The Fappening: Ultimately, who is responsible for the security of content stored in the cloud?


On August 31st, hundreds of explicit pictures and videos of celebrities—including nude pictures of Hunger Games star Jennifer Lawrence, swimsuit model Kate Upton, 2012 Olympic gold medallist McKayla Maroney, and around 20 other famous women—were posted on 4chan, one of the most popular English-language Internet imageboard communities in the world.

The release of these images has since been named The Fappening, after a subreddit with that name was created for submissions of leaked celebrity nude photos. “Fappening” is a portmanteau of “fap,” meaning masturbation, and “happening.” According to Reddit Metrics, The Fappening gathered more than 50,900 subscribers in its first 10 hours and was the fastest growing subreddit of the day. Mainstream media coverage of The Fappening is calling the incident Celebgate.

Allegations quickly emerged suggesting that the images contained in The Fappening had been stolen through a breach of Apple’s iCloud service, which allows users of iPhone, iPad, and Mac devices to synchronize data, including images, between devices and to store their content online. One popular theory posited that a hacker tool called iBrute was used to conduct a brute force attack—repeated attempts to enter a system by trying every possible password—on Apple’s Find My iPhone service. Once Find My iPhone is breached, hackers can gain access to information in their victim’s iCloud account. Apple now limits users to five password attempts on the Find My iPhone service, effectively neutralizing iBrute.

While it has yet to be confirmed that The Fappening resulted from a breach of iCloud, Apple issued a statement stating that it is “actively investigating this report.” Jumping on the ambiguity bandwagon, the FBI released a statement that the Bureau “is aware of the allegations (and) is addressing the matter.”

Several dozen Twitter users have had their accounts suspended for posting pictures from The Fappening, and reposts of The Fappening on forums and file sharing sites are being systematically taken down.

The response from celebrities exposed in The Fappening has been varied. McKayla Maroney claimed the photos were fake, although she now claims to hold their copyright; Mary E. Winstead tweeted that she’s “going on an Internet break”; and Jennifer Lawrence has threatened legal action against anyone who publishes her photos from The Fappening.

Attempts are also being made to do some good with the attention surrounding The Fappening, with one Reddit thread urging Redditors to donate to the Prostate Cancer Foundation (PCF), claiming that actress Jennifer Lawrence had donated to prostate cancer research in the past. To the eternal glory of the Internet, Redditors posted links to research that showed that “fapping” may also help prevent prostate cancer. At one point “Reddit The Fappening” was the top fundraiser for the foundation. However, the PCF turned down the donation, saying that they “would never condone raising funds for cancer research in this manner.” The PCF said that all donations made because of The Fappening would be returned.

Redditors also set up a page to donate to Water.org, but they, too, were not interested in money raised through The Fappening, and the donation page was immediately closed.

Whatever your personal views about The Fappening, the situation once again raises concerns about the safety of our personal information in a connected world. Today we carry devices that allow us to capture and share all kinds of information, and we certainly have the greatest burden of responsibility in governing and curating our content. But what about the services that connect us and handle our information—Apple, Google, Microsoft, Facebook, Twitter and so many more? In exchange for their service we allow them—sometimes unknowingly—to inspect, filter and record our data, for periods stretching long after we ourselves have deleted our content, possibly forever.

These companies all offer statements about the security of their services, but there is little consequence to them when their claims are repeatedly proven untrue. We don’t know how they manage our data and how it is protected, yet we repeatedly choose to accept their Terms of Service as though we can completely trust them, and even surrender our ability to seek damages when they fail to live up to our trust.

How do we balance the rewards with the risk of living in a connected world? Tell us in the comments.