- Are you automatically backing up your smartphone photos to the cloud?
- Are you sure?
If you answered “no” and “yes,” congratulations: Your selfies are probably safe from the sort of hack that exposed nude photos of actress Jennifer Lawrence, model Kate Upton, and several others this past weekend.
If you answered “yes” and “yes,” you might want to read on. And if you answered anything else—including “I have no idea”—you should stop reading right now and find out the answer before you go any farther.
(On an iPhone, go to “Settings -> iCloud -> Photos.” If “My Photo Stream” is on, you’ve been backing up your photos to the cloud. On an Android phone, open the Photos app and select “Settings.” If “Auto Backup” is on, your photos are on the cloud.)
It’s still not fully clear exactly how all the celebrity photos published this weekend were leaked and assembled. One theory is that at least some were obtained by hackers using a “brute-force” attack on the victims’ Apple iCloud accounts. That means they used specially designed software to guess hundreds, thousands, or even millions of common passwords for each targeted celebrity, and eventually the software guessed right. If accurate, this suggests some serious negligence on the part of Apple’s security team. It also implies that millions of other Apple customers would have been vulnerable to similar attacks, had someone decided to target them.
Another possibility is that the hackers somehow sussed out the celebrities’ passwords or security questions themselves, perhaps through individually tailored phishing schemes. Either way, once they were in, the hackers would have had access to all the files that were stored on those accounts.
The most disturbing part is that, in many cases, the victims probably didn’t even realize they had racy photos stored on remote servers. I think this quote from a May red-carpet interview with Lawrence is typical of how a lot of Apple users relate to the company’s iCloud service.
JLaw: "My iCloud keeps telling me to back it up, and I'm like, I don't know how to back you up. Do it yourself." http://t.co/kIsOsy8VOs-- nilay patel (@reckless) May 13, 2014
That’s understandable. Many of us are still struggling to understand what the cloud is, let alone how and when to use it. And big tech companies have worked hard to train us simply trust in their software without understanding how it works. Apple in particular proudly eschews instruction manuals for its high-tech gadgets.
These companies want us to feel confident storing all our files on their remote servers so that we can use them on all our different devices. “Seamless” is a favorite word of tech PR types. That’s why Apple backs up your files to iCloud by default. It wants you to be able to see the same photos on your MacBook that you see on your iPhone, and it doesn’t want you to have to worry about it. “You barely have to do a thing,” Apple brags.
This weekend’s hacks are a reminder that you should worry about it, at least a little. Think of it this way, suggests security blogger Graham Cluley: When you’re backing something up to the cloud, you’re essentially backing it up to someone else’ computer.
In general, it’s true that Apple and the other above-named tech companies work hard to secure the data that we store in the cloud. Security breaches are bad for their business. But it’s also bad for their business when their users get confused, or have to do more work than they’re accustomed to in order to gain access to their own data. For instance, two-factor authentication—which requires you to type in a second special code along with your password whenever you log in from a new device—can be a hassle. And so there’s a temptation to err on the side of convenience rather than security.
I’m not saying you should never back up your photos to the cloud. Cloud storage is an incredibly handy tool for all sorts of purposes, including backing up files you don’t want to lose. To be clear, I’m also not blaming the victims in this case—they did nothing to deserve this illegal privacy invasion.
What I am saying is that we should all think twice before allowing any service to back up our photos to the cloud automatically on an ongoing basis. Once you’ve allowed that, it’s very easy to forget that you’ve done it, and upload something you’d really rather keep private. Auto-backup is a one-size-fits-all solution, and not all data is created equal.
Rather, storing something to the cloud should be an intentional act, like attaching it to an email or posting on Facebook. Choose certain types of files and photos to live in the cloud and make sure you choose the appropriate level of encryption for each. Two-factor authentication is a must for any account that includes potentially sensitive data. And try to be aware when you’re using a cloud-based service like Gmail or Dropbox that, despite those companies’ best efforts, anything you store there is potentially vulnerable, not only to far-away hackers but to any friends, colleagues, and loved-ones who might have or guess your password.
Storing everything locally isn’t foolproof either, since your phone or computer could always be lost or stolen. But at least if that happens, at least you’ll know you’ve lost it and can take steps to defend yourself.
Previously in Slate: