Security Trade-Offs

The single-worst piece I’ve seen regarding last week’s iCloud celebrity photo leak is, by far, this one from David Auerbach at Slate. To see where Auerbach is coming from, let’s skip ahead to his conclusion first:

But whether or not any of these problems were directly responsible for the leak, Apple users, from Jennifer Lawrence to corporate executives to laptop musicians to you, should be out for blood, and other companies should use this as a lesson to double- and triple-check their own security stories. Apple will probably survive though. IPhones [sic] are so cool and pretty.

The old “Apple customers are shallow fools drawn to shiny things, and easily swayed by popular opinion” angle.

Here’s the problem with Auerbach’s piece:

Whether or not this particular vulnerability was used to gather some of the photos — Apple is not commenting, as usual, but the ubiquity and popularity of Apple’s products certainly point to the iCloud of being a likely source — its existence is reason enough for users to be deeply upset at their beloved company for not taking security seriously enough. Here are five reasons why you should not trust Apple with your nude photos or, really, with any of your data.

Don’t trust Apple “with any of your data” isn’t just wrong because it’s a hyperbolic overreaction, it’s wrong because it’s potentially dangerous. What has been mostly overlooked in the reaction to this photo leak scandal, and completely lost in Auerbach’s argument, is that backups are a form of security — in the same sense that life insurance is a form of security for your children and spouse.

Over the years I’ve received numerous emails from past and former Genius Bar support staff, telling similar stories of heartbreak. Customer comes in, their iPhone completely broken, or lost, or stolen, and they had precious photos and videos on it. The birth of a child. The last vacation they ever took with a beloved spouse who has since passed away. Did they ever back up their iPhone to a Mac or PC with iTunes? No. In many cases they don’t even know what “iTunes on a PC” even means. Or maybe they connected the iPhone to iTunes once, the day they bought it and needed to activate it, and then never again.

This happened to thousands of people. It’s why Apple made cloud-based backups one of the fundamental pillars of iCloud. It still happens, today, to people who haven’t signed up for iCloud and enabled iCloud backups. It’s heartbreaking in most cases, and downright devastating in some. I’ve heard from Genius Bar staffers who eventually left the job because of the stress of dealing with customers suffering data loss. Once it is determined that the photos and videos are irretrievable from the device and have never been backed up, the job of the Genius staffer turns from technician to grief counselor. Bereavement is not too strong a word.

iCloud backups have not eliminated this problem, but they have made it far less common. This is, like almost everything in tech, a trade-off:

Your data is far safer from irretrievable loss if it is synced/backed up, regularly, to a cloud-based service.

Your data is more at risk of being stolen if it is synced/backed up, regularly, to a cloud-based service.

Ideally, the companies that provide such services minimize the risk of your account being hijacked while maximizing the simplicity and ease of setting it up and using it. But clearly these two goals are in conflict. There’s no way around the fact that the proper balance is somewhere in between maximal security and minimal complexity.

Further, I would wager heavily that there are thousands and thousands more people who have been traumatized by irretrievable data loss (who would have been saved if they’d had cloud-based backups) than those who have been victimized by having their cloud-based accounts hijacked (who would have been saved if they had only stored their data locally on their devices).

It is thus, in my opinion, terribly irresponsible to advise people to blindly not trust Apple (or Google, or Dropbox, or Microsoft, etc.) with “any of your data” without emphasizing, clearly and adamantly, that by only storing their data on-device, they greatly increase the risk of losing everything.

The problems here are multifaceted and complicated; “don’t trust anything in the cloud” is simplistic and, in its own way, dangerous.

Postscript: And what about email and messaging? If one doesn’t trust Apple or other cloud-based providers with backups, how can you trust them with email or messages, both of which often contain photos? Further, as Charles Ying pointed out, Apple is set to improve on this very thing in iOS 8 with self-destructing attachments in iMessage.