Clouding the issue

Following the Jennifer Lawrence photo scandal, Robin Tudge takes a closer look at how Apple has sidestepped its data-storing responsibilities.


The raid and dissemination of personal images of actress Jennifer Lawrence from her iCloud account, among others, is appalling. To say people should not upload their most personal pictures to cloud storage (or anywhere else) in case it gets hacked could be said to be victim-blaming.

People should be allowed to do such things without fear of having their privacy so grossly violated. But it’s also horribly true that all and any data stored remotely from users’ computers or phones or memory sticks can be stolen, lost, corrupted or hacked and can go viral instantly. That is why Apple, in its iCloud users’ terms and conditions (T&Cs), has this big fat disclaimer in capital letters to disabuse users of any expectation that their data is safe and sound:

APPLE DOES NOT REPRESENT OR GUARANTEE THAT THE SERVICE WILL BE FREE FROM LOSS, CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, OR OTHER SECURITY INTRUSION, AND APPLE DISCLAIMS ANY LIABILITY RELATING THERETO.

That’s them covered, atop an almost 9,000-word contract in which lurk innumerable potentially violating ends for our data and content – from users as young as 13 years old, or children as they’re known – in the hands of Apple and friends, ends to which we users consent.


Surely providers can far more clearly explain to technically inept users – that’s most of us – whether their data is uploaded to the cloud by choice or default. Maybe that is somewhere in the iCloud’s novelette contract, for example, but even the coolest, most tech- and legal-savvy minds can only make their judgement based on the T&Cs, ‘last revised: September 18, 2013’, because ‘Apple reserves the right at any time to modify this Agreement and to impose new or additional terms or conditions’. And that’s not all: ‘For more information, please read our full privacy policy’ – which then shows how your rights vary according to your location. Seriously, who has the time to read and process all this? (More shifting goal posts can be seen here.)

Apple and its T&Cs are by no means unique, but here’s some more from Apple’s novelette: ‘Apple may collect, use, transmit, process and maintain information related to your Account and related registered devices’, to better Apple’s products, but also ‘this information may be transferred to the United States and/or other countries for storage, processing and use by Apple, its affiliates, and/or their service providers’. I’d assume all my data had already gone to the US-based National Security Agency (NSA) anyway – but who are these un-named affiliates? Where are they? How will they get my data? ‘Apple may transmit your Content across various public networks, in various media, and modify or change your Content to comply with technical requirements of connecting networks or devices or computers.’

Apple also has the right to ‘access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate, if legally required to do so or if we have a good faith belief [to do so]’ to comply with legal requests, to protect others’ property rights, and to enforce this Agreement.

So any un-named third party may get your content, for as little and as Kafkaesque a reason as Apple wondering aloud if its own agreement is being stuck to. Further, Apple has ‘a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify ... publicly perform and publicly display such Content on the Service’, without payment, as long as it’s not unlawful conduct or is ‘obscene, objectionable, or in poor taste’ – wholly subjective criteria which surely require some Apple hack to come sniff out?

I’ve barely scratched the surface. People get exercised when, for example, the state seeks to take all our personal data out of separate state department silos and hoard it all onto a single database, a reckless endeavour that NO2ID has long campaigned against. Maybe people become upset because they perceive the state to be innately dictatorial, and by threatening the sanctity of their personal data, it threatens their personal sovereignty and autonomy. But with the private companies dealing with our emails, texts, the tax returns we compute and store on cloud and the precarious selfies we upload, people overlook those same dangers. Maybe it’s because they choose to use these companies’ services as a means to exercise their autonomy, to engage in the here and now, and that not only obscures any abstract threat posed by far-flung hackers but, far worse, blinds us to the potential violations that we blithely sign up to in the first place.

Robin Tudge is the author of the No Nonsense Guide to Global Surveillance and is the Newcastle co-ordinator for the anti-database state campaign group, NO2ID.

The opinions expressed in this article are solely those of the author. Meanwhile, the Electronic Freedom Frontier group has given the following suggestions for enhancing security:

The best way to secure your data in the cloud is to use a good password. That doesn’t mean it has to be super-complicated with lots of symbols and random numbers and capital letters; you can be just as secure using a password made up of four or five totally random words strung together (as long as they don’t form a coherent sentence). For even more security, you can use a totally random password and make use of a password safe like KeePass or Mitro. If your cloud service supports it, you should also enable two-factor authentication on your account – then when someone tries to change your password (or even log in, depending on the service), they’ll have to enter a code that gets sent to your phone via SMS or a phone call. That way, a thief would not only have to know your password, but also have physical access to your phone (which is a lot harder).
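As an added example (not part of the article or of the quoted advice), this Python sketch puts numbers on the passphrase suggestion above by comparing the entropy of four or five random words with that of random-character passwords, and generates a passphrase with a cryptographic random source. The 16-word list is constructed for the demonstration, and the 7,776-word figure assumes a standard five-dice word list.

```python
import math
import secrets

DICE_LIST_SIZE = 6 ** 5  # 7776 words: assumed size of a five-dice word list
PRINTABLE = 94           # printable ASCII characters, excluding space

# Constructed 16-word sample list so the block runs offline; far too small for real use.
SAMPLE_WORDS = [
    "anchor", "biscuit", "candle", "dolphin", "ember", "fossil", "glacier", "harbor",
    "island", "jigsaw", "kettle", "lantern", "magnet", "nectar", "orchid", "pebble",
]

def entropy_bits(choices: int, length: int) -> float:
    """Entropy in bits when `length` items are each drawn uniformly from `choices`."""
    return length * math.log2(choices)

def make_passphrase(words, count, min_bits=0.0, sep=" "):
    """Draw `count` words with a CSPRNG; refuse if the list cannot reach `min_bits`."""
    unique = sorted(set(words))  # duplicates would overstate the entropy
    bits = entropy_bits(len(unique), count)
    if bits < min_bits:
        raise ValueError(f"{len(unique)} words x {count} gives only {bits:.1f} bits")
    return sep.join(secrets.choice(unique) for _ in range(count)), bits

def comparison():
    """Random-word passphrases next to random printable-character passwords."""
    return {
        "4 random words": entropy_bits(DICE_LIST_SIZE, 4),
        "5 random words": entropy_bits(DICE_LIST_SIZE, 5),
        "8 random characters": entropy_bits(PRINTABLE, 8),
        "10 random characters": entropy_bits(PRINTABLE, 10),
    }

if __name__ == "__main__":
    for label, bits in comparison().items():
        print(f"{label:22s} {bits:5.1f} bits")
    phrase, bits = make_passphrase(SAMPLE_WORDS, 5)
    print(f"sample: {phrase!r} ({bits:.0f} bits from the 16-word demo list)")
```

The figures hold only when a random generator picks the words; words a person chooses, or a list much smaller than the one assumed, give far less than the calculation suggests.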