Many commentators have been searching for someone to blame after last week’s celebrity photo thefts, in which hackers posted intimate images of more than a dozen starlets on sites such as 4chan and Reddit. While the culprits remain unidentified and the scope and timeline of the intrusions are still hazy, it seems clear that a major point of failure was Apple’s iCloud, one of the massive corporate data clusters we now use to remotely store our files, photos and other digital property. The timing is awkward for Apple, which is expected to announce its latest iPhone and a new smartwatch today at an event in Cupertino, California. The company released a statement claiming that iCloud did not suffer a systemic breach, but it did not explicitly deny that the attackers exploited specific vulnerabilities. Security researchers pointed out that the stolen images came from a large and mysterious porn-hacking underworld whose members utilize various methods to rip photos from private file lockers — many of which would not have worked had Apple rectified longstanding security oversights in iCloud. In other words, whether or not you call it a breach, Apple’s outdated security practices appear to be at least partly at fault for the stolen pictures. And yet as the story broke, misogyny-laced voices began blaming the breach’s mostly female victims, declaring that they shouldn’t have taken nude photos of themselves in the first place and, further, that they were foolish to trust their photos to the cloud. The first argument is a nonstarter: Women have a right to take as many nude selfies as they please, and they should have the sole authority to delegate which (consenting) adults do and do not have access to those photos. But what about the latter statement? Can anyone — celebrity or civilian — really be blamed for trusting cloud services with intimate data? Or should we simply accept that people want the cloud and work to replace it with something that gives us more control of our data without sacrificing convenience?

Insufficient security

Over the last decade, the tech industry has consistently overstated the promise of cloud computing, and one can’t really fault consumers for buying into it. The public has embraced cloud storage because it’s easy and convenient to simply put things online and not have to worry about corrupted files and failing hard drives. While companies such as Google and Dropbox tout the cloud as safe, secure and reliable, they are rarely up front about the risks of remote storage — nor are they usually held accountable when intrusions occur. That needs to change. But in the long term, we should also start thinking about life beyond the cloud and demand alternatives to the current system of centralized corporate stewardship. It’s easier said than done. Today the boundaries between what is “online” and what is “offline” have become virtually nonexistent. Our lives now unfold as much on Facebook and Twitter as they do in what some insist on calling the real world, and actions in one inevitably produce consequences in the other. Storing data in the cloud has become a perfunctory activity, and much of what we do on our devices is kept online for the sake of convenience (and in the case of data-driven behemoths such as Google, to be scanned and analyzed for the purpose of generating revenue from targeted ads). A major factor in the celebrity photo thefts was the fact that unless a user opts out, all photos taken on an iPhone are automatically backed up to iCloud — nude selfies and all. Even if you delete photos from your phone, copies remain on Apple’s servers. Apple does not make users aware of this. And even if it did, it has frequently been established that users tend not to change default settings. Such defaults used to distinguish Apple’s views on privacy from Google’s and Facebook’s, at least momentarily when Steve Jobs was in charge. “Privacy means people know what they’re signing up for. In plain English and repeatedly,” Jobs said in a 2010 interview with Walt Mossberg. “Some people want to share more data than other people do. Ask them. Ask them every time … Let them know precisely what you’re going to do with their data.”

The events of the past week should serve as a portrait of our precarious reliance on distant databanks and a window into what we can gain by getting our digital property back into our own hands.

Jobs was right: People can’t be expected to intuitively understand what’s happening to their data. Once it enters a corporate cloud, after all, that data is at the mercy of those who administer it. We trust that the companies’ security will repel hackers and criminals, even as they allow known vulnerabilities to go unpatched for months. In May it was revealed that Apple’s Find My iPhone feature does not limit login attempts, allowing hackers to run brute force attacks — a crude technique that uses automated scripts to try millions of password combinations until access is achieved. Many suspected this was a significant factor in the celebrity photo theft, but it wasn’t until after the story broke that Apple implemented changes. (The company has since patched the exploit but claimed it found no evidence the hackers had used it.) There’s also the problem of those insufficient security questions used for password resets, which attackers can often guess by doing research on the target. Even worse, for iCloud, Apple didn’t enable two-factor authentication, a common security measure that defeats many forms of intrusion by having users input a second access code. The company also failed to notify users when backup files were accessed from an unrecognized machine. Ars Technica warned about this as far back as May of 2013; Apple finally implemented the changes on Friday. Even then, there are privacy problems beyond companies’ control. National Security Agency whistleblower Edward Snowden’s revelations have illustrated as much. We now know that using the cloud requires that we forgo legal protections against warrantless government searches, our Fourth Amendment rights effectively suspended the moment our data is sent to a third-party server, whether that’s a website or a storage locker like iCloud. This despite the fact that, as noted by Supreme Court Justice Sonia Sotomayor, most data is now generated and transferred as a byproduct of carrying out mundane tasks, from hailing a cab to checking email — a far cry from the 1980s, when electronic privacy laws were last updated.

Life beyond the cloud