Since the major revelations of Edward Snowden about the illegitimate mass surveillance practices of uncontrollable secret services, not much has changed. There is no No-Spy agreement between the US and Germany (some say there never was, besides words). The NSA and BND continue to share data and to tap into the data of internet citizens. Because of this situation, media and critical activists came to the fatalist conclusion that the NSA scandal simply is too abstract, too obscure to mobilize large-scale support for reform amongst the general public. The lack of public outrage and the minimal support for campaigns against the mass surveillance practices of NSA, GCHQ and BND were explained with their faceless nature: the scandal simply had no prominent face, no visual example that showed the horrors of uncontrolled mass surveillance practices that target every piece of data and everyone in the digital age. People do not fear surveillance because they do not know what it feels like to have their privacy violated. When Angela Merkel’s phone was tapped in October 2013, the same argument was put forward, but now slightly differently: Die Zeit headlined that the attack on Merkel’s phone gave the radical and uncontrollable surveillance a prominent and necessary victim. She became the first celebrity to be known as a target and with that, by accident, made visible the uncontrollable nature of intelligence agencies that do not even hesitate to monitor a head of state of a close NATO ally. The Merkelphone incident also showed what happens when privacy is not private anymore because it is actively circumvented by individuals with a certain agenda.
Currently we are witnessing another scandal. This time it is about nude images of celebrities that were stolen out of the cloud by criminals with dubious intentions. Merkelphone and the current celebrity leak share some similarities that are worth exploring. They both show how privacy is endangered in the digital age.
In the current case, the unknown crackers used targeted attacks on celebrity iCloud accounts in order to gain access through the front door. According to Apple, there was no breach in the integrity of their system. Instead, weak passwords that were easy to circumvent were at the core of the problem. The attackers did not need to pick the lock, because they basically looked under the door mat and found the key to the victim’s house. Attacks like this happen quite often and not just to celebrities. In 2012, the account of a journalist was cracked in a similar manner. Often, security questions that can be easily circumvented with a little knowledge about a person are the weak links. It is relatively easy to find out the mother’s maiden name or the name of the first pet of a celebrity. It is all in the yellow press. Weak passwords are one element of the story; another is the human component. We tend to choose easier passwords in cases where we have to use them constantly, and we tend not to change them often enough. During the last year, we had a series of issues that forced us to change our passwords, for example the Heartbleed bug or several data breaches where hackers got millions of passwords and email addresses. But many people simply did not follow the advice of the experts because of laziness and the annoyance of having to change their passwords every two months because of yet another security breach at a web service. Experts argue that most future malware attacks will not break any security systems but rather will target human weaknesses (called social engineering). These trends make clear that these security breaches are here to stay, especially since more and more people store their personal data in cloud services such as Dropbox or iCloud. This development makes the cloud a viable target for crackers.
What makes these leaks interesting is their resemblance to the NSA surveillance and the information we got from Edward Snowden. The primary element of this story is the disregard of privacy and the dignity of the individual human. We know from the Snowden files that the NSA is actively compromising the security of cloud storage providers. We also know that the NSA is actively looking for material that can harm people such as dissidents. Porn-watching behavior is registered in case it must be used to discredit opposition. People can be blackmailed with dirty details about their private lives, for example their fetishes or their nude images. It is curious that in the current case the nude pictures actually got leaked to the internet and have not been sold or used to generate profits. Secret services and criminals have a systematic interest in breaking into your privacy. This is a serious issue. Snowden said in an interview that NSA members pass around nude images of surveillance targets for personal amusement:
You’ve got young enlisted guys, 18 to 22 years old, they’ve suddenly been thrust into a position of extraordinary responsibility where they now have access to all of your private records. Now in the course of their daily work, they stumble across something that is completely unrelated to their work in any sense. For example, an intimate nude photo of someone in a sexually compromising situation, but they’re extremely attractive. So what do they do? They turn around and they show their coworker. And their coworker says ‘Oh hey, that’s great. Show it to Bill down the way.’ And then Bill sends it to George, George sends it to Tom, and sooner or later this person’s whole life has been seen by all of these other people.
