6th type of impact, when you want to get into payments ?