By now we all know a hacker accessed the personal iCloud accounts of dozens of A-list celebrities and leaked nude photos of stars such as Jennifer Lawrence, Kate Upton, Kirsten Dunst, and Victoria Justice. The anonymous hacker[s] posted the nude images first on 4Chan, but, the photographs spread quickly and went viral.
This cyber-incident has sparked a significant debate on various topics, ranging from our privacy laws, to speculation over who may have committed this deplorable act, to emotionally charged disagreements over whether the celebrities themselves should bear some of the blame. The scattershot debate has left the average person wondering “what does this mean for me?” and “what can I do to protect myself?” Below are three takeaways everyone should consider.
1. You Can’t Un-Ring the Bell
Unfortunately, for individuals who find their embarrassing moments, confidential information, or indiscretions strewn across the Internet, there is little hope of putting the genie back in the bottle. As much as we talk about the Internet as a singular object, it is in an amalgamation of millions of computers, servers, and websites, all controlled by different people located across the globe. As a result, the Internet has a long memory that is impossible to erase.
…there is little hope of putting the genie back in the bottle.
Compounding these structural difficulties is a cultural/legal mindset in the U.S. that generally values the free flow of information over personal privacy. The First Amendment allows the free flow of information, while relying on tort law, primarily libel, and invasion of privacy, to protect individuals’ rights. Search engines and Internet providers enjoy robust protections from liability for the content they provide unless they have direct knowledge it is false or violates copyright law. As a result, individuals cannot realistically seek redress against the thousands of websites that may contain embarrassing information and are stymied by various protections preventing the public from forcing the large content providers to block access to embarrassing content.
There is, however, a ray of hope for those who want greater privacy protections. In contrast to the U.S., the European Union and its member nations have chosen to follow a path where the privacy rights of individuals receive greater protections. Following a landmark decision by the European high court earlier this year, numerous search providers must consider individuals’ requests to remove links that they say infringe on their privacy. The decision has resulted in what is commonly referred to as the “right to be forgotten” movement. Currently, each nation in the E.U. has a data protection agency through which citizens can appeal for help in erasing their online histories. Whether the “right to be forgotten” movement takes hold in America remains to be seen.
2. The Law Offers Little Solace
For anyone looking to the courts for justice, they will likely find that the patchwork of 50 divergent laws and the absence of comprehensive federal legislation render an adequate judicial remedy a long shot at best.
Putting aside the breadth of the state and federal laws, there are several initial obstacles that must be overcome before one could consider legal action. First and most obvious is the inability to identify who stole or released your information. Hackers work in the shadows of the Internet, adopt catchy “street names,” and take extraordinary steps to hide their location. Even if the hacker can be identified, there are significant jurisdictional limitations that constrain cybercrime prosecution or litigation.
…it is very difficult to determine where a cybercrime was committed because the perpetrator, the victim, and the data at issue may be located in different jurisdictions.
The legal concept of jurisdiction involves territory, with the reach of a law being limited by the boundaries of the state or country. Thus, to apply a particular state law, the crime or tort must have occurred within the territorial boundaries of that state. Unfortunately, it is very difficult to determine where a cybercrime was committed because the perpetrator, the victim, and the data at issue may be located in different jurisdictions. This raises many questions, which largely remain unanswered: Where did the crime occur? Which state has jurisdiction over the crime? And, where is the hacker subject to personal jurisdiction?
These issues have sparked a push for comprehensive federal legislation governing cyberattacks, data breaches, and victims’ rights. Due to deep philosophical divisions in Washington, D.C., however, this much-needed legislation has failed to make any serious progress. Currently, hacking victims can invoke the Communications Decency Act of 1996 (“CDA”), but the CDA is drafted in a way that protects service providers and website operators more than the public. Section 20 of the CDA states that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Therefore, unless the provider, for example 4chan, was directly involved in the hacking and release of the racy photographs, it is not liable for damages.
Until the laws are updated, a criminal and civil remedy appears elusive.
3. Don’t Look to Your Cloud Provider
Much of the anger resulting from the celebrity hacking scandal has been directed toward “big Internet companies” generally, and Apple specifically. The arguments rest on the assumption that if the celebrity photographs were taken from a cloud, the operator of the cloud must be responsible. While this position holds a certain simplistic charm, it is unlikely to carry the day in court.
Although the exact method used by the hackers has yet to be identified, the response from Apple has been both swift and consistent with the position adopted by other cloud providers. Apple has vigorously denied its systems have been compromised and suggests the hackers accessed the accounts after obtaining the celebrities’ email and passwords. The implication of this argument is to suggest the celebrities’ computers were hacked, not Apple’s iCloud servers. As the party bearing the burden of proof in a civil trial, the celebrities will need to refute Apple’s argument by demonstrating how the hack occurred and that the hack could not have occurred but for an issue with Apple’s security protocols. This will be no easy task.
…if the celebrity photographs were taken from a cloud, the operator of the cloud must be responsible. While this position holds a certain simplistic charm, it is unlikely to carry the day in court.
Even if the celebrities manage to establish the hacker’s method, the ability to obtain any meaningful compensation will be severely limited by their cloud service agreements. Cloud providers often limit direct damages by capping the aggregate dollar amount for all claims under the service agreement. In the case of Apple, its cloud service agreement—which is ignored by most users—states that Apple cannot be “LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES… .”
With little ability to undo the damage caused by an embarrassing data breach, nearly insurmountable obstacles precluding a civil/criminal prosecution, and a cloud service agreement rendering a contract action against the provider illusory—what is the average person to do? The answer is as unsatisfying as it is simple. Keep your most confidential, valuable, and embarrassing items in a location that is not accessible to the Internet.