CybersecurityWho is to blame when iCloud is "hacked" – you or Apple?

By Grant Bollmer

Published 4 September 2014

A hacker’s release of personal photos of actress Jennifer Lawrence and other female celebrities on the Internet on the weekend has again drawn our attention to the security of our personal information online. Apple may wish to absolve itself of responsibility when individuals lose control of their personal data, yet understanding the control of data as a personal matter disregards how iCloud and similar services actually operate. If Apple and other cloud-based services want our trust, then they have to acknowledge the role their products play in perpetuating anxieties of data-out-of-control.

A hacker’s release of personal photos of actress Jennifer Lawrence and other female celebrities on the Internet on the weekend has again drawn our attention to the security of our personal information online. Are we really aware of what we upload? And how can we make sure the information we intend for private viewing remains private?

With new devices incorporating features for recording personal data, such as the health monitoring technologies used in Samsung’s Gear and the Apple Health app, should we be even more concerned about our ability to control our private data?

Most of the hacked images were reportedly obtained through Apple’s iCloud service which can automatically back up personal data from Apple products to its servers.

Cloud confusion
How iCloud works is baffling even to some computer security experts.

The response from Apple has been unequivocal. While the tech giant said it was “outraged,” the official response noted: “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”

So individual users were responsible for any failure to take the proper precautions to make sure personal data remains in personal control.

The blame game
Like those who defend the hackers of stolen photos, Apple is blaming the victims of the attack without acknowledging the role its service plays in opening up private data to these attacks. This position is indefensible for several reasons.

Social media and services such as iCloud present us with countless examples of personal data doing things that seem counter to the will of the individual.

In a study I published last year, Facebook users sometimes feared their data to have a “life” that does not correspond to that of the person who “owns” the data generated.

Like our Facebook profiles, we assume what we backup with any cloud services to be “our” data. Yet the Terms and Conditions of whatever you upload to iCloud state:

[…] you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display.

These words mirror similar statements in Facebook’s Terms of Service.

At the same time, Apple is clear to claim:

[…] you, and not Apple, are solely responsible for any Content you upload, download, post, email, transmit, store or otherwise make available through your use of the Service.

Merely using iCloud means that Apple can do what it wants with your data, but you — and only you — are responsible with what happens to that data.

Placing the blame on the individual, as Apple does, results in a common response whenever data are thought to be beyond the control of the user: delete all of your personal information online, shared intentionally or not.

This response simply is not good enough given how cloud services operate. They make multiple copies in multiple locations, stored on multiple servers and hard drives across the globe.

These files are uploaded automatically and are built into new features of our mobile devices. When an individual deletes a file, this does not mean that it is actually deleted, simply by virtue of how computer storage works.

All about trust
Apple may wish to absolve itself of responsibility when individuals lose control of their personal data. In legal terms, Apple places all burden on the individual for the management of their data.

Yet understanding the control of data as a personal matter disregards how these services actually operate. If Apple and other cloud-based services want our trust, then they have to acknowledge the role their products play in perpetuating anxieties of data-out-of-control.

They must refuse to place sole responsibility on their users – the victims of these attacks.

Grant Bollmer is Lecturer of Digital Cultures at University of Sydney. This story is published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).