The hack of celebrity nude selfies raises some interesting questions, most notably: who is responsible for the last 10% of effort required to fully secure someone’s data?
It seems that the hack of the files was a combination of phishing and the exploitation of weaknesses in Apple’s iCloud photo backup. Weak passwords and user gullibility played a part in the compromised data making its way onto 4chan, but don’t we always blame the user for weak passwords, or for not having taken sufficient care to protect themselves?
Comedian Ricky Gervais was castigated on Twitter for daring to joke about not putting your naked selfies onto cloud storage. Granted, hacking into personal accounts is a violation of the person that goes beyond the material exposed, and we should sympathise with the victims. But should we expect more of users when it comes to security online?
First of all, since when are users supposed to be experts at this stuff? Why do we expect them to sign up for all of our services and apps, and then tell them to be better at password usage and self-protection?
We want them to expose more of themselves, and then we get irate when they don’t have great passwords or aren’t better at figuring out how everything should be secured online.
This is a fundamental user experience issue, and the answer is that the people who build software are going to have to get a lot better at security, and even better at making their users better at security.
We cannot expect users to be cyber savants or password obsessives, or to devote a significant portion of their time to self-preservation. That is just not how we work. We expect quick conversions and the shortest path to an online account, and that leaves very little room for engagement on security education.
Nor should it be a problem to tell users that their data is never truly secure. Perhaps online applications over-promise and under-deliver on what they can do to protect the user.
What is obvious is that we are trying to corral as many people as possible into our services, and we want more of their information and personal data. It is the lifeblood of online success. We expect our users to give us more and to trust us.
Frankly, it is untenable, because that is an awful lot of users, an awful lot of data, and too many lines of code to verify and secure.
Our appetite for enormous services that connect hundreds of millions of people is going to create massive single points of failure. That seems logical.
A stress fracture in a car that results in an accident has a different impact than one in an airplane or a cruise ship. That is why, despite the statistics, a failure that results in a plane crash is overwhelming compared to one that results in a car accident. We fear flying but not getting into a car, even though we are far more likely to be in a car accident.
Online, a single stress fracture can bring down a huge number of people at once. The 2013 Target breach exposed around 40 million payment card records and personal data on up to 70 million customers.
Ironically, we tend to forgive online catastrophes because, well, they are so virtual. They seem like ethereal problems. There are real consequences, but mostly we chalk it up to inconvenience: change your password, set up a new account, and so on.
However, that only delays an inevitable situation in which the consequences may be really painful. We are handing more of our own decision making over to applications, and these applications are not fully tested against every situation and possible fault scenario.
The reason Microsoft Windows has the Blue Screen of Death (BSOD) is not that Microsoft is bad at building an operating system. It is that there are millions of lines of code and an effectively infinite number of usage permutations that cannot all be tested and accounted for.
You get a BSOD on your laptop, and you reboot. I wonder what the BSOD of the Internet will look like. It certainly won’t look like a nude celebrity selfie.
Users are not responsible for what happens next. They cannot be expected to act as a frontline defense online. It is unreasonable, and unworkable.
Omid Rahmat has more than 20 years’ experience in senior management at high tech companies, having held executive positions in both Europe and North America. His company, Burnside Digital, is a leader in Agile development services and training programs. He currently resides in Southern California with his family, where he publishes BreakingMuscle.com and TGDaily.com and develops software applications for digital media companies.
(Image Credit: Adam Fagen)