Five Thoughts on Privacy and Security

on September 4, 2014

Apple’s been in the news this week because hackers apparently forced their way into various celebrities’ iCloud accounts and stole photos, which have now been released to the public. It’s still not clear exactly how the hacks were perpetrated, although that hasn’t prevented plenty of clueless reporting on the topic. In the absence of clarity about exactly what happened, I think it’s useful to focus on a few general points about privacy and security that provide some context for this sort of news.

If Apple really is at fault, it needs to remedy the situation fast

If it becomes clear, as has been reported, that Apple’s systems for securing accounts are inadequate, in that they either lack rate limiters or are otherwise open to brute-force attacks, Apple needs to fix this ASAP. As others have pointed out, these are basic precautions any online service ought to have in place, and if Apple hasn’t had them, that’s a massive oversight. There should be (and almost certainly is) an internal review under way at Apple right now, looking at all the potential vulnerabilities in Apple’s online sign-in systems and patching them as soon as possible.
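To make the "rate limiter" point concrete, here is an added example (my own code, not Apple’s, and not a description of how iCloud authentication actually worked) modelling a generic password-login endpoint. The same credential check is run with and without a per-account lockout, and a simple attacker loop is pointed at it. The account, its password and the candidate wordlist are all constructed for the demo; the PBKDF2 round count is deliberately low so it runs quickly.

```python
"""Login brute-force protection: the same credential check with and without
a per-account rate limiter.

Added example, not Apple's code and not a description of iCloud's behaviour;
it models a generic password-login endpoint. The account, the password and
the candidate list below are all constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 20_000  # kept low so the demo runs in about a second; use far more in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # unix time before which logins are refused


@dataclass
class LoginService:
    """rate_limited=False reproduces the 'no rate limiter' weakness."""
    rate_limited: bool = True
    max_failures: int = 5       # failures tolerated before the first lockout
    base_lockout: float = 60.0  # seconds; doubles with every further failure
    accounts: dict = field(default_factory=dict)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str, now: float) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "invalid"  # same answer as a wrong password: no username enumeration
        if self.rate_limited and now < acct.locked_until:
            return "locked"   # refused without even checking the password
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.rate_limited and acct.failures >= self.max_failures:
            # exponential backoff: 60 s, 120 s, 240 s ... for each failure past the limit
            extra = acct.failures - self.max_failures
            acct.locked_until = now + self.base_lockout * 2 ** extra
        return "invalid"


# Constructed wordlist; the victim's real password sits near the end.
CANDIDATES = ["123456", "password", "qwerty", "letmein", "iloveyou", "monkey",
              "dragon", "baseball", "football", "sunshine", "princess", "welcome",
              "shadow", "master", "abc123", "hunter2", "trustno1", "passw0rd",
              "summer2014", "apple"]


def brute_force(service: LoginService, user: str, candidates, start: float = 0.0):
    """Attacker loop making one guess per second. Returns (password_found, guesses_made)."""
    for i, guess in enumerate(candidates):
        if service.login(user, guess, now=start + i) == "ok":
            return guess, i + 1
    return None, len(candidates)


def demo(rate_limited: bool):
    svc = LoginService(rate_limited=rate_limited)
    svc.register("celebrity@example.com", "hunter2")
    return brute_force(svc, "celebrity@example.com", CANDIDATES)


if __name__ == "__main__":
    print("no rate limiter:  ", demo(False))  # ('hunter2', 16)
    print("with rate limiter:", demo(True))   # (None, 20)
```

Without the limiter the wordlist finds the password on the sixteenth guess; with it, the fifth failure locks the account and the remaining guesses, including the correct one, are refused unchecked. Two caveats a real deployment has to handle: a per-account lockout on its own lets an attacker deliberately lock a victim out, so it is normally paired with per-source limits and a step-up challenge rather than a hard refusal; and it does nothing against password spraying, where one common password is tried against many accounts, which needs source-based and global rate limits as well.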

The impact to Apple will be very limited

Every time a story like this blows up, I get calls from journalists asking whether this will (A) damage the company concerned, (B) make people warier of similar services in future, (C) dramatically change behavior. And every time, I tell them no to all three questions, for one simple reason: people have extremely short memories when it comes to this sort of thing. Just look at the Google Trends data for the search term “privacy”:

[Figure: Google Trends data for the search term “privacy”]

What you see is that interest in the topic is actually declining over time, though there are periodic spikes in interest, usually triggered by specific news stories such as this week’s. Interestingly, there’s no spike this month, even though the equivalent Trends data for the word “hack” has spiked enormously as a result of the story. In other words, overall concern about privacy as measured by this data remains low (and is in fact falling), and although there are brief spikes in interest, they don’t last. As such, this story will likely blow over like all the others before it, and there will be little to no lasting impact on Apple.

What is certain is that, if you were looking to orchestrate a campaign to hobble Apple’s announcements this coming week, this would be about as good an attack vector as you could conceive of. It hits Apple where it’s thought to be weakest (cloud services) ahead of what’s likely to be a series of announcements about particularly sensitive data sets (health, home and financial). But my guess is that by this time next week it will be forgotten; the public has a very short memory when it comes to this sort of thing.

Privacy attacks are very targeted

One reason why these attacks tend to blow over so quickly is that they affect so few people. This particular attack, like most of them, was very targeted: the Guardian reports that only around a dozen celebrities were affected, with a total of around 400 photographs and videos leaked so far. The overall scope of the hack may extend to “over 100 individuals” and their personal data. That’s a tiny, tiny fraction of the overall populace, and what all these people have in common is that they’re famous.

All of these attacks require three things to be a threat: motive, means and opportunity. And, unlike the sort of financial hacking that has affected Target and others in recent months, all three are absent for most members of the general population. There’s little motive for hackers to access my personal photos or videos, because the market for images of my kids is non-existent outside my own family. These attacks take considerable time, and the means required simply aren’t worth expending if there’s no payoff. There’s also little opportunity, because the kind of personal data needed to socially engineer access to the account of someone who isn’t famous is hard to come by.

As such, though celebrity photos make for big news stories, most people can easily brush them off, since they’re unlikely ever to be affected by them. Financial hacking stories, on the other hand, have far wider-reaching effects, and the likelihood that many ordinary individuals will be affected is far higher. That doesn’t apply to this sort of very targeted, and therefore limited, hacking.

The difference between careless and deliberate privacy invasions

Another thing to bear in mind is that there’s a very important difference between personal information obtained by third parties despite the best efforts of a provider, and information actively shared with third parties by a provider. I’ve written previously about how business models either create alignment between users and those paying the bills or tensions between them, and the implications that has for security. What’s most damaging about these sorts of stories is when they start to create in people’s minds a pattern of breaches, and that’s far more likely to happen when a company’s business model depends on enabling the sharing of personal data than when a company is doing everything it can to protect users’ data from third parties.

What no one is accusing Apple of here is deliberately pushing the boundary on sharing personal information with third parties; in fact, Apple has spent the past week clarifying developer guidelines around HealthKit, HomeKit, Extensions and other iOS 8 features which have the potential for privacy invasions and violations. One of the things I was most struck by as I watched some of the individual sessions from WWDC was how carefully Apple has thought through the privacy implications of HealthKit. One representative example: an app can check whether it has write permission for a HealthKit data type, but not whether it has read permission, because the very fact that a user has denied an app read access to their blood sugar data might indicate that they are storing such information and are therefore diabetic. That kind of attention to detail is critical if Apple is to gain the trust of its users around HealthKit, HomeKit and whatever payment solution it launches next week. The details that have emerged this week about the limits placed on what developers can do with HealthKit and HomeKit data are further illustrations of how seriously Apple is taking all of this. I don’t know whether the timing is a coincidence; if the iPhone launch weren’t next week, I’d say it might have been moved up, but I suspect it’s just fortuitous timing.
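The read-versus-write asymmetry is worth seeing as an API design decision rather than a detail. Below is an added example of my own, a toy model and not Apple’s HealthKit code: a naive store that exposes read authorization beside a HealthKit-style store that exposes only write (sharing) authorization and answers a denied read exactly as it would answer an empty store. Apple’s HealthKit documentation describes that second behaviour; the users, data type and sample values here are constructed.

```python
"""Why a health-data API should not let an app see that a read was denied.

Added example: a toy model of the design choice described above, not Apple's
HealthKit code. Real HealthKit reports only sharing (write) authorization and
answers a denied read query as if the store held no data; the two stores below
contrast that with a naive API. Users, samples and data types are constructed."""
from enum import Enum


class Status(Enum):
    NOT_DETERMINED = "notDetermined"
    DENIED = "denied"
    AUTHORIZED = "authorized"


class LeakyStore:
    """Naive design: read authorization is queryable, so a denial is observable."""

    def __init__(self, samples, read, write):
        self._samples, self._read, self._write = samples, read, write

    def read_status(self, data_type):
        return self._read.get(data_type, Status.NOT_DETERMINED)

    def write_status(self, data_type):
        return self._write.get(data_type, Status.NOT_DETERMINED)

    def query(self, data_type):
        if self.read_status(data_type) is not Status.AUTHORIZED:
            raise PermissionError(data_type)
        return list(self._samples.get(data_type, []))


class PrivateStore:
    """HealthKit-style design: only write (sharing) status is reported, and a
    denied or undecided read returns an empty result, exactly like an empty store."""

    def __init__(self, samples, read, write):
        self._samples, self._read, self._write = samples, read, write

    def write_status(self, data_type):
        return self._write.get(data_type, Status.NOT_DETERMINED)

    def query(self, data_type):
        if self._read.get(data_type) is Status.AUTHORIZED:
            return list(self._samples.get(data_type, []))
        return []  # indistinguishable from "no data of this type"


def app_observation(store, data_type):
    """Everything a curious app can learn about data_type from the API alone."""
    obs = {"write": store.write_status(data_type).value}
    read_fn = getattr(store, "read_status", None)
    obs["read"] = read_fn(data_type).value if read_fn else "not exposed"
    try:
        obs["samples"] = len(store.query(data_type))
    except PermissionError:
        obs["samples"] = "denied"
    return obs


GLUCOSE = "bloodGlucose"
# Constructed users: Alice logs glucose readings and refused the app read access;
# Bob has no readings at all and happily allowed it.
ALICE = dict(samples={GLUCOSE: [5.4, 7.1, 6.3]},
             read={GLUCOSE: Status.DENIED}, write={GLUCOSE: Status.DENIED})
BOB = dict(samples={}, read={GLUCOSE: Status.AUTHORIZED}, write={GLUCOSE: Status.DENIED})


def can_single_out_alice(store_cls) -> bool:
    """True if the app sees anything different for Alice than for Bob."""
    return (app_observation(store_cls(**ALICE), GLUCOSE)
            != app_observation(store_cls(**BOB), GLUCOSE))


if __name__ == "__main__":
    print("leaky API distinguishes Alice:  ", can_single_out_alice(LeakyStore))    # True
    print("private API distinguishes Alice:", can_single_out_alice(PrivateStore))  # False
```

Under the leaky design the app learns that Alice explicitly refused it access to glucose data, which is itself a hint that she has glucose data to protect. Under the HealthKit-style design Alice and Bob produce identical observations, so refusing a permission carries no signal. The general principle is the one the paragraph describes: when the existence of a permission decision is itself sensitive, the API must not surface it.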

Both Apple and Microsoft have taken advantage of Google’s focus on advertising to hammer it over privacy invasions. Microsoft’s Scroogled campaign was a good example of this strategy, and it works because it reminds users of the inherent tension between the needs of users and those of advertisers. Both Apple and Microsoft have been highlighting their commitment to keeping user data private, as I mentioned in my business models piece. While this week’s iCloud story may hurt Apple for a few days, it’s in a fundamentally different category from the regular stories about Facebook and Google privacy invasions, because those are about deliberately shifting the boundary between what’s personal and what’s not. While Apple bears responsibility if poor security precautions allowed the iCloud hack to take place, it’s certainly not leaking that data deliberately to third parties.

Users are always the weak point in security

Lastly, we as end users are always the weak point in security. That’s not to absolve tech companies of blame: in fact, it’s a key challenge they should all be working to overcome, while managing the balance between removing the barriers to good security and maintaining strong protections for users. I’ve had good discussions on Twitter about this over the last few days, and several themes have emerged:

  • The vast majority of users will always seek the path of least resistance when it comes to security: this means simple, often reused passwords and an aversion to things like two-factor authentication which might strengthen security.
  • Touch ID and other new forms of authentication can be very helpful in this respect, but they only go so far as long as PIN codes and passwords remain available as fallbacks (an attacker simply targets the fallback), and as long as they’re only used for on-device security, leaving the web as a whole and non-enabled devices stuck in the current username-and-password model.
  • Two-factor authentication which automates one of the factors, e.g. by using a fingerprint sensor or iris scanner on a device to authenticate on the web or for mobile payments, could be a significant step forward. Two-factor authentication is being held back by its sheer awkwardness: waiting for an SMS or opening an app, manually entering a code, and so on. Something which makes the second factor easier to confirm could increase adoption.

There are no easy solutions in security, which is characterized by constant tradeoffs between ease of use and prevention of breaches. But better security and privacy protections are essential focus areas for all technology companies, and we can do much better than we currently do.