Apple’s been in the news this week because hackers apparently forced their way into various celebrities’ iCloud accounts and stole photos, which have now been released to the public. It’s still not clear exactly how the hacks were perpetrated, although that hasn’t prevented plenty of clueless reporting on the topic. In the absence of clarity about exactly what happened, I think it’s useful to focus on a few general points about privacy and security that provide some context for this sort of news.
If Apple really is at fault, it needs to remedy the situation fast
If it becomes clear, as has been reported, that Apple’s systems for securing accounts are inadequate, in that they either lack rate limiters or are otherwise open to brute-force attacks, Apple needs to fix this ASAP. As others have pointed out, these are basic precautions any online service ought to put in place, and if Apple hasn’t had them, that’s a massive oversight. There should be (and almost certainly is) an internal review under way at Apple right now looking at all the potential vulnerabilities in Apple’s online sign-on systems and patching them as soon as possible.
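To make "rate limiter" concrete, here is an added example (not from the original article and not a description of Apple's systems) of a sliding-window throttle on failed sign-ins, keyed by account and by source address. The class name, limits, account name and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limit on failed sign-ins, per account and per source address."""

    def __init__(self, max_per_account=5, max_per_source=20, window=300.0):
        self.max_per_account = max_per_account
        self.max_per_source = max_per_source
        self.window = window                      # seconds
        self._by_account = defaultdict(deque)     # account -> failure timestamps
        self._by_source = defaultdict(deque)      # source  -> failure timestamps

    def _recent(self, table, key, now):
        q = table[key]
        while q and now - q[0] >= self.window:    # drop failures older than the window
            q.popleft()
        return len(q)

    def allowed(self, account, source, now):
        return (self._recent(self._by_account, account, now) < self.max_per_account
                and self._recent(self._by_source, source, now) < self.max_per_source)

    def record_failure(self, account, source, now):
        self._by_account[account].append(now)
        self._by_source[source].append(now)

    def record_success(self, account):
        self._by_account.pop(account, None)       # a real sign-in clears the account's count


def replay(throttle, events):
    """Feed (time, account, source, password_ok) events through the throttle."""
    decisions = []
    for now, account, source, password_ok in events:
        if not throttle.allowed(account, source, now):
            decisions.append("blocked")           # credentials are not even evaluated
        elif password_ok:
            throttle.record_success(account)
            decisions.append("ok")
        else:
            throttle.record_failure(account, source, now)
            decisions.append("fail")
    return decisions


# Constructed sample events (documentation-range addresses, made-up account name).
SAMPLE_EVENTS = (
    [(float(t), "alice", "203.0.113.7", False) for t in range(5)]   # five wrong guesses
    + [(5.0, "alice", "203.0.113.7", True),      # sixth guess happens to be right
       (6.0, "alice", "198.51.100.2", True),     # the real owner, during the lockout
       (400.0, "alice", "198.51.100.2", True)]   # the real owner, after the window
)

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(LoginThrottle(), SAMPLE_EVENTS)):
        print(event, "->", decision)
```

The per-account limit stops the sixth guess even though it is correct, and it also locks out the real owner until the window expires, which is the ease-of-use cost of this control.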
The impact to Apple will be very limited
Every time a story like this blows up, I get calls from journalists asking whether this will (A) damage the company concerned, (B) make people warier of similar services in future, (C) dramatically change behavior. And every time, I tell them no to all three questions, for one simple reason: people have extremely short memories when it comes to this sort of thing. Just look at the Google Trends data for the search term “privacy”:
What you see is that interest in the topic is actually declining over time, though there are periodic spikes in interest, usually triggered by specific news stories such as the one this week. Interestingly, there’s no spike this month even though the equivalent Trends data for the word “hack” has spiked enormously as a result of the news story. In other words, overall concerns about privacy as measured by this data remain low (and are in fact falling) and although there are brief spikes in interest, they don’t last. As such, this story will likely blow over like all the others before it, and there will be little to no lasting impact on Apple.
What is certain is that, if you were looking to orchestrate a campaign to hobble Apple’s announcements this coming week, this would be about as good an attack vector as you might conceive of. It hits Apple where it’s thought to be weakest (cloud services) ahead of what’s likely to be a series of announcements about particularly sensitive data sets (health, home and financial). But my guess is by this time next week it will be forgotten – the public has a very short memory when it comes to this sort of thing.
Privacy attacks are very targeted
One reason why these attacks tend to blow over so quickly is they affect so few people. This particular attack, like most of them, was very targeted – the Guardian reports only around a dozen celebrities were affected and a total of around 400 photographs and videos leaked so far. The overall scope of the hack may have affected “over 100 individuals” and their personal data. That’s a tiny, tiny fraction of the overall populace, and what all these people have in common is they’re famous.
All of these attacks require three things to be a threat: motive, means and opportunity. And, unlike the sort of financial hacking that has affected Target and others in recent months, all three simply don’t apply to most members of the general population. There’s little motive for hackers to access my personal photos or videos, because the market for images of my kids is non-existent outside my own family. These attacks take considerable time and it’s simply not worth the means required if there’s no payoff. There’s also little opportunity because the kind of personal data necessary to perform social engineering for someone who isn’t famous is hard to come by.
As such, though celebrity photos make for big news stories, most people can easily brush them off since they’re unlikely ever to be affected by them. Financial hacking stories, on the other hand, have far more wide-reaching effects, and the likelihood that many ordinary individuals will be affected is far higher. But that doesn’t apply to this sort of very targeted, and therefore limited, hacking.
The difference between careless and deliberate privacy invasions
Another thing to bear in mind is there’s a very important difference between personal information obtained by third parties despite the best efforts of a provider, and information actively shared with third parties by a provider. I’ve written previously about how business models either create alignment between users and those paying the bills or tensions between them, and the implications that has for security. What’s most damaging with these sorts of stories is when they start to create in people’s minds a pattern of breaches, and that’s far more likely to happen when a company’s business model depends on enabling sharing of personal data than when a company is doing everything it can to protect users’ data from third parties.
What no one is accusing Apple of here is deliberately pushing the boundary on sharing personal information with third parties, and in fact Apple has spent the past week clarifying developer guidelines around HealthKit, HomeKit, Extensions and other functions in iOS 8 which have the potential for privacy invasions and violations. One of the things I was most struck with as I watched some of the individual sessions from WWDC was how carefully Apple has thought through some of the privacy implications of HealthKit. One example I’ll highlight that’s representative: apps can check whether they have write permission for HealthKit data, but not whether they have read permission, because the very fact a user has denied an app read permission to their blood sugar data might be an indication they are storing such information and therefore they’re diabetic. That kind of attention to detail is critical if Apple is to gain the trust of its users around HealthKit, HomeKit and whatever payment solution it will launch next week. The details that have emerged this week about the limits placed on what developers can do with HealthKit and HomeKit data are further illustrations of how seriously Apple is taking all of this. I don’t know if the timing is a coincidence – if the iPhone launch weren’t next week, I’d say it might have been moved up, but I suspect it’s just fortuitous timing.
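The HealthKit design point above can be shown with a small model. This is an added example, not Apple's API and not code from the original article: `User`, `query`, `observe_private`, `observe_leaky`, the sample population and the rule that a denied read returns an empty result are all assumptions of the model.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class User:
    """One user's blood-glucose store and their choices for one hypothetical app."""
    name: str
    samples: list = field(default_factory=list)   # stored readings
    read_granted: bool = False                    # may the app read them?
    write_granted: bool = False                   # may the app write new ones?


def write_status(user):
    """The one permission state the app is allowed to query."""
    return "granted" if user.write_granted else "denied"


def query(user):
    """Assumed behaviour: a denied read looks exactly like 'nothing stored'."""
    return tuple(user.samples) if user.read_granted else ()


def observe_private(user):
    """Everything the app can learn under the design the article describes."""
    return (write_status(user), query(user))


def observe_leaky(user):
    """Counter-design: the read permission state is queryable too."""
    return observe_private(user) + ("granted" if user.read_granted else "denied",)


def buckets(observe, population):
    """Group users by what the app observes; users in one bucket look identical to it."""
    groups = defaultdict(list)
    for user in population:
        groups[observe(user)].append(user.name)
    return {obs: sorted(names) for obs, names in groups.items()}


# Constructed population: dana stores readings but denies read access,
# nico allows reads but has nothing stored.
POPULATION = [
    User("ana",  samples=[5.4, 7.9], read_granted=True,  write_granted=True),
    User("dana", samples=[6.1, 9.3], read_granted=False, write_granted=True),
    User("nico", samples=[],         read_granted=True,  write_granted=True),
]

if __name__ == "__main__":
    print("private:", buckets(observe_private, POPULATION))
    print("leaky:  ", buckets(observe_leaky, POPULATION))
```

With only write status exposed, dana and nico fall into the same bucket; once read status is exposed, dana is singled out as someone who refused access to blood-glucose data.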
Both Apple and Microsoft have taken advantage of Google’s focus on advertising to hammer it over privacy invasions. Microsoft’s Scroogled campaign was a good example of this strategy and it works because it reminds users of the inherent tension that exists between the needs of users and advertisers. Both Apple and Microsoft have been highlighting their commitment to keeping user data private, as I mentioned in my business models piece. While this week’s iCloud story may hurt Apple for a few days, it’s in a fundamentally different category from the regular stories about Facebook and Google privacy invasions, because those are about deliberately shifting the boundaries between what’s personal and what’s not. While Apple bears responsibility if poor security precautions allowed the iCloud hack to take place, it’s certainly not leaking that data deliberately to third parties.
Users are always the weak point in security
Lastly, we as the end users are always the weak point in security. That’s not to absolve tech companies of blame: in fact, it’s a key challenge they should all be working to overcome, while managing the balance between removing the barriers to good security and maintaining strong protections for users. I’ve had good discussions on Twitter about this over the last few days, and several themes have emerged:
- The vast majority of users will always seek the path of least resistance when it comes to security – this means simple, often reused passwords and an aversion to things like two-factor authentication which might strengthen security
- TouchID and other new forms of authentication can be very helpful in this respect, but they only go so far, as long as PIN codes and passwords are used as alternatives, and as long as they’re only used for on-device security, leaving the web as a whole, and non-enabled devices back in the current username-password model
- Two-factor authentication which automates one of the factors (e.g. by using a fingerprint sensor or iris scanner on a device to authenticate on the web, or for mobile payments) could be a significant step forward. Two-factor authentication is being held back by its sheer awkwardness: waiting for an SMS or opening an app, manually entering a code, etc. Something which makes the second factor easier to confirm could increase adoption.
There are no easy solutions in security, which is characterized by constant tradeoffs between ease of use and prevention of breaches. But better security and privacy protections are essential focus areas for all technology companies, and we can do much better than we currently are.
A technology provider is always responsible for any security issue when it comes to their users, no matter what.
Apple and their apologists need to stop being arrogant and step up their game when it comes to iCloud before it becomes a joke.
Indeed – your first sentence mirrors my first point precisely. If Apple really is at fault, they obviously need to fix it pronto.
I also agree with Kenny.
Google protects their users’ data as though they were their very own…for they surreptitiously, and unquestionably are. When a Google server gets a hold of a datum, it becomes Google owned, …and Google’s own. Neither God nor the Devil can lay claim to what has become proprietary material to Google’s singularity quest. The conflict of interest melts, to the rhythm of a user’s private data melting into a proprietary whole.
Apple, business model ‘oblige’, must reconcile two, by definition hard-to-reconcile for antithetical, idealistic elements: absolute security and absolute privacy. They aim at colonizing the extreme middle-ground territory within a realm of extreme interests. This is where reside, in all comfort, human dignity, solidarity, and fruitful collaboration. No clerical melting here. Just anti-clerical, ethical weighting amidst self-effacement. Easy…innit!?
Trust is Apple’s pronto-mainstay. Not the protogeometry of Pavlovian news cycles.
And yet, Google still got “hacked”.
Go figure.
Joe
berult,
Is this the same Google that has created the malware ridden Android phenomena?
Good protection Google.
You’ve allowed fake imitation apps the freedom to “moon shot” on extortion ware.
“When a Google server gets a hold of a datum, it becomes Google owned, …and Google’s own.” And when a Google-OS smartphone gets a hold of a datum, it becomes owned by those who want to break in. In both cases, it’s believable that the user isn’t the one who Google really cares about.
As opposed to Apple, famous for instructing their iDrones to deny and refuse to help during a very real malware attack ?
http://bgr.com/2011/05/20/apple-instructs-support-reps-to-refute-malware-deny-assistance/
I remember one mid-autumn, I lit up our first fire of the season. Next thing I know flames are leaping out of the top of the chimney. I learned that a huge hornet’s nest had been built in my chimney. I was quite amazed. I had just had it cleaned and inspected not that much earlier (so I thought, it had actually been almost two months). I asked to no one in particular, when in the world did they build that? My wife just looked at me and said “Anytime. This is all they do, this is what they live for, to build nests.”
We should all always be on top of security, both the providers and the consumers, even to the point of pain, sadly. Why? Because these thieves (not even “hacks”) exist for the sole purpose of breaking in. This is all they do. No matter how much better we get at security, they exist to break it.
But let’s not lose sight that these guys, these thieves, are scum. They are the problem. They are worse than the first person who drove off from a gas pump without paying, and thus changed for the rest of the world how we all pay for gas. THEY are the reason _everyone_ has to up their game, constantly, especially people who are most likely to be targeted, like celebrities.
Joe
I agree.
The goal should not be to eliminate them, but to make it very expensive and difficult for any low-level hacker to have access to people’s data.
While many of you might disagree,
it’s safe to say that Google is much better at protecting its users’ data in the cloud than Apple will ever be, so they need to learn from them.
Well, sure. Google has a 3 year head start since the Chinese hacked Gmail.
Joe
Gmail is one of the most secure mail services out there.
You cannot compare the entire Chinese government hacking their Gmail service of their activists in their own country to the iCloud fiasco.
I beg to differ. This was not simply mischievous hacking, this was criminal intent. This was deliberate, black market stealing.
http://finance.yahoo.com/news/originalguy-full-story-icloud-hacker-081044692.html
This wasn’t just some hooligans trolling down the street looking for cars or houses with unlocked doors. These are professionals targeting a specific group of people looking for something in particular. There absolutely is a moral and professional equivalence. They weren’t breaking in and stealing because they can’t afford to feed their families.
Back to my point, it doesn’t matter how secure we make something, there are people whose sole purpose in life is to break in, whether it is the Chinese government or OriginalGuy and his black market thugs. Gmail may be secure, but they still got broken into.
Joe
I never said otherwise.
However, contrary to popular belief, iOS 7 and iCloud had a lot of bugs and holes that any low-level hacker can use to steal data from people that may or may not have been patched already.
Kenny,
You win the MacArthur Genius Award for Google/Apple Research.
Pure genius.
What were you saying about Gmail?
http://www.macobserver.com/tmo/article/nearly-5-million-gmail-passwords-dumped-to-the-internet
Joe
Everything’s fine in neverland.
I know this because unlike you, I do not live in an Apple bubble to know that a lot of bugs and security issues have been reported for iOS 7 and OS X.
Sources? Or fairy tales?
Google is your best friend
https://gotofail.com/
No, you choose to live in a Google bubble. Have you not heard that 97% of mobile viruses are on Android?
on rooted, non-playstore Android. Unrooted, PlayStore-only Android is as safe as iOS. Don’t believe the antivirus makers’ FUD, they only have product to sell on Android, not on iOS.
It is never safe to make an assumption with no data to back it up. You would not build houses on a weak foundation, the same is true for arguments.
So Kenny, I guess Google should apologize for enabling so much malware on its mobile system (and stop being arrogant too)
Unlike Apple, Google has always been held responsible for these problems, as it should be, even though the majority of this malware comes from people who deliberately bypass Google security measures to install applications outside the Play store.
Besides,
Apple and their apologists are often those who love bashing Google and Android for security issues and not the other way around.
Go buy a book on logic and reasoning.
I do not argue with IFan Boy,
go pray your IGod
Regarding the chart, I agree that this will be forgotten by the general public. Anyone doubting that can just go to their local Target store. However, the folks affected by this will likely not forget so quickly. It could be compared to something like the 2010 BP oil spill in the Gulf or a local natural disaster. The larger audience forgets and moves on, but people in that area don’t.
If we were talking about Android, the chart would definitely correlate for the same reason worldwide market share is relevant to Android but less so Apple. Apple’s audience is a subset of that wider general audience. And Hollywood, or celebrity land, is a subset of a subset.
(That all said, yeah, the chart still likely corresponds.)
I can hope (but admittedly, I may be too optimistic) that the decline in interest is because of increased awareness and not numbness or overload. I don’t think people will forget, but they are more likely to forgive, especially if they learn there is more they can do, such as enabling the two step processes. I can only blame other people so long before I have to admit that I need to deadbolt and steel frame my doors. Just leaving the door closed but unlocked is not going to fool the ones who really want to get in.
Joe
The current environment appears to be one of “blame the provider and not my poor choice”.
As I pointed out in the piece, the Target hack happened on a fundamentally larger scale. No ordinary folk (i.e. non celebrities) were part of the iCloud hack. That’s a huge difference.
Good work. Takeaway: Simpler, Touch ID authentication will go a long way to solve the problem.
And as with smart phones themselves, Apple does the hard work of innovation. The others just renovate.
An article on The Verge revealed that the sharing and trading of celebrity nudes has an incredibly long and sordid past that was only recently revealed because someone got greedy and broke “man law” by exposing a very popular subculture within the dark web.
A very interesting and compelling read: http://www.theverge.com/2014/9/4/6106363/celebgate-fappening-naked-nude-celebrities-hack-hackers-trade
This doesn’t exonerate Apple from any possible security inconsistencies in iCloud but it does support their claim that the attacks were extremely well targeted with a long and varied history of similar activity.
I don’t really fear for my security but you can bet that I’ve already increased the strength of my password as well as enabled two-step verification just in case. I have every intention of signing up for iCloud Drive storage space so I’m taking precautions now rather than later.
All your points are logical and well reasoned, but increasingly logic is becoming useless in the court of public opinion. I’m a big fan of how the internet allows high quality writers (like yourself) to reach their audience. Of course there is a downside to this transition. For every well reasoned article, there are dozens with irresponsible, almost slanderous headlines. Unfortunately, the average reader is not qualified to make their own assessment, nor to be able to determine the quality of the opinion they are reading. I fear for the future.
One item stands out – Tim Cook personally responded, and quite quickly.
Steve would not have done that.
Thanks, Tim.
Maybe there’s a 6th type of impact, when you want to get into payments ?