Now, it’s users of the photo sharing app Snapchat whose risqué pictures are on display. Reports indicate that 100,000 personal pictures and videos have been stolen and posted publicly. Many of these are images of partially or fully undressed minors, which fall into the category of child pornography.
Besides the – apparently not-so-obvious – suggestion that storing, posting, or sharing risqué photos online is never a good idea, there are some other takeaways for everyone to consider.
But first, here’s a quick look at each of these examples.
In the case of the celebrity incident, Apple said the hack was not due to a breach in any of Apple’s services, but rather from a targeted attack against celebrities that focused on finding their user names, passwords and answers to their security questions.
In other words, Apple says it’s the user’s fault, and posted the following advice: “To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.”
For Snapchat users, this follows on the heels of two other incidents. The first incident at the end of last year involved a true hack of Snapchat (instead of a 3rd party app) that exposed the user names and phone numbers for 4.6 million account holders. Then, in May, Snapchat was forced to acknowledge in an FTC settlement that it deceived consumers when it claimed that users’ photos and videos actually ‘disappear forever’ and that user images ‘aren’t saved’. The company was also found at fault for a slew of other misrepresentations.
Who should know more about securing data, consumers or technology companies?
Digging deeper into the ‘blame’ game raises concerns about corporate responsibility and about building consumer-facing products with consumers’ best interests at heart.
Looking at Apple’s comments, they cited consumers’ weak passwords, lack of 2-step authentication, and social engineering for the celebrity hacks.
- Why does Apple allow users to create weak passwords? Companies know users struggle with this, so why aren’t they helping users out with tips, suggestions – and requirements for strong passwords that won’t easily be hacked? Learn more: Password Perfect – Make Strong Passwords Every Time
- Why doesn’t Apple require 2-step authentication? Most users don’t see the opportunity, or understand the need, for stronger authentication, but the company does understand this. So, why have they not helped users by making this mandatory? Learn more: Two-Factor Authentication Is Only as Strong as YOU Make It.
- Why does Apple use insecure security questions? An insecure question is one where a hacker can easily collect the information – either through a search on records, or by social engineering for answers to known questions. It is far safer to have users come up with their own questions so a social engineering hacker can’t know what to ask about, and give users advice about strong questions and very private answers.
In the case of Snapchat, consumers had every reason to believe their images disappeared after 10 seconds. They were specifically told that the company did not store the images, and they weren’t informed that their images and videos were accessible to others through means that allowed recipients to retain the images.
- Why did Snapchat allow 3rd party apps access to receive images from their service? If Snapchat knew that this posed a risk to their users, allowing this access is outrageous – as is failing to adequately warn their customer base.
- If they weren’t going to block access to/from 3rd party apps, why didn’t Snapchat alert users if their images were about to be sent to a 3rd party app? They could have easily created an alert that would pop up and warn users that the images would not disappear, explain the risk, and ask the sender if they wish to continue.
Technology companies own the responsibility in these incidents
Yes, consumers should take greater security precautions, but technology companies own the real responsibility in these incidents. If they had truly built products with consumer privacy, security, and safety as core requirements, their consumers wouldn’t be in the positions they find themselves in. Both cases represent breaches of personal images, but they also represent far greater breaches of consumer trust.