In nude photo hack, security experts see dark side of ‘the cloud’

Getty Images

The theft of hundreds of intimate celebrity photos should wake people up to the dangers of using “the cloud” to store personal information, experts say.

While nude photos of Jennifer Lawrence, Kate Upton, Kirsten Dunst and other Hollywood stars have captured more headlines than most cyber intrusions, experts say the actresses are no more at risk of cyber theft than anyone else.

ADVERTISEMENT
“There’s recognition that the cloud isn’t really ours and that there are threats, so those threats might need to be addressed, whether it’s through legislation or whether it’s companies saying, ‘Here’s the things we’re not going to do,’ ” said Justin Brookman, the head of the Center for Democracy and Technology’s Consumer Privacy Project.

“You’re seeing adjustments out there,” he added.

The release of the photos, which appear to have been stolen from the celebrities’ Apple iCloud storage accounts, prompted an investigation by the FBI, threats of lawsuits and could lead to an inquiry from the Federal Trade Commission.

The hackers are suspected of using the “brute force” method to nab the photos, which involves using software that repeatedly guesses passwords, until it stumbles upon the right one.

Apple claimed this week that the incident was a “very targeted attack” on specific people’s accounts — “a practice that has become all too common on the Internet” —and did not affect the security of its iCloud system as a whole.

In other words: It could have happened to anyone.

“Your online accounts aren't any more secure than Jennifer Lawrence's,” American Civil Liberties Union principal technologist Christopher Soghoian wrote on Twitter. “But it's unlikely that anyone is trying to brute force your password.”

“These celebrities exhibited behavior that is perfectly normal,” he added in a blog post.

“For the victims whose privacy has been violated, this experience is awful,” Soghoian wrote. “For the rest of us, it can be a teaching moment and an opportunity to think about what we expect from the companies that build the devices and online services we trust with our most private information.”

To some extent, companies have already stepped up to better protect people’s information, both from hackers and — in the wake of disclosures from former NSA contractor Edward Snowden — from the prying eyes of government agents.

Google, for instance, announced plans earlier this summer to allow people to encrypt their emails from the moment a message is sent until it is opened by the recipient, a process called “end-to-end” encryption.

The company is also going to start prioritizing websites that are equipped with better security, in an effort to get more sites to use protective methods by default.

Recent high profile Web security glitches and major hacks could also inspire people to move away from using simple, easy-to-guess passwords across multiple websites.

The spread of the “Heartbleed” bug, for instance, which affected sites across the Internet, caused more than one-third of people in a Pew Research Center survey to change their passwords.

“I think there’s going to be a natural adjustment for companies, for consumers and ultimately — probably the slowest — from lawmakers to have some sort of rules that we have trust in these services,” said Brookman.

Lawmakers have taken some interest in online data security, though the focus has yet to yield much progress.

Legislation that would ensure information stored in the cloud has the same legal protections as documents in a drawer has the support of more than half of the House, but has yet to move forward.

Multiple congressional committees also broached the issue of data security earlier this year while investigating Target’s massive data breach that exposed the information of up to 110 million shoppers.

House Energy and Commerce Committee Chairman Fred Upton (R-Mich.) — who is also Kate Upton’s uncle — has suggested that Congress should “consider whether the current multi-layer approach to data security ... can be more effective, or whether we need to approach the issue differently.”

Now, his committee “is continuing to monitor these latest breaches,” spokeswoman Charlotte Baker said.

“These incidents further underscore why data security legislation is needed, and the committee is continuing to work toward a workable and bipartisan solution,” Baker added.

Sen. Ed Markey (D-Mass.), for his part, said on Tuesday that the celebrities’ hack should lead to “a big debate” about how children’s data is stored on similar cloud networks, an issue which he tried to address with a bill earlier this year.

“Next time it won’t be celebrity secrets but students’ educational records that rain down from the cloud for the world to see,” he said.

More in Cybersecurity

Cellphone chip maker confirms U.S., UK hack, denies theft

Read more »