
Parody screenshot of a phone with poor security

In case you're wondering, the missing line says "areyoukiddingmewhatseriously?" It's not my password.

As any celebrity – and certain governments and law firms – will tell you, there are risks as well as benefits in being connected to publicly accessible networks.  Individuals and collectives such as Wikileaks, Anonymous and LulzSec have embarrassed the US government, the law firm ACS:Law, and now Scarlett Johansson and Jessica Alba by exposing their private, err, “data” online for public consumption.

This is not a new phenomenon, but still far too few of us take data theft and cyber (or “digital”, if the word “cyber” scares you) threats seriously.  Perhaps it’s because we don’t really understand them.  Hacks happen for different reasons – which is perhaps the best insight into how to prevent them in the first place – different targets experience different damages, and different victims have different tools at their disposal to try to fix what has gone wrong.  For example, leaks of government data are often carried out in the name (or at least under the pretense) of civil rights and accountability; disclosures of usernames and passwords, credit card details, and private photos, on the other hand, are often carried out opportunistically to humble a giant or for no more than prurient voyeurism.

The US government has responded to Wikileaks in its own way, but actions by celebrities usually follow a different, and by now predictable, routine:

  1. Celebrity has something, be it a voice mail or a photograph or video, on a device that is connected, at least some of the time, to a network which can be accessed by the general public;
  2. Member of the public uses his or her knowledge of IT systems and of the celebrity to access that device and to copy the private data.  In some cases (e.g. the News of The World phone “hacking” scandal), all that is required is for the “hacker” to punch in a default passcode to access the device’s secrets.  Other times, an educated guess at how to answer the security questions (date of birth, ZIP code, where you met your spouse) will be enough, as was the case when Sarah Palin’s Yahoo! email was hacked;
  3. Celebrity finds out about the hack after it has gone public, and their lawyers write cease and desist letters to everyone involved, alleging that the data in question was obtained in breach of privacy or confidence and that the celebrity owns the copyright in the work.

The strategy has worked as well as can be expected for individuals.  (It’s a non-starter for the US Government since it cannot assert copyright in its own works.)  Most websites take the materials down without much argument as they don’t want to fall foul of the DMCA in the USA (see 17 U.S.C. §512 especially) or the E-Commerce Directive in Europe (see Article 14 especially), which could leave the site’s owners liable for damages awards that would easily bankrupt them.  Of course, the fact that you’d never be able to trace a bank account for many of these websites, even if you could assert jurisdiction over their owners, is the same whether you allege copyright infringement or some other tort.

But aside from that, I wonder has anyone ever ignored these cease and desist letters and got so far as to argue in front of a Judge either: that an image whose photographer simply pointed the camera at some part of their anatomy and pressed a button lacks sufficient originality to warrant copyright protection; or that there is a fair use defense?  The damage to any person’s privacy would weigh heavily against the alleged “fairness” of any use of private pictures or videos, but I wonder has it ever been argued?  Maybe only pro se?  If the copyright argument was no longer considered watertight, would we see celebrities forum shopping throughout the US, to take advantage of the most generous unpreempted State law of privacy and widest injunctions against ISPs?  It’d be interesting to find out.

Of course, no-one wants to spend their life worrying about what might (but most likely won’t) happen to their personal information, but even the following basic measures will put you in far better stead if someone does want to hack you.

  1. First, if you really cannot do without keeping something secret on a device connected to the Internet, use your own passwords and not the factory defaults;
  2. Second, give wrong answers to your “forgotten password” questions.  Anything from misspellings to opposites might be just enough to frustrate the hacker or, after enough wrong answers, to prompt your service provider to temporarily block access to your account;
  3. Third, move sensitive material off connected devices whenever possible;
  4. Fourth, don’t use the same password for connected accounts.  For example, if a hacker accesses your LinkedIn account and finds links to your Facebook and Twitter accounts, you can guarantee they’ll try them, starting with the password they just used to access your LinkedIn account.  So you’ll end up being hacked three times instead of just once; and
  5. Fifth, remember – if it’s easy for you, it makes it easier for the hacker.

The bottom line is prevention is better than damages, since even the finest legal remedies can’t put every cat back in the bag and force everyone to forget about what they have read or seen.  Much better to take practical steps to avoid being in this position in the first place, than to have to remain “unavailable for comment” until the whole episode blows over.  Mind you, “no comment” would have been a better response than the one Rep. Anthony Weiner hastily adopted earlier this year.  He didn’t even need a hacker to expose himself all over the Internet (he sent a public instead of a private tweet), and lying about it afterwards cost him his job, and has now cost the Democrats a previously safe seat.  He doesn’t tweet anymore (at least, not publicly).