On an almost semi-weekly basis, there is something printed about yet another set of photos released to
the public, much to the embarrassment of the person who got exposed. And of course, the photos always seem to contain some salacious view of the individual(s). The articles are also usually very quick to point out the more should have been done by the individual and that their security was lax and they were not paying attention to their security posture.
In most cases, the victims of these leaks were not trained in cyber security or computing and would not know a security posture from a yoga posture. The people involved in these unauthorized exposures apparently took prudent measures as instructed by the system they were using. The passwords used must have passed the checks in place or they would not have been able to set them. Quite a few cloud storage systems check password length, complexity, etc. during the initial automated checks.
The failure lies with the protection mechanisms…they were not up to the level of the information being protected. That is not the users’ fault. They were using market standards, represented as being secure. For instance, it is admitted that Apple products were among those involved (and that is the example in some of the links).
Unfortunately, many computer professionals (and too many others, outside the profession) have the mindset that crimes on computers are somehow the fault of the victim (and this has been the case for many years). We must stop blaming the victims in cases such as this, especially when what they were doing was not illegal. We see criticism of their activities instead of the privacy invasion.
If we give users lousy technology and tell them it is safe, they use it according to directions, and they do not understand its limitations, they should not be blamed for the consequences. That is true of any technology. The fault lies with the providers and those who provide vague assurances about it. Too bad we let those providers get away with legally disclaiming all responsibility.
We need to do a better job of building strong technology and then deploying it so that it can be used correctly. We need to come up with better social norms and legal controls to hold miscreants accountable. We need better tools and training for law enforcement to investigate cybercrimes without also creating openings for them to be the ones who are regularly violating privacy. We need to find better ways of informing the public how to make cyber risk-related decisions.
Comments