When is being hacked your own fault?

Instead of blaming victims for the leak, it's time to take responsibility for the future of privacy.

Mar 1, 2020, 7:21 pm*

Internet Culture

 

Gillian Branstetter

As with any major release of personal data, the recent leaking of hundreds of thousands of Snapchat messages has quickly become less a game of whodunit and and more of a blame game.

Snapchat released a statement placing blame on Snapchatters’ “use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.” Others, like Wired’s Andy Greenberg, have shifted responsibility to these so-called “parasite” apps that promise to securely save Snapchats from their self-destructive nature.

Law professor Woodrow Hartzog, however, sees Snapchat itself as the perpetrator, blaming what he sees as an ineptitude by the service to make users appropriately wary of such apps as Snapsaved. “Good data security means effectively educating users so they can work with companies to protect information,” argued Hartzog. “Technologies that promise relative privacy must provide better data security than traditional social media.”

While Greenberg and Hartzog are correct in assessing third party apps as shifty and Snapchat as blaming the victim, respectively, they miss the main lesson events like “the Snappening” and Celebgate before it should be teaching us.

Users of all web services are desperately naive when it comes to web security and placing the onus on Snapchat or even smaller app developers is begging to make them more unaware of the dangers they themselves can avoid. We as digital citizens must take control of our own security and the task involves more than proper password maintenance.

In the case of the Snapchat leaks, Snapsaved has, in fact, taken full responsibility for the leaked images but promises no user data made it into the perpetrators’ hands, just the images. That said, this is a major problem for Snapchat users and not a new one. Way back in May of 2013, programmer Yuki Izuki produced a copy-and-paste rewiring of Snapchat’s API that allowed any program to remotely collect photos sent from the phone.

Rather than a hack, this is how apps like Snapsaved actually work. They silently sit in the background and collect the photos. While there is certainly an argument to be made for Snapchat closing such an obvious loophole, it’s the users who take the jump and trust a relatively unqualified and unknown third party with photos and messages that, by their very definition as a Snapchat, are meant to be erased from history.

It’s yet another milepost along the storied road of users’ flippant attitudes toward their own security. Any time you send something to a messaging app or cloud service, you are responsible for verifying the security of where you’re sending it. In the same way you wouldn’t put your money in an unheard of bank with no vault, you shouldn’t be rerouting your sexts to a small Danish company about which you know nothing.

When we send a photo over a service, we typically wipe our hands of the responsibility that may come with protecting it. If your photos are stolen from iCloudas many of the nudes associated with Celebgate are believed to have been—you may rightfully see yourself as the innocent victim of a crime.

Except you not only should but actively need to have an invested role in the security of data you store online. Most people are woefully unaware of what that even means, and it openly endangers even those of us that do take the appropriate measures to protect ourselves.

With Celebgate, the idea that a “brute force” attack found these images is almost certainly false. Access to the accounts of Jennifer Lawrence and Ariana Grande likely came in the form of a guessing game with iCloud’s security questions. While most people likely imagine hackers typing away at mountains of impressive-looking code, they were likely pouring over public interviews with Lawrence to find the name of her first pet.  

In fact, the passwords such security questions are meant to protect should be well on their way out. Security expert for Square mobile payments Diogo Mónica, in a ludicrously informative blog post, detailed how most hackers access your personal accounts and how our total view of password security is completely wrong.

While most layman advice centers on choosing original passwords and changing them often, Mónica argued that “choosing a password is something you should do very infrequently.” Most hackers find your password the more common it is (such as one the most popular computer passwords of all time, the word “password”). So if you have a weak password, you endanger everyone else with a weak password.

Because of this, he instead suggested we should all rely on password managers, which randomly generate passwords for you and hide them behind a more secure system as a whole. “This solves both the strength and memorability problems of 95 percent of your passwords,” Mónica said.

This might come as a shock to even the savviest Internet user among us, especially if that savvy comes from any of the thousands of blog posts about how to choose the perfect password. But it’s precisely this naive mindset that has led to the hacks of sensitive data we’ve seen today.

The theme here is, in the words of Christopher Null, that “people are the easiest thing to hack.” The more we adjust security systems to the whims of users or even the easier we convince them it is to be secure, the less secure they will be.

We as a society are way past the point of surprise at how much of our lives exist online. To list the activities of a typical Internet user would be to list the contents of public life itself. Yet most of us are woefully undereducated about keeping those activities safe from prying eyes. This is not to blame the victims of the Snapchat or iCloud leaks. It still took an active evil-doer to route these photos out and the problems in each case do stem from a shortfall on the part of the respective administrators.

But to ignore proper precautionary advice shows a deluded lack of self-interest. If users want to safeguard themselves against having their data spread across the Internet, they need to take a far more active interest in doing what they can to protect themselves. We, as users, must stand up where tech companies fall and take control of our own security.

Photo via devdsp/Flickr (CC BY 2.0)

Share this article
*First Published: Oct 15, 2014, 11:00 am