Celebrity Nude Photo Hack Exposes Flaw In How We Think About Privacy and the Cloud

The celebrity photo hacking scandal has once again put personal information privacy in the spotlight. Apple certainly has egg on their face for their failure to implement a simple level of security on their iCloud service. But some commentators, bloggers, and Twitter users are pointing fingers at the victims of the hack for keeping such photos to begin with. Do we all need to be Internet security experts to use an iPhone?

Extreme measures are not the answer. Instead, our current system of data privacy is based on a fundamental flaw. We are all supposed to be solely responsible for our personal information, but at the same time we are all part of a social network of family, friends and services with whom we are expected to share.

Our systems are set up to make us entirely responsible for safeguarding our data. We toggle innumerable privacy settings that are constantly being updated. We navigate many different online services and platforms, each with their own complications. We are told to back up our data to hard disks and clouds, and exhorted to change our passwords regularly.

At the same time, we are expected to share, share, share. Parents post photos of their kids online so that distant grandparents can follow along. Young travellers start blogs to record their adventures for friends back home. Even nude selfies are rarely taken for the subject’s enjoyment but are shared with their loved ones far away. Indeed, hacked actress Mary Elizabeth Winstead described her leaked photos as ones that “I took with my husband.”

A wide variety of technological services – not just iCloud but also Dropbox and Google Drive – have grown around this requirement for social sharing. Social mores have kept up with the trend. Now, grandparents join Facebook with the expectation that they’ll see photos of their grandchildren. To resist posting is to be a bad parent.

When you fail at this delicate balance of privacy and sharing, friends and strangers alike will line up to tell you that it’s your fault. But how can you keep control over a video of your kids when you post it for your parents? How can you stop a friend at a party from syncing a photo of you to iCloud and uploading it to Instagram, or auto-tagging you using facial recognition on Facebook or Picasa? And when a photo that you text to your friend with an iPhone now belongs both to your pal and to Apple, who is to blame when the photo leaks?

Security experts will claim that the solution to the current hack is better password protection. But even two-stage security – systems that ask for a personal fact about you like a birthdate or pet name in addition to a password – fails to account for the fact that most information about us is readily available online. Children’s names, graduation dates and old addresses are only a search term away.

An alternative view is emerging from a study I’m conducting with colleagues at Princeton University and Yahoo! labs. We are learning that our data systems ask us to be individually responsible but fail to account for how and why we share data with each other. They assume our data is personal, when in reality it is interpersonal. We are caught between opting out entirely and managing an impossible number of changing services with finesse. We do all this with our most important relationships at stake.

Let’s call this what it is: data is only “personal” when it is leaked. That’s why blaming the victims doesn’t help. The next time this happens, it won’t be the celebrities who are hacked for their photos: it will be their friends, their parents, their boyfriends and girlfriends. Everyone is vulnerable.

Keeping each other’s data safe is everyone’s responsibility. It’s time that our devices and services live up to it.

Janet Vertesi is assistant professor of sociology at Princeton University, where she is a faculty fellow at the Center for Information Technology Policy. She is a 2014 recipient of a Yahoo Faculty Research Engagement Program grant to study personal data privacy practices.