How we all benefit if celebs sue Apple over nude photo hacks (Wired UK)


David Vladeck believes Apple will likely be sued after hackers
grabbed nude photos that celebrities stored on the company’s iCloud
service.

Vladeck, the former director of the FTC’s Bureau of Consumer
Protection and a professor of law at Georgetown University,
acknowledges that such suits have had little success in the past,
but he and other legal and cybersecurity experts also say that a
lawsuit over the high-profile hack may be just the thing to push
Apple and other online companies to more aggressively protect the
people using their services.

Apple hasn’t said much about the hack — in which someone
pilfered nude photos of dozens of celebrities, including Jennifer
Lawrence, Kirsten Dunst, and Kate Upton. In a brief statement, the
company called the incident “a very targeted attack on user names,
passwords and security questions, a practice that has become all
too common on the Internet,” and not a breach of any Apple systems,
including iCloud and FindMyiPhone. But, regardless of Apple’s
debatable definition of a breach, some experts believe the hack
could inspire a change in the way courts and regulators treat such
incidents.

Traditionally, data breach lawsuits rarely make it to trial.
They’re typically settled or dismissed. The United States, unlike
the European Union, has no overarching law dictating the security
of a technology company, unless, of course, it operates in health,
finance, or another regulated sector. That, combined with the fact
that tech firms often disavow all liability in their privacy policies
and end user license agreements, makes it difficult for courts to
find them at fault.

But Vladeck and other experts believe that may change as
regulators and courts realise our legal system puts consumers at a
fundamental disadvantage against the businesses with which they
entrust their digital lives. If Apple were to appear in court,
these experts say, the case could finally set precedent for how
tech companies must behave. Some, including Google, have made major
security improvements in recent years to guard against such
hackers. But many, including Apple, are behind the curve.

“We’re in this legal mess where the contracts companies are
relying on to protect them from liability are functionally the
emperor’s clothes of contracts. It’s a poorly kept secret that no
one understands them, and that’s not a tenable position,” says
Andrea Matwyshyn, who recently served as senior policy advisor and
academic in residence at the Federal Trade Commission. “We’re
seeing a trust erosion happening, and the digital economy is
entirely predicated on people trusting these products, and being
willing to engage with this technology.”

If people no longer trust their information to these companies,
she says, they’ll alter their behaviour. And that could imperil the
entire internet economy — which is precisely why she and others
believe now may be the time to set some legal ground rules. “I
wouldn’t be surprised if we saw a case come out of this that made
some good law around trying to fix some of these power imbalances
that exist between consumers and providers,” Matwyshyn says.

What we know about the attack

To understand how this could play out, it’s important to understand
how the hack happened. Though details are still emerging, many
believe the hacker or hackers gained access to victims’ usernames
and passwords using a brute force attack, in which hackers, often
using software, repeatedly guess passwords until they get them
right, or by guessing the answers to security questions in Apple’s
password reset functionality.

In some cases, as Wired’s Andy Greenberg recently explained, the credentials stolen
with those techniques may have been combined with law enforcement
software that enabled hackers to impersonate victims’ phones and
download their data.

This means that, unlike a situation in which a business’s
servers are compromised, any legal case or regulatory action would
revolve around iCloud’s user interface and whether Apple offers and
encourages users to implement reasonable security measures at
login. For instance, if a brute force attack occurred, that might
indicate Apple failed to set reasonable limits on the number of
login attempts that could be made before a user is locked out.
Another question might be whether Apple’s optional two-factor
authentication truly could have protected victims’ accounts, even
if they had activated it.
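The attempt limit described above, shown as an added illustration rather than code from Wired or Apple: a per-account lockout that counts recent failed logins, run side by side with the unlimited policy that repeated guessing depends on. The thresholds, account name and guess list are constructed for the example.

```python
from collections import defaultdict

# Constructed policy values for this example, not Apple's actual settings.
MAX_FAILURES = 5        # failed attempts tolerated within one window
WINDOW_SECONDS = 900    # 15-minute sliding window for counting failures
LOCKOUT_SECONDS = 1800  # account refuses all attempts for 30 minutes once locked


class LoginGuard:
    """Counts failed logins per account and refuses attempts while the account is locked."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(list)  # account -> timestamps of recent failures
        self.locked_until = {}             # account -> time at which the lock expires

    def attempt(self, account, password_ok, now):
        """Return 'ok' (accepted), 'denied' (wrong password) or 'locked' (not even checked)."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if password_ok:
            self.failures.pop(account, None)  # a successful login clears the failure history
            return "ok"
        recent = [t for t in self.failures[account] if now - t < self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
        return "denied"


def simulate_guessing(guard, account, guesses, correct, start=0.0, interval=0.2):
    """Replay a constructed guess list against the guard, one guess every `interval` seconds.

    Returns (guesses the server actually checked, whether the correct one was ever accepted).
    """
    checked = 0
    for i, guess in enumerate(guesses):
        result = guard.attempt(account, guess == correct, start + i * interval)
        if result == "locked":
            continue  # refused outright; the password was never compared
        checked += 1
        if result == "ok":
            return checked, True
    return checked, False
```

With the unlimited guard (`max_failures` set absurdly high) every guess in the list is checked and the correct one eventually gets through; with the default policy the account locks after the fifth failure and the remaining guesses are never evaluated.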

“Apple’s argument will be: ‘We’re not responsible. Somebody else
got the credentials.’ But it’s Apple that decides what the
credentials can be,” says Fred Cate, professor of information
security law at Indiana University, Bloomington. That caveat could
encourage a lawsuit from victims accusing the company of
negligence.

According to Vladeck, such a suit is highly likely, considering
the high-profile nature of the hack and the deep pockets of the
victims. Whether they’ll be successful, however, is a different
story. “Those cases have, by and large, foundered on the question
of whether the individual has been harmed,” Vladeck says.

Indeed, Cate says there’s never been a successful lawsuit
against a company for failing to impose strict enough login
credentials. But he believes a high-profile suit could change
attitudes. “I think this could be just that sort of case,” he says.
“It takes egregious cases to move the law along.”

How the courts could change

In such a case, the question also would arise as to whether the
victims willingly agreed to a contract with Apple in which Apple
disclaims liability. “Apple will claim that when we click ‘yes’ on
those very long agreements in tiny fonts that are written by
lawyers for lawyers that we fully understand those risks pertain,
and we’re choosing to engage with them anyway,” Matwyshyn says.

While such agreements have protected companies in the past,
Matwyshyn says, courts increasingly are ready to reassess them,
accounting not only for the language in the contract, but for the
user’s interpretation of the contract.

Another possibility is that the Federal Trade Commission would
investigate whether Apple has provided reasonable security
measures, given the sensitivity of the data and the risks involved.
The question then would be whether the hack exploited a known
security flaw that was not fixed. “Unfortunately, that’s still the
bulk of our industry,” Matwyshyn says. “Those are the types of
problems where you’ll see private sector litigation and enforcement
activity from the FTC.”

Indeed, a brute force attack very well could constitute a known
risk. After all, Twitter experienced a similar hack in 2009 and quickly shored
up its sign-in. Even Apple referred to the attack in its statement
as an “all too common” practice on the internet. Whether the FTC
would view that as evidence that Apple failed to respond to a known
threat, though, is unclear. And as Cate notes, such action “doesn’t
usually put money in the hands of anyone who’s hurt, but it can
provide substantial penalties, so the companies want to behave
better next time.”

Apple’s Catch-22

None of this means Apple is in grave danger. The company’s privacy
policy very well may serve as adequate disclosure to users. And
Apple certainly could argue that just because users give their data
to a third party source does not mean users completely relinquish
responsibility to protect that data. If the victims didn’t use a
sophisticated password, Apple could argue the victims were the ones
being negligent.

According to Cate, Apple also will likely argue that forcing
stricter login credentials on users would threaten its business,
because hardcore security measures could confuse or irritate the
average consumer. “Whenever a company raises the security bar, the
public hates it,” he says. “So they’re sort of in a Catch-22. We
hate them when they make us use top security, but we hate them when
they lose our data.”

That’s one reason why Cate, Vladeck, and Matwyshyn agree the
United States is in desperate and growing need of laws that at
least set basic ground rules for data security. The fear, of
course, is that the rate of innovation in the tech sector will make
any laws obsolete almost as soon as they’re passed. And yet,
Matwyshyn notes that in other areas of contract law, rules have
been created to guarantee basic standards for service. For
instance, she says, “Your landlord can’t just turn off your heat in
the middle of winter. That’s a basic agreement, no matter what your
contract states.”

“For consumers,” she says, “data security is increasingly viewed
like heat in winter.”

This article originally appeared on Wired.com
5 September 2014 | 9:35 am – Source: wired.co.uk