It’s now been 48 hours since the biggest leak of private nude photos of celebrities in history, an event dubbed “The Fappening”. Details are starting to appear about what happened. At the same time, some are demanding blood and wanting to know “whose fault” this was. It’s more complex than that.

“Whose fault was it?”

That’s been the question I’ve heard the most regarding the enormous leak of nude photos this week. It’s a bit more complicated than denouncing hackers and thinking the world is nicely black and white. Yes, what they did – leaking the private photos – was illegal. But if the exact same thing had happened as part of a law enforcement investigation, the same leak would have happened legally.

To top that consideration off, we know that employees at the NSA are routinely intercepting nude photos in transit, passing them around, considering looking at others’ private photos a fringe benefit of the job.

So it’s not as easy as saying that the people who leaked the photos are criminals, when others can do it legally, and others still at government agencies are doing it all the time, including right now. The difference here was not one of action, but one of who took the action. Does that make it wrong? Yes. Would it still be wrong if the NSA did it? Yes. But it would be legal. Or at least legal enough. Was it wrong of Apple to provide such sloppy security that both the NSA and the hacker could easily get at the nude photos? Aha, now we’re getting somewhere.

This is a story playing out on moral, technical, and legal levels at the same time.

At present, the archive with images from The Fappening is the most-shared and most-seeded torrent on The Pirate Bay across all categories, sporting a record 36,738 seeders. This demonstrates quite clearly that whatever goes on the net, stays on the net.

What happened was that a new interface from Apple, one called “Find My iPhone”, allowed for an unlimited number of failed password attempts with no time limit between them. This allowed people to literally try millions and millions of passwords of their intended targets, all on automatic, until they stumbled on the one password that happened to be correct. Once they had that, they were able to download the entire contents of their targets’ iPhones to their own computers.
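To make the defect concrete, here is an added illustration (not Apple’s code, and not from the original post) of a login check with no limit on failed attempts beside one that counts failures per account, locks the account for a while, and records a red flag for operators. The user name, password, salt and the policy values (5 attempts, 15-minute lockout) are constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5       # assumed policy: failed attempts tolerated before lockout
LOCKOUT_SECONDS = 900  # assumed policy: 15-minute lockout


def _hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so each guess costs real work, not a plain compare."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UnlimitedLogin:
    """Vulnerable variant: every guess is checked, with no counter and no delay."""

    def __init__(self, users):  # users: {name: (salt, pbkdf2 digest)}
        self.users = users

    def login(self, user, password):
        salt, digest = self.users[user]
        return hmac.compare_digest(_hash(password, salt), digest)


class ThrottledLogin(UnlimitedLogin):
    """Hardened variant: per-account failure counter, temporary lockout, alert."""

    def __init__(self, users, clock=time.monotonic):
        super().__init__(users)
        self.clock = clock           # injectable so the lockout can be simulated
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.alerts = []             # red flags an operator should actually see

    def login(self, user, password):
        now = self.clock()
        if now < self.locked_until.get(user, 0):
            return "locked"          # refuse without even checking the password
        if super().login(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            self.alerts.append((user, now))  # raise the red flag
            return "locked"
        return "denied"


def demo():
    """Burst of wrong guesses against one constructed account, then the real password."""
    salt = b"constructed-salt"
    users = {"alice": (salt, _hash("correct horse", salt))}
    fake_time = [0.0]
    svc = ThrottledLogin(users, clock=lambda: fake_time[0])
    burst = [svc.login("alice", f"wrong{i}") for i in range(6)]
    during = svc.login("alice", "correct horse")   # right password, still locked
    fake_time[0] += LOCKOUT_SECONDS + 1
    after = svc.login("alice", "correct horse")    # lockout expired, works again
    return burst, during, after, len(svc.alerts)
```

The same burst against `UnlimitedLogin` would simply return `False` six times and leave no trace, which is the behaviour the post describes.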

It’s safe to assume there was more than photos that were leaked. We’ve only seen the tip of the iceberg.

Apple, meanwhile, reacts to this by saying that people who had their photos leaked should have had stronger passwords and two-factor authentication. While technically true – you should always use two-factor authentication, as it helps to thwart these kinds of attacks – it’s nowhere near good enough from Apple in this case. You don’t blame the victims of your own sloppy security, even if your victims could have done a better job, too.

The NSA are actually even more to blame here. They have confused “keeping us safe” with “needing to hack into any system”, and therefore, all of a sudden, they have forgotten their initial mission, blinded by the ability to penetrate systems and networks. But the NSA safeguarding their ability to penetrate means that systems stay vulnerable, and that we are considerably less safe as a result. The Fappening is an excellent example: if the NSA had done their job, they would have discovered the vulnerability and informed Apple in no uncertain terms that this was not secure. But that’s not what they do; they do the exact opposite. They discover the vulnerability and let it stay hidden.

And then, Apple blames its victims. The only thing they can be blamed for is having a bad sense of information hygiene, for trusting Apple with their unencrypted data, and for having sensitive data unencrypted in a cloud service at all.

Victim-blaming, even partially, is not something you should ever do lightly. At the same time, lack of basic security practices does have real-world implications. If you’re reckless with the PIN to your ATM card, the fault is placed squarely on your shoulders and yours alone if somebody uses your ATM card with your PIN – even if the theft is solidly illegal, and a police report can be filed, it’s still considered your fault that it happened. We need to come to a similar understanding with sloppy protection of private data, while at the same time holding corporations liable who don’t take responsibility for private data entrusted to them.

Overall, the fault here lies primarily with Apple and not its (yes, Apple’s) victims. No company should have security so sloppy as to allow millions of password attempts in a short timespan without raising any kind of red flag. Apple should definitely have formal liability here. At the same time, it denies all such liability, and not only that, it tries to divert attention to its newest phone, which also wants to be a wallet. A bit of a trust issue, there.

now that Apple is saying they're not liable for protecting you against well known attacks…here, have a new phone that wants to be a wallet — davi (((德海))) (@daviottenheimer) September 3, 2014

Your stance, meanwhile, needs to be that you must protect yourself not only from sloppy companies, but also from legal leaks of your private data. Consider that point carefully: you need to protect your private data from legal seizure by law enforcement, which will effectively make it public. If you do this, you are going to protect yourself from illegal leaks as a pure bonus. In other words, encrypt everything.

Some people are expressing that The Fappening wouldn’t be a problem if we didn’t consider women’s bodies and casual nude photos to be something to hide in the first place. That does have some truth to it; things that everybody does eventually lose their taboo:

“Yes, but I didn’t inhale.” — Bill Clinton, 1992

“Of course I inhaled. That was the point!” — Barack Obama, 2006

However, this observation dodges the real issue – that there will always be private data that, when leaked, can be used against the individual concerned. It’s possible that nudes won’t be sensitive in the future, but it doesn’t matter. There has always been, and will always be, private data that can be used for political or financial extortion if it leaks. Consider that the attack vector used here was against a positioning service. Whoever got phone data also got a complete log of the victims’ movements. I’d say that’s a whole lot more sensitive than casual nude photos.

Information hygiene – awareness of how you store and transmit your data – is not something that can be ignored anymore. It’s mandatory. In some areas, it’s literally a survival skill. At the same time, media keeps ignoring these fundamentals of security: at the end of the day, it’s remarkably disheartening that a catastrophic privacy leak only gets the media attention it deserves if somebody is masturbating to it.

Unencrypted data which is stored on or sent through somebody else’s computer is not your data anymore. It’s as simple as that.

Privacy remains your own responsibility.