Partner Article
The protection of digital assets - Cloud security
As personal devices offer increasing functionality and become increasingly embedded in individuals’ daily lives, it seems inevitable that people will digitally capture ever more of their private life. The celebrity iCloud leak (involving numerous high profile figures) has demonstrated this point.
Increased use of enhanced functionality, such as digital camera video content, has fuelled greater consumer demand for solutions that expand data storage capacity beyond that provided by their physical device. By offering public cloud solutions, businesses are able to meet this market demand via an efficient, scalable, and low-cost model that increases the amount of consumer data that is accessible from a device by storing it in the cloud.
However, there remains a widespread lack of awareness as to the risks posed by storing data in the cloud. Many individuals fail to understand that backing up to the cloud means their data is stored somewhere other than on the physical device on which they created it, and that low-cost public cloud solutions may provide weaker security protections and fewer options for recourse.
The Leak Itself
The celebrity iCloud leak is thought to have originated from the online deviant forum “AnonIB”, an offshoot of the image-based bulletin board “4chan”. AnonIB’s “/stol/” board is noted for serving as a global meeting hub for skilled hackers who acquire and share stolen pornography, fostering an underground trading ring in which stolen celebrity photographs are traded between individuals in return for other celebrity photographs and/or bitcoins.
Apple has suggested that the leaks did not arise as a result of vulnerabilities in their iCloud system, but instead derived from a “targeted attack on user names, passwords, and security questions”, namely by hackers:
- determining whether a username was active using Apple’s iForgot password reset form;
- for active usernames, either:
  - guessing passwords or security questions: (i) based on factual information, or (ii) that take a generic form (such as “123456”); or
  - using specialist “brute-force” password-cracking tools (which attempt all password variances until the correct password is found) to obtain the relevant password; and
- either:
  - simply logging into the user’s iCloud and downloading the relevant photographs; or
  - impersonating the user’s device using a forensics recovery tool, and downloading the device’s full backup (containing videos, application data, text messages, and contacts).
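From the service provider's side, each of the three stages above leaves a trace that can be correlated. The following is an added example, not part of the original article and not Apple's own logic; the event names, thresholds, account names and sample events are all constructed assumptions.

```python
from collections import defaultdict

WINDOW_S = 600       # sliding window in seconds (assumed threshold)
ENUM_ACCOUNTS = 5    # distinct accounts probed via the reset form per source (assumed)
FAILED_LOGINS = 10   # failed logins against one account (assumed)

def detect(events, known_devices):
    """events: time-ordered (ts, source, kind, account, device) tuples."""
    probes = defaultdict(list)    # source -> [(ts, account)] reset-form lookups
    failures = defaultdict(list)  # account -> [ts] failed logins
    guessed = set()               # accounts that crossed the failure threshold
    alerts = []

    def raise_alert(kind, subject):
        if (kind, subject) not in alerts:
            alerts.append((kind, subject))

    for ts, source, kind, account, device in events:
        if kind == "reset_lookup":      # stage 1: is this username active?
            probes[source] = [(t, a) for t, a in probes[source] if ts - t <= WINDOW_S]
            probes[source].append((ts, account))
            if len({a for _, a in probes[source]}) >= ENUM_ACCOUNTS:
                raise_alert("username_enumeration", source)
        elif kind == "login_fail":      # stage 2: guessing or brute force
            failures[account] = [t for t in failures[account] if ts - t <= WINDOW_S]
            failures[account].append(ts)
            if len(failures[account]) >= FAILED_LOGINS:
                guessed.add(account)
                raise_alert("password_guessing", account)
        elif kind in ("login_ok", "backup_download"):  # stage 3: access from a new device
            new_device = device not in known_devices.get(account, set())
            if new_device and account in guessed:
                raise_alert("suspected_takeover", account)
    return alerts

def sample_events():
    """Constructed events for illustration, not real logs."""
    ev = [(i, "203.0.113.7", "reset_lookup", f"user{i}", None) for i in range(6)]
    ev += [(10 + i, "203.0.113.7", "login_fail", "user3", None) for i in range(12)]
    ev += [(30, "203.0.113.7", "login_ok", "user3", "dev-unknown"),
           (31, "203.0.113.7", "backup_download", "user3", "dev-unknown"),
           (40, "198.51.100.2", "login_fail", "user9", None),
           (41, "198.51.100.2", "login_ok", "user9", "dev-9")]
    return ev

KNOWN = {"user3": {"dev-3"}, "user9": {"dev-9"}}  # constructed device registry

if __name__ == "__main__":
    for alert in detect(sample_events(), KNOWN):
        print(alert)
```

The single mistyped password followed by a login from a registered device (user9) raises nothing; only the combination of many failures and a previously unseen device is flagged as a suspected takeover.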
Legal Considerations
There are a number of legal points which must be considered in respect of a breach of this sort:
- Cloud Terms: cloud terms to which consumers have to sign up tend to be heavily supplier-biased and non-negotiable due to the “one-to-many”, low-cost and highly-scalable nature of public cloud solutions, in turn leaving affected users with little recourse against suppliers. This is especially true in relation to:
  - security: there are often no: (i) valuable clauses or service levels accounting for detection, reporting, and management of security breaches, or (ii) terms allowing users to check suppliers’ handling practices, in each case leaving consumers with little to rely on to ensure suppliers promptly inform them of, and resolve, any potential breach;
  - intellectual property: most commonly the consumer will continue to own all data (and the intellectual property rights in it), and will license it to the supplier. However, this only reconfirms consumers’ ownership of content they have created, and the complexity and cost of seeking to enforce such rights on a potentially global basis may mean these terms are of limited use;
  - liability: as cloud services are provided for little or no money, suppliers tend to disclaim all liability under cloud agreements or, where not possible, limit this to only the amount paid by the consumer for such services. Even if a consumer was able to bring a claim against a supplier under a cloud agreement, the amount recoverable would be so negligible that it would not be cost-effective to bring such a claim;
- Data Protection: section 4(4) of the Data Protection Act 1998 requires the data controller to comply with certain principles, including ensuring that appropriate technical and organisational measures are taken against unauthorised or unlawful processing, or accidental loss, of personal data. In the event of a breach, the UK Information Commissioner’s Office may levy significant fines against the breaching data controller, with such fines increasing as greater amounts of personal data are acquired by hackers;
- Breach of Human Rights: the Human Rights Act 1998 provides a “right to respect for private and family life”. Further to recent case law, including Max Mosley v News Group Newspapers Ltd, the Courts have held that there would have to be a very high public interest to justify any publication of private photographs. There are, however, limits to this cause of action, including a reluctance to grant injunctions when a photograph becomes so widely publicly available (for example, as a result of re-posting and re-tweeting) that such grant would be futile;
- Breach of Confidence: this can be used to prevent disclosure of personal information (including details of sexual conduct disclosed to a friend) provided that such information was imparted to the defendant in circumstances that import an obligation of confidence;
- Copyright: the first owner of copyright in a photo will usually be the person who takes it and, therefore, each time the photo is posted online and shared by individuals other than the owner it will: (i) be copied, and (ii) infringe that copyright. Internet service providers and social media website operators may also copy the photo as part of providing their service, and may also be liable for copyright infringement unless they fall within certain defences provided under the Electronic Commerce Regulations 2002. The Court may award damages, or more likely grant an injunction compelling the website operator to take down the photo (provided the service provider has actual knowledge of another person using their service to infringe copyright).
- Other Causes of Action: these include:
  - if a photo is published without authorisation in a way that suggests the subject of the photo endorses a product, the “tort of passing off”; and
  - if the photo is posted online in a derogatory manner that is likely to harm the reputation of the subject, defamation.
Practical Considerations
Prevention is better than cure, and users should therefore consider the following practical steps to protect their information from the outset:
- strengthening passwords by using longer alphanumeric codes that cannot be associated with the user;
- choosing random answers to security questions;
- enabling 2-factor authentication, which adds a second layer of security that applies the first time an account is accessed using a new device; and
- backing up particularly sensitive data to either: (i) internal memory, or (ii) to private cloud solutions, rather than relying on default public cloud backup solutions (such as iCloud).
The Future
With an increase in data hacks, including this celebrity iCloud leak, it is possible that the security applied to data stored using public cloud solutions will be subject to greater scrutiny and consequently improved. However, this improvement is likely to be marginal given the economics of providing a low-cost solution to consumers and the cost of implementing and maintaining robust security controls; although we will undoubtedly see a rise of more secure services targeted at persons who are willing to pay more.
Another possibility is that a change in law may take place in the near future, with stronger Data Protection Regulations being forecast to apply across Europe in 2015 and a potential standardisation in cloud terms to offer a more balanced consumer agreement. The combination of these laws may force businesses to comply with a higher standard of data security, and therefore result in a more beneficial position for consumers using cloud solutions.
Andy Moseby
Kemp Little LLP
This was posted in Bdaily's Members' News section by Kemp Little.