It is not clear how many people are working for the NSA (clever people counted 18000 cars in front of Fort Meade), since there is a vast number of sub-contractors, much like Edward Snowden was. He said that around 500.000 persons can access the NSA data storage, which means you have potentially a large number of 18-22 year old male workers who might have a personal interest in your data and nude images. Every one of them can be a potential leaker. From a technical side, there is not a big difference between an NSA contractor breaking into your cloud photo album or Angela Merkel’s phone and any other criminal who does the same. In the iCloud case, it is even identical on the technical level, since the attackers found the key under the door mat with a software tool that is used by law enforcement for the very same purpose: to break into cloud storage. The leak was possible because of a surveillance tool used by law-enforcement agencies to actively break our privacy. This is the very issue at stake here.
The primary criminal act is not the publication of the pictures, but the breaking into a secured system that is supposed to be private. The real scandal is not one case where someone broke into the private space of another individual who happened to be famous (although I am sorry for them); the issue is that this happens constantly, potentially to every one of us. The message is clear: to the present date, privacy in the digital age is dead, unless we start to take it seriously again. Of course one can argue, like many commentators of the celebrity leaks do, that you should not upload your nude pictures to the cloud since everyone theoretically can access them, or that you should not talk state business on your phone since someone might be watching or listening. Although this argument has some truth to it, it is simple victim-blaming that tackles the wrong issue. It is misguided because the dimension of access becomes blurred if actors actively try to circumvent security systems and encryption. Many cloud providers say that they encrypt your data, but at the same time are forced to cooperate with secret services under Section 215 of the PATRIOT Act. There are mechanisms in place that force cloud providers like Google, Apple and Microsoft to hand over your data that is supposed to be private to the public sector (i.e. the government). Secret services are actively working on weakening encryption and thus cyber-security for all of us. These mechanisms actively prohibit the very idea of privacy because they are built around the paranoid concept that private is secret and secret is bad, because only bad guys have something to hide. Hence the pseudo-argument: why fear surveillance if you have nothing to hide? If you translate this logic to the real world, the government could force your landlord to hand over his spare keys so that it can access your house and look for your dirty photographs in your photo books, hidden under your bed.
In this case, no one would argue that you should not take analog nude pictures or buy the latest issue of Playboy because it might get into the wrong hands. The very core essence of privacy is that you should have the right to take nude pictures of yourself without having to fear that someone is trying to steal them from you and, in the worst case, use them against you. That is the reason why I disagree with Christopher Soghoian’s argument (in his otherwise excellent article) that Apple and others should build a private photo function. In fact, every photo you take should be private unless you choose to publish it. To publish means to open access to a third party. Privacy means that in your own home you can be naked as long as you want, and if you decide to use the services of a third party, say a hotel, you expect that you can be naked in the hotel room as well, even though it is not your private home. Privacy also means that you have the right to have secrets. The same should apply to the cloud: if you decide to use a cloud service, your privacy and your data should be covered by the contract you make with the company and, as a result, any breach of this privacy against your explicit consent (!), no matter for what purpose, is an illegal act that must be prosecuted by law enforcement. If you have a deposit box at a bank, you trust your bank to keep the items stored in this box safe and that no one, not even the government, can crack it open to see what is in it (unless there is substantial evidence that requires an opening, e.g. when it is about tax fraud). Be aware that it does not matter how good the security system in place is, be it a weak lock, a weak digital password or the curtains that prevent gazing into your home while you are naked.
The physical status of the mechanism securing your private life is not the issue here: it is theoretically possible that a skilled locksmith can open almost every door, and even strong encryption can be broken with enough time and computing power. The potentially ambivalent status of every security system should never prevent you from expressing your privacy, whether it is being naked or communicating in private. This means that no one should argue: “you should not be naked or talk about private things because your front door is relatively insecure and facing a lively street with many potential criminals walking by”. You should instead argue: no one has the right to look into your private life unless you allow them to. Talking about weak security systems, passwords, locks or curtains reverses our understanding of privacy and focuses on the wrong issue instead of the right to an expression of privacy, which is guaranteed by most Western constitutions. It also puts a false emphasis on the victims: it is not their fault that someone took their photos. It is the fault of those who did it.
Merkel and the celebrity leaks point to the same issue that is at stake here: our increasing misunderstanding and neglect of the concept of privacy. As such, they have become prominent faces for what is at stake and what happens if someone, whether criminal or secret service contractor (or both), is violating our very privacy. Nevertheless, maybe the leak teaches the next generation of digital natives a lesson regarding their privacy in the age of digital surveillance. But maybe it shows them what is worth fighting and arguing for: your fundamental rights.