Don’t blame Apple for leaked nudes

Leonid Bershidsky

What do you do if you’re a celebrity and nude pictures you happened to store in the cloud are suddenly all over the Internet? We’ve seen the full spectrum of possible reactions, only one of which makes sense.

There’s denial, as in former Nickelodeon star Victoria Justice’s tweet: “Those so-called nudes of me are FAKE people.” It’s irrelevant: Morons on this Reddit thread will still salivate over the pictures. For their purposes, there’s no such thing as fake porn.

There’s righteous anger, exemplified by “Death Proof” star Mary Elizabeth Winstead’s tweet: “To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.” No, they won’t be ashamed: To the creeps, you’re just a starlet who set herself up for this.

Then, of course, there’s the call to your lawyer, who will be outraged on your behalf and threaten to sue everyone caught spreading the pictures, as lawyers for Oscar winner Jennifer Lawrence and model Kate Upton have done. That will prompt the few mainstream news media and blogs that have published the stolen pics to take them down, and links to the hacker’s trove disappearing from Reddit, only for new ones to appear within minutes. The Internet never forgets, and there are more onanists than lawyers.

The one reasonable reaction I have seen came from Kirsten Dunst, star of Lars von Trier’s “Melancholia.” “Thank you iCloud,” she tweeted, adding the emoji icons for a slice of pizza and a smiling turd. If you need a translation of the rebus, Dunst’s opinion of Apple’s cloud service is unfavorable.

ICloud fully deserves abuse for two reasons. One is that the hackers who stole the pictures apparently used a glaring vulnerability in the Find My iPhone feature: It did not have so-called brute force protection. Most major web services won’t allow a user to enter wrong passwords thousands of times: The account locks if someone tries it. That wasn’t implemented in Find My iPhone, so passwords could be picked by what coders call “brute force” - an exhaustive check of possible combinations. Apple has now patched the vulnerability; a too-late resolution to one of the silliest mistakes a company with hundreds of millions of cloud service users could have made.

The other reason is still around, in iCloud’s terms of service:

“You are solely responsible for maintaining the confidentiality and security of your Account and for all activities that occur on or through your Account, and you agree to immediately notify Apple of any security breach of your Account. You further acknowledge and agree that the Service is designed and intended for personal use on an individual basis and you should not share your Account and/or password details with another individual. Provided we have exercised reasonable skill and due care, Apple shall not be responsible for any losses arising out of the unauthorized use of your Account resulting from you not following these rules.”

In plain English, as long as Apple can prove that it took care to prevent unauthorized access - and even despite the Find My iPhone vulnerability, it will always be able to prove it - any hacks are the user’s fault after clicking that “Accept” button.

To be fair, Apple isn’t alone in imposing such terms on users of its cloud service. Google Drive’s terms of service include a similar formula: “You are responsible for the activity that happens on or through your Google Account.” Amazon’s wording is different, but its meaning is the same: “You are responsible for maintaining appropriate security and protection of your files.”

“We take user security very seriously,” Apple says now - and will repeat it in court, if necessary. As far as all the big Internet companies are concerned, your security is your responsibility. It cannot be otherwise: Cybersecurity is a game of cops and robbers, and neither side’s victory can be guaranteed. All a user can do is make sure, to the best of her ability, that the protections afforded are state of the art. A simple test is whether you’re able to get into your significant other’s account without knowing the password in advance.

Only a small number of users read the legalese when they subscribe to a service. Once something happens that pushes the small print to front and center, all we can do is what Dunst did - offer sarcastic thanks, and maybe take more care in the future.

Given the share of responsibility web giants are willing to take for our data - none, according to the service terms - it makes sense to keep personal stuff such as those nude pictures, bad poetry, love letters, etc., out of the cloud. Not being a Hollywood star or a world-class beauty provides a measure of protection, but only until someone develops an acute interest in you - stalkers, governments and other unwanted watchers obsess on the unlikeliest people every once in a while.

* The author is a Bloomberg View contributor. He is a Berlin-based writer, author of three novels and two nonfiction books.

BY Leonid Bershidsky