I’m warming to this new Commissioner

The German politician was named as the next digital chief on September 10, and immediately found himself under fire for stating that celebrities who had their naked photos stolen and posted on the internet were “stupid”.

“The fact that recently there have been an increasing number of public lamentations about nude photos of celebrities who took selfies – I just can’t believe it,” he said.

“If someone is dumb enough as a celebrity to take a nude photo of themselves and put it online, they surely can’t expect us to protect them.

“I mean, stupidity is something you cannot – or only partly – save people from.”

Agreed the job shouldn’t exist, the institution shouldn’t exist, but if both are to then why not have someone sensible doing it?

116 comments on “I’m warming to this new Commissioner”

  1. The problem with this stance is that it comes across as “victim blaming”, even if it expresses an important truth. Putting compromising pictures on the cloud probably exposes you to greater risk from hackers than storing physical copies of them in your house risks a burglar getting hold of them. And if you’re a high value target you can expect more people will target you. Authorities can’t protect someone from having a weak password.

    But without losing accuracy, he could have rephrased what he said to state that many celebrities had shown a lack of basic security education, which made it difficult for the EU or anyone else to protect them, but that the hackers themselves are scum on whom the moral blame lies and authorities should take every step to identify and prosecute. I think that would get the balance about right, though no doubt there are still some people who would class that as blaming the victims because it mentions the advisability of people taking steps to protect themselves…

  2. “If someone is dumb enough as a celebrity to take a nude photo of themselves and put it online, they surely can’t expect us to protect them.”

    And what if someone took a nude photo, put it in a safety deposit box and someone broke in and stole that box? Would we expect to protect people then? What’s different about an online locker to a real one?

  3. I am struck by how on this issue, as so many others, all sides seem to come out with nothing but stupid. On the one side we’ve got the Feminists claiming that stealing the selfies is a hate campaign against women by Teh Patriarchy, which it isn’t. And on the other side you’ve got people saying, “it’s their fault they were stolen”, which is equally untrue.

    The selfies were in cloud storage of various types. Many nerds consider this unreliable in terms of security, but average punters just use it and expect that stuff which is private will remain private. The photos were not published online. They were stolen.

  4. And what if someone took a nude photo, put it in a safety deposit box and someone broke in and stole that box? Would we expect to protect people then? What’s different about an online locker to a real one?

    Because an online account isn’t anything like the equivalent of a safety deposit box. In practice, it is far closer to printing your nuddy pics as postcards and sending them through the mail.

    Anybody in the know / industry who is willing to break a few rules / laws will be able to get access.

    Hence, amongst other things, the existence of this nym.

  5. SE,

    “Because an online account isn’t anything like the equivalent of a safety deposit box. In practice, it is far closer to printing your nuddy pics as postcards and sending them through the mail.”

    No, that’s the transmission of the pictures, which is incidentally far safer than sending through the post as it would be encrypted.

    “Anybody in the know / industry who is willing to break a few rules / laws will be able to get access.”

    OK, as you know so much, how do you breach the security of iCloud?

  6. I’m not exactly overwhelmed by this whole nude celebrity stolen pics thing. In fact, I couldn’t give a shit at all.

  7. Stigler, as I best understand it, the majority of the photos were on accounts with passwords that were (as an example) the highly public people’s birthdays. As such, they were as good as published online. You cannot easily protect such people from the consequences of their own idiocy although one can make mandatory “hard” passwords… and put up with the constant stream of people trying to remember passwords.

    The other part to consider is that these photos were indeed actually supposed to be discovered. Part of the cult of celebrity is publicity and this gives them plenty of “sympathetic” (although I’d leave off the “sym” part myself) publicity. With these people, nothing is too stupid or foolish to be outside the possibility of just another publicity stunt.

    I, for one, have zero, zip, nada, concerns for these people at all. As for their faux emotional reactions, it’s all a game to them anyway, it’s ALL a game. So don’t play and ignore them.

  8. It’s the same as the NSA and Snowden; it’s the same as Tiny Rowland accusing Al-Fayed of breaking into his safety deposit box at Harrods. Your secrets/valuables are only safe insofar as you trust the guardians. Smartphone users trusted Apple, just as the NSA trusted Snowden and all his colleagues.
    Moral of the story: even smart people working with good systems make mistakes. And if something is valuable enough, that safe will be broken into.

  9. I’m inclined to agree with My Burning Ears.
    I think it’s stupid to say it’s stupid to transmit or store sensitive data online. I don’t think this kind of unnuanced view is what we want from a ‘digital commissioner’.
    I don’t think ordinary people are necessarily stupid for trusting Apple – it’s not a fly-by-night operation, it has a fairly good reputation, it’s a trusted brand and whatnot. Some people might not have realised/understood the photos were being backed up to iCloud. If it’s true that the celebs were fooled by phishing, well a lot of people have fallen for that – again not necessarily stupid, gullible perhaps, and maybe a digital commissioner would like to release some information about how to mitigate the risks from that. If it was brute force guessing, a digital commissioner might like to advise the public and companies how to mitigate the risks from that. There are some popular companies that haven’t made their services as secure as they could and ordinary people aren’t necessarily au fait with up-to-date security or where those particular companies fall down. Perhaps a digital commissioner should take a more educational/helpful stance.

  10. The Stigler

    “..use a safety deposit box.”

    How about “they went and put it in the library under smut”; the really secure part of the library that is, the room that had a key on the door and said “private”..

    “OK, as you know so much, how do you breach the security of the locked room in the library that says private?”

    Locksmith.

  11. All the corporations are heavily pushing “cloud” storage at the moment, as are most of the tech journalists and media. It is not an act of stupidity to use it.

  12. Many ages ago, when dinosaurs walked the earth, users who logged on to the internet-that-came-before-the-world-wide-web had a saying: “Information wants to be free”
    Any information, stored anywhere, in any format will propagate.
    If you don’t wish it to – don’t create it. Don’t store it.

  13. Ian B

    “All the corporations are heavily pushing “cloud” storage at the moment, as are most of the tech journalists and media. It is not an act of stupidity to use it.”

    Ian, why?

    I don’t care too much that corporations are pushing it, and particularly those with commercial vested interests.

    I am always reminded of that advice: when someone says cloud, always think “someone else’s computer” before you take any decision. I.e., what are the precautions one might take before putting that content on someone else’s computer.

  14. Ian B – “All the corporations are heavily pushing “cloud” storage at the moment, as are most of the tech journalists and media. It is not an act of stupidity to use it.”

    I have a hard time reconciling the second sentence with the first sentence. Surely there is a stray “not” in that second one?

    It is wrong to blame people for thinking their storage would be safe. It is not wrong to blame celebrities for using passwords based on things like their birthdays or their pet dog’s name (as Paris Hilton did – speaking of which, the leaking of her sex tape was a much more serious crime and yet no one was charged). That is just dumb.

    However the real question is, if you back something up on the Cloud, who ultimately owns it? As TW is inclined to point out, if it is free, you are the product. Why does Apple want people to use the Cloud? They are selling something.

  15. MBE: …but that the hackers themselves are scum..
    Agreed
    ..on whom the moral blame lies…
    Agreed
    …and authorities should take every step to identify and prosecute.
    Ah. A pity. Why should the rest of us employ and pay for investigations and prosecutions of these people who may certainly be disagreeable but they are opportunists rather than vicious criminals.

    Also, every step really strikes me as being a good many steps too far. What’s more, there’s not room enough in the Ecuadorian embassy for all the drooling hackers.

    As to the victims (and they are victims), as with ‘victims’ of hate porn (and they really aren’t victims) what did they think they were doing? Can anyone tell me the point of a nude picture of oneself? Is this some form of extreme vanity or a proclivity for unimaginative lovers?

  16. Another complication with the cloud is the legal issues about which jurisdiction the stored data falls under. You can be pretty certain that if it is a service provided by an American corporation the US Government can demand access to it wherever it is stored in the World. Even the most libertarian minded corporation is going to hand it over, when the alternative is executives doing serious jail time. There has been a legal judgement on this in the States IIRC. OK that’s a different level of threat to a private hacker, but you have to assume that anything you put in the cloud can be read by the US Government and the Government of the country in which it is stored.

    But for most people though I think by far the biggest threat is their data might be lost. I don’t mean this week, or even next year, but will it be there in say twenty years when companies/corporations have gone bankrupt/merged etc. Or just plain incompetence. There are already precedents for this. My advice is if it’s photos put hard copies in an album, or be sorry.

  17. Ed Snack,

    “Stigler, as I best understand it, the majority of the photos were on accounts with passwords that were (as an example) the highly public people’s birthdays. As such, they were as good as published online. You cannot easily protect such people from the consequences of their own idiocy although one can make mandatory “hard” passwords… and put up with the constant stream of people trying to remember passwords.”

    No, but you can punish people who take advantage of other people’s stupidity. If you leave the keys in your car and someone steals it, that’s still theft.

  18. > If someone is dumb enough as a celebrity to take a nude photo of themselves and put it online, they surely can’t expect us to protect them.

    So Tim now supports someone who thinks we should have separate standards of law enforcement for famous people. WTF?

    The guy’s a fuckwit. The whole thing about many of these photos (there are different batches) is that the people who took them didn’t put them online. In many cases, the photos had been deleted. The holes that have been revealed in Apple’s security as a result of this are shameful, and this new Commissioner’s statement shows that he is entirely ignorant of that and therefore not fit for his job.

    Accusing the victims of having shit passwords is simply ignorant, since it turns out that, even if you follow Apple’s advice and go for two-factor authentication, Apple’s own systems allow that to be bypassed:

    “Signing into iCloud in order to access say, your backed up photos, does not require two-factor authentication,” mobile security firm Lookout explains in a blog post. “In this case, enabling two-factor authentication would not have helped anyone involved in this latest leak.”
    ….
    Security experts faulted Apple for failing to limit password reset guessing attempts, a defence against brute force hacking tactics apparently in play, among other factors. This is a particular problem for celebs because their answers to password reset questions (eg pet’s name, where did you graduate) are the stuff of trivia.

    So you could choose a fucking excellent password and 2FA, and Apple’s systems would allow hackers to trigger password resets easily and to bypass the 2FA.

    And, look, if someone snuck into my house and stole my stuff, would that be OK if it turned out my door wasn’t locked? Would a senior politician with responsibility for law enforcement consider saying so? No, obviously not.

    Ed Snack,

    > the other part to consider is that these photos were indeed actually supposed to be discovered. … I, for one, have zero, zip, nada, concerns for these people at all. As for their faux emotional reactions, it’s all a game to them anyway, it’s ALL a game.

    So you know, for a fact, that every single one of the victims deliberately engineered this. Wow.

    How about when tabloid reporters posed as doctors in order to get into Russell Harty’s hospital ward when he was dying of AIDS? That was OK, right, because he was a celebrity? You have, presumably, zero, zip, nada concerns for such people. How brave of you.

    Look, either someone’s a victim of a crime or they’re not. If you want to start saying it’s OK for certain classes of people (classes defined by you, of course) to be victims of crime, you are part of the problem.

  19. @IanB
    “All the corporations are heavily pushing “cloud” storage at the moment, as are most of the tech journalists and media. It is not an act of stupidity to use it.”
    And the guy on the corner’s selling heroin cut with rat poison.
    It’d be stupidity not to use it?
    If one had some information, say revealing pictures of oneself, ones which one would really, really not want circulated but which for some strange reason one insisted on retaining (to get out & look at, once in a while? A question that’s never asked or answered.) one would buy a safe, rent a safe deposit box… Anyone who uploaded them to a storage service for easy access & dissemination (which is the point of cloud storage) should be regarded as clinically insane. Especially if the service they’re using is free to user. For you do, in life, get what you pay for.

  20. Bison,

    > Can anyone tell me the point of a nude picture of oneself?

    Why even ask the question? It’s their body, to do with as they wish.

    But here are a couple of reasons I can think of.

    First of all, if you’re in a line of work where the look of your body matters, you might want to check it from time to time. If you’ve been asked to change your shape or size for a role, you might need to check that. I’m sure all good-looking actresses get asked to do nude scenes constantly, and some do decide to. I imagine they check whether they think they’re up to it first. Some ask for body doubles for nude scenes, again presumably after deciding their own bodies aren’t good enough for the public’s enjoyment. I’d be amazed if some of Jennifer Lawrence’s photos weren’t for the purposes of the X-Men films.

    I’m pretty sure there are a lot of soldiers in Afghanistan right now with nude pictures of their wives or girlfriends back home. I think most people would agree that women sending such pictures to their husbands is actually a rather nice thing to do. If any of those women turns out to be a stunner and her pictures get hacked and distributed, we might see a somewhat different reaction from the public and a different assessment of whether they had it coming cause they were stupid.

    But either it’s wrong or it isn’t. Regardless of what the victim does for a living.

  21. S2,

    “Er, Apple? Free? Seriously?”

    iCloud is free for the first 5GB, paid afterwards. But looking at the prices and considering infrastructure, I don’t know if they’re making much money.

    The main benefit to Apple is tying people in. If you’ve got all your stuff on Apple’s servers it’s going to take more effort to move to Android.

  22. > iCloud is free for the first 5GB, paid afterwards.

    No, iCloud comes with no further charge on top of the extortionate price of the hardware for the first 5GB. They’re not giving it away, as can be clearly seen from their annual profits.

  23. S2,

    Well, OK, not free, included with the phone. But they aren’t making money off the cloud itself, just using it to help keep selling expensive phones.

    That said, the new £399 Mac Mini seems like a pretty good bit of kit for the price.

  24. @“Stigler, as I best understand it, the majority of the photos were on accounts with passwords that were (as an example) the highly public people’s birthdays.”
    Is that true? If so then they were stupid, however if the passwords were cracked by brute force then Apple etc. are responsible for not having delays when people put an incorrect password in.

  25. David,

    Apple had no limit on guesses for security questions when users were trying to trigger password resets. So the strength of the password was effectively immaterial.
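The point made in the comment above, that an unlimited number of guesses at a reset question makes password strength irrelevant, shown as a small simulation. This is an added example, not part of the original thread and not Apple's code; the `ResetGuard` class, the three-failure limit, the one-hour lockout and the sample account data are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import time


class ResetGuard:
    """Throttle for the security-question step of a password reset (hypothetical design)."""

    def __init__(self, max_failures=3, lockout_seconds=3600, clock=None):
        # max_failures=None reproduces the "no limit on guesses" behaviour described above.
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock or time.monotonic
        self._answers = {}        # account -> (salt, digest of the enrolled answer)
        self._failures = {}       # account -> consecutive wrong answers
        self._locked_until = {}   # account -> clock value at which the lockout ends

    @staticmethod
    def _digest(answer, salt):
        # Normalise case and whitespace, then store only a salted, stretched hash.
        normalised = " ".join(answer.lower().split())
        return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 50_000)

    def enroll(self, account, answer):
        salt = os.urandom(16)
        self._answers[account] = (salt, self._digest(answer, salt))

    def check(self, account, answer):
        """Return 'ok', 'wrong' or 'locked' for one submitted answer."""
        now = self.clock()
        if now < self._locked_until.get(account, float("-inf")):
            # During a lockout even the correct answer is refused.
            return "locked"
        if account not in self._answers:
            return "wrong"
        salt, expected = self._answers[account]
        if hmac.compare_digest(self._digest(answer, salt), expected):
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if self.max_failures is not None and count >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = 0
        return "wrong"


def replay(guard, account, answers):
    """Feed a sequence of submitted answers to the guard and collect the outcomes."""
    return [guard.check(account, a) for a in answers]


def demo():
    # Constructed sample data: the account, its answer and the submissions are made up.
    submitted = ["rex", "fido", "bella", "max", "Biscuit"]
    now = [0.0]                      # fake clock so the run is deterministic
    clock = lambda: now[0]

    unlimited = ResetGuard(max_failures=None, clock=clock)
    unlimited.enroll("alice", "biscuit")
    limited = ResetGuard(max_failures=3, lockout_seconds=3600, clock=clock)
    limited.enroll("alice", "biscuit")

    no_limit = replay(unlimited, "alice", submitted)
    with_limit = replay(limited, "alice", submitted)

    now[0] = 3601.0                  # the lockout window has passed
    after_lockout = limited.check("alice", "biscuit")
    return no_limit, with_limit, after_lockout


if __name__ == "__main__":
    for label, result in zip(("no limit", "3 failures", "after lockout"), demo()):
        print(label, result)
```

A lockout keyed on the account lets anyone who knows the account name block the owner's own reset, so a real service would pair it with owner notification or a second recovery channel.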

  26. Stigler,

    > Well, OK, not free, included with the phone. But they aren’t making money off the cloud itself, just using it to help keep selling expensive phones.

    Sorry, this is nonsense. They’re a hardware firm and record company. Everything they do is to sell hardware and to sell MP3s. You could as well say that they make a loss on iTunes because it’s free to download, or on iOS because they provide free OS updates to existing users.

  27. S2,

    Well, in and of itself, are they? I doubt it. They make money because it’s part of a bigger service, like McDonalds don’t make money from providing toilets, but if they don’t provide toilets they won’t sell as many burgers.

  28. How about when tabloid reporters posed as doctors in order to get into Russell Harty’s hospital ward when he was dying of AIDS?
    That reminds me of all the NHS data losses, e.g. missing files, memory sticks etc or computers sold on eBay, and illegitimate accesses, e.g. journos/investigators socially engineering access to medical records of well known people. I suppose patients are “stupid” for allowing medical staff to write things down…

  29. Mr Bison:

    Ah. A pity. Why should the rest of us employ and pay for investigations and prosecutions of these people who may certainly be disagreeable but they are opportunists rather than vicious criminals.

    Well they are certainly criminals. And they’re not opportunists in the same way as a binman who notices naughty pics chucked out in the rubbish and flogs them down the pub would be an opportunist. They are actively seeking out the material, they aren’t chancing across it by happenstance. Vicious is debatable – mercenary sounds more likely, since as I understand it the original idea was flogging off pics for bitcoins – but I don’t think lack of viciousness should be a bar for prosecution. Theft and TWOCing are not particularly “vicious” crimes either. I’m as little inclined to be full of sympathy for a ‘sleb blub story as the next chap, but I can understand that the unauthorised and illegal publication of personal and intimate photos would be very hurtful for someone who has already had to reduce their expectations of privacy.

    Moreover, stories like this make people ever more suspicious of interacting with or adopting technology, in the same way that scare stories about internet spam put a lot of older people off of starting to use email for business or contact with family. Since we generally agree that the educated adoption of technology is a force of social progress (technophobic exceptions belonging mostly either to the Luddite or conspiracy-paranoid schools) then tech crime is a Bad Thing and Something Ought To Be Done about it. That Something including consumer education, not just ridiculing people for being stupidly unaware of stuff currently known (like the deleted photo bug) by only a minority of our techie overlords.

    Also, every step really strikes me as being a good many steps too far.

    In reality, every economist agrees that “the socially optimal level of crime is not zero.” Which sounds a particularly harsh statement if reduced to its equivalent forms (“the economically optimal level of paedophile rape-murders is at least one”; see also Chris Dillow’s probing satire on the optimal number of dead migrants to wash up in the Med) but when put in stark economic terms, there comes a point at which the marginal social cost of the policing/intelligence/judicial/punitive resources required to detect, prevent or punish the next crime, exceed the social cost of the crime.

    To put it mildly, this is not a politically astute thing to admit. So we shouldn’t expect politicians to – why hold them to that impossible standard? I’d rather they threatened to deploy the full range of tools at their disposal, which at least gives a bit of consumer reassurance (Fear Of Crime is an economic bad so best if politicians didn’t stoke it) and if we’re very lucky may even put the occasional spotty teenager off from exercising their curiosity about what happens if you try logging in to someone else’s account.

  30. Ian B, who is not shy to point out feminist bullshit and the like, is bang on.

    Tim is entirely wrong. It’s fine that the commissioner is happy to admit that there’s no defence against stupidity, but before applying that to a case he needs to understand what, if any, stupid was involved.

    This commissioner doesn’t understand what cloud storage is. Given that it’s one of the most significant things he should know to do his job, he’s completely unfit for purposes. If someone with an economics brief made such an error he’d be (rightly) lambasted for it.

    If these people had shitty passwords, then people should point out that they were guilty of having shitty passwords and, as a result, put themselves at risk. But if that’s the case, then it was the shitty passwords that were the problem, not the act of using a mobile phone in a perfectly legal and proper way without engaging the level of skepticism that an educated nerd might.

    If we accept the position that everything that’s accessible via the internet (aka everything that’s on a computer connected to it) is for public consumption, then that’s a bit of a killer blow to a hefty chunk of the modern economy.

  31. Mr Ears:

    thank you for taking the trouble to write so fully. We’re on a fairly similar page over this, I think.

    There’s no question of the criminality of the action and its general grubbiness but at the same time there’s a lack of prudence on the part of the victim in creating the image and gullibility or naivety in storing it beyond their personal control which must make them at least partly complicit in their subsequent embarrassment.

    I’m not convinced by Squander’s reasons for such images being taken and kept but of course there’s no question that everyone has a perfect right to take images of their own body.

  32. So the cloud is free (up to several million photographs).

    Remember the old saying “If you’re not paying for it, you are the market.”

  33. @”Squander Two
    October 17, 2014 at 11:42 am
    David,

    Apple had no limit on guesses for security questions when users were trying to trigger password resets. So the strength of the password was effectively immaterial.”
    Well I suppose if you have a 30-40 character password you are ok. However not using Apple would be a good work around.

  34. Squander Two said: “So Tim now supports someone who thinks we should have separate standards of law enforcement for famous people. WTF?”

    The digital commissioner may have been blunt but people can do more to protect themselves. Celebrities take their own physical security seriously. They appreciate that people may target them. Some have clearly overlooked the security of their digital data and that of their partner. (I have a suspicion that it has generally been the phones and storage of boyfriends that gets hacked.) They didn’t do anything wrong but they did behave naively.

    I am sure that it is easy for people sending pictures to each other to forget that all their data passes through computers that can be accessed by others. As the phone hacking trials are showing, mobile phone network centres are vulnerable targets and I expect cloud servers will be too.

  35. David,

    > Well I suppose if you have a 30-40 character password you are ok.

    No, it would make no difference in this case. It was the password reset security questions that were Apple’s weak point.

    Gareth,

    > I am sure that it is easy for people sending pictures to each other to forget that all their data passes through computers that can be accessed by others.

    No, this is a red herring, as data is supposed to be encrypted. I use Mozy’s cloud backup, and they issue unequivocal warnings that, if you opt to use a password to encrypt your data, and you then lose your password, they literally cannot help you. If the data is encrypted, all they have in your account is a load of zeroes and ones. The idea that storing stuff in the cloud automatically means that that stuff is accessible from other computers is not necessarily true. When it is true, it is an operational decision made by the cloud’s operator.

  36. Ears,

    > if we’re very lucky may even put the occasional spotty teenager off from exercising their curiosity about what happens if you try logging in to someone else’s account.

    I think that’s the salient point. When a senior politician announces that the victims of a given crime are to blame and that authorities shouldn’t bother protecting them, what criminals aren’t going to interpret that as carte blanche?

  37. S2,

    The problem with XKCD’s design is that he calculates it based on characters, but if you’re working with say, 4 random words out of 100,000 words, you’re only looking at 1e20 combinations.

  38. That xkcd cartoon sparked a lot of debate in IT security circles. There are a lot of improvements you can make to his idea, the easiest one being deliberate misspellings such as doubling the third letter of each word or something. A lot of experts out there disagree with his solution, but I find most agree with the problem he identifies, which is my point: if the celebrities (or anyone) were to follow the official password advice, they would end up with a weak and easily hacked password, so it is ridiculous to criticise them for having bad passwords. And a lot of the people making that criticism themselves have shite passwords which they think are strong.

  39. Don’t forget that passwords are often limited to 8-16 characters so having a phrase or combination of words as per XKCD would not be possible anyway for many site log-ins. Which can hardly be the fault of the user…

  40. Why are you all talking about password complexity? A three tries & suspend log-on regimen prevents brute-force password attacks, doesn’t it?

  41. There is no such thing as perfect computer security.
    Anyone banging on about how Apple should have a three tries and suspend rule misses the point – what if some evildoer guesses it first time?
    There is a finite number of possible passwords so the probability of a correct guess on the first or second try is non-zero.
    Incidentally the Cloud is, by definition, online.
    If you don’t want anyone to see the photograph don’t take it in the first place and if you don’t want outsiders to see it don’t store it on a computer.
    Of course it is criminal to hack computers or mobile ‘phones but for as long as corrupt journalists will pay large amounts of money for “scoops” it is going to happen and YES it is stupid to believe “Oh, it won’t happen to me”.
    So Herr Oettinger is right.

  42. Is there any folly or impulse that can be pointed out for what it is – or must nowadays put it in respectful oblique even obsequious comment – always.
    Most of you sound like dills.

  43. ukliberty – “I suppose patients are “stupid” for allowing medical staff to write things down…”

    Patients are stupid to sit by while the government turns what had been private communication between a patient and a doctor into a massively expensive database that can be accessed by pretty much anyone.

    The NHS IT project is the greatest intrusion into privacy for quite some time. And no one is objecting. But yes, people are stupid to think that spotty teenagers inside and outside the civil service won’t be accessing their medical records.

    ukliberty – “I think if you delete your data you have a reasonable expectation that it has been deleted.”

    And yet that never happens. No data is deleted when you delete it. Not on your computer. Not on your phone. Not on the Cloud. It is only over-written when they need the space.

  44. bnis,

    > Why are you all talking about password complexity? A three tries & suspend log-on regimen prevents brute-force password attacks, doesn’t it?

    I’m talking about it in response to those who smugly blame the victims of this crime for having shite passwords.

    As repeatedly pointed out above, Apple were allowing multiple guesses at security questions for password resets without suspending. And security questions are way easier than even the easiest passwords. So Apple blew a huge fucking great hole in their own users’ security.

    Jim,

    > Don’t forget that passwords are often limited to 8-16 characters

    Word of IT advice: Never use sites with such restrictions. The only conceivable reason to have a maximum number of characters in the password is that it’s being stored as is, without being hashed first. That’s inexcusably bad security. Amazing how many companies are still doing it, though.

    john77,

    > if you don’t want anyone to see the photograph don’t take it in the first place and if you don’t want outsiders to see it don’t store it on a computer.

    That’s asinine. Obviously, one takes photos because one does want someone to see them, even if that someone is only oneself. And how do you not store a photo on a computer these days? I suppose you could use film and develop it yourself. Otherwise, either a computer or a third party is going to be involved.

    > YES it is stupid to believe “Oh, it won’t happen to me”.
    So Herr Oettinger is right.

    That’s not all he said, though. What he said, quite clearly, was that authorities shouldn’t bother trying to protect victims of crime if he thinks they’re stupid to have become victims.

    SMFS,

    > Patients are stupid to sit by while the government turns what had been private communication between a patient and a doctor into a massively expensive database that can be accessed by pretty much anyone. The NHS IT project is the greatest intrusion into privacy for quite some time.

    I think you’ve missed the point here. The crime being discussed is stealing people’s private data. It’s stealable whether it’s on a big central database or a large number of small local computers or on paper. Either it’s wrong to steal it or it isn’t. Either the response to victims of such crimes is “It’s your own stupid fault for allowing the data to be recorded” or it isn’t.

  45. Squander Two – “What he said, quite clearly, was that authorities shouldn’t bother trying to protect victims of crime if he thinks they’re stupid to have become victims.”

    Well in all fairness police have largely given up trying to protect victims of crime unless the crime is serious enough. They won’t bother for a stolen mobile phone. They won’t even bother for a house breaking in London these days.

    “I think you’ve missed the point here.”

    I don’t think I have. I made my views on that clear earlier.

    “Either the response to victims of such crimes is “It’s your own stupid fault for allowing the data to be recorded” or it isn’t.”

    Well there is still a Curse on Both Their Houses approach. As I originally said, yes it is a crime and these people, as vile as they are (although I have to warm to someone who goes on national TV and talks about her mortification at her maid discovering her butt plug collection), are victims. On the other hand they are really stupid victims. I can agree that people should not be assaulted. On the other hand, a skinhead who walks into a Pakistani Gay pub, and I guess there must be one or two, is really stupid.

    If Jennifer Lawrence has not figured out that there are hundreds of thousands of young men, some with advanced computer skills, who want to see her naked, and that storing photos of herself naked is a very strong temptation, then she is stupider than I think.

    A relative of mine used to cite that old cliche, never do anything you would be ashamed to see on the front page of a tabloid tomorrow morning. Words to live by.

  46. Squander Two said: “No, this is a red herring, as data is supposed to be encrypted. I use Mozy’s cloud backup …”

    It’s not a red herring, it ties into naivety and picking the right services for your needs. Different cloud providers operate in different ways. If you pick a service where access is recoverable it will be more vulnerable than one that is not recoverable. If you pick a service where access is not recoverable you risk losing that data if you lose access. People *can* take responsibility for where they store their data.

    Squander Two said: “I think that’s the salient point. When a senior politician announces that the victims of a given crime are to blame and that authorities shouldn’t bother protecting them, what criminals aren’t going to interpret that as carte blanche?”

    The digital commissioner has not been quoted saying anything like this. He has said we can’t fully protect people from their own stupidity. He has said nothing about not prosecuting people who access private data without permission. It is entirely possible to say victims of some crimes could have done more to prevent it *without* suggesting that the perpetrators have done nothing wrong.

    ukliberty said: “I think if you delete your data you have a reasonable expectation that it has been deleted.”

    There is alleged to have been an underground trading network through which celebrity private pictures have been traded for a while. I would guess that pictures were copied before the user deleted them and have then resurfaced when the trading network was exposed.

  47. @ Squander Two
    If you cannot be bothered to read what Herr Oettinger said, your comments lack validity.
    “I mean, stupidity is something you cannot – or only partly – save people from.”
    Your criticism of him for something that he clearly did not say deserves the condemnation that you wrongly apply to him.
    FYI I have no photographs stored on my computer [OK, that’s partly because there are very few flattering photographs of me (I do have one flattering photo, supplied to me by the local paper in hard copy only; I am not sure whether there is a second)].
    If you are a narcissist or have a particular reason to want a photograph so that you can see something you can transfer a digital photo to a computer while it is off-line and print it out. There is absolutely no need to put a photo that you want others not to see in the Cloud. I never back up any data into the Cloud lest I get into a habit and accidentally back up something confidential. But then, “stupid” is not the usual insult that I receive.

  48. @ SMFS
    Don’t fall for Squander Two’s mis-statement. Herr Oettinger did not say that.
    See Gareth’s latest post.

  49. I know nothing of the original story, but I do know that on my wife’s new Samsung ‘backup to cloud’ is the default setting and you have to go to some trouble to turn it off.

  50. If you are a narcissist or have a particular reason to want a photograph so that you can see something you can transfer a digital photo to a computer while it is off-line and print it out. There is absolutely no need to put a photo that you want others not to see in the Cloud

    And then you can send it by the Penny Post or carrier pigeon. For heaven’s sake.

    This whole line of argument is desperate and tips into the absurd. There is no blame on a person who gets their account hacked, and that really is the end of the matter.

  51. Ian B: your tone is unpleasantly peremptory and your position is hard to agree with since it amounts to an absurd declaration that nobody bears any responsibility for their own security.

  52. Meissen-

    The accounts were broken into. How fucking hard is this to grasp? Ever suffered a burglary? Well, like that. A bunch of wiser-than-thous doing all this “I keep my photographs sealed in solid concrete on an island surrounded by man eating sharks, anyone who doesn’t is a fool” stuff is just silly.

  53. @ Ian B
    Obviously I am a dinosaur
    I don’t take photographs of myself and I don’t take photographs that I don’t want other people to see but that is not the point.
    “There is no blame on a person who gets their account hacked, and that really is the end of the matter.” Tell that to the FCA you idiot. If I saved market-sensitive data onto the Cloud and it got hacked I could be banned for life.
    I am *not* the FCA and I *can* feel a little sympathy for the victims of hacking BUT Herr Oettinger cannot protect people from their own stupidity. If someone waits until the traffic lights are green before jaywalking can Herr Oettinger protect them?

  54. On the question of why people take selfies, I can only direct the questioners to like 50,000 years of human emotions. I think this deserves another “fer heaven’s sake”, fer heaven’s sake.

    The sad thing reading this thread is that people are seriously, and persistently arguing, the idea that somebody who gets an account hacked is to blame for it. I am truly lost for words.

    If someone waits until the traffic lights are green before jaywalking can Herr Oettinger protect them?

    It’s more like someone who waits until the lights are red, looks both ways, does their Green Cross Code and SPLINK, ensures all the traffic has stopped… and then somebody deliberately drives onto the pavement and runs them over. And you’re like, “well serves them right for not staying away from the road, the stupid fools”.

  55. It has to be said, there is a bizarre smell of “just punishment for vanity” hanging around this thread like one of those farts that just won’t clear.

  56. @ Ian B
    In my adult life I have been knocked over twice: once was on a zebra crossing, the other was on a road closed to traffic during the Harrow marathon (no prizes for guessing the make of car) so your false analogy is somewhat offensive as well as utter junk. Unlike me, the idiot celebrities did *not* take reasonable precautions.
    I am not and never have been blaming the victims: I am agreeing with Herr Oettinger that he cannot protect people from their own stupidity. You, and several others, seem to ignore a basic principle of English Law and think that he must be able to – idiotic nonsense – and that he should. Well, he has suggested that he will try but that he cannot always do so.
    A better analogy would be a requirement for airlines to provide parachutes to passengers in free-fall after they have jumped out of the plane.
    Of course I condemn the hackers – as I have already stated if you bothered to read it.

  57. If someone is dumb enough as a celebrity to take a nude photo of themselves and put it online, they surely can’t expect us to protect them.

    To state the obvious: “protect” here refers to what the authorities do after the fact, as no-one has suggested that the EC use their magical powers to somehow make hacking impossible.

  58. Roue,

    > on my wife’s new Samsung ‘backup to cloud’ is the default setting

    EXACTLY.

    The worst thing about IT traditionally has been the obnoxious attitude of its experts that non-experts deserve ridicule and disaster. But it’s got even worse the last few years, as that attitude is now being wielded by so many people who are not remotely experts, but like to talk authoritatively.

    Case in point:

    Gareth,

    > I would guess that pictures were copied before the user deleted them and have then resurfaced when the trading network was exposed.

    Why guess? Why not read up on the subject? It’s been extensively covered, and your guess is completely wrong.

    Apple apparently thought this was a feature, not a bug: they were offering people the ability to retrieve data that had been accidentally deleted. But they weren’t offering this service, they weren’t telling anyone about it, and there was no opt-in or opt-out.

    To sum up: You take a photo and your device automatically backs it up to the cloud without asking you. You later discover this and make the effort to delete it from the cloud. You also have a forty-character password with 2FA. A hacker then exploits Apple’s massive security hole to get access to your account by figuring out your mother’s maiden name and the name of your first pet, which means they can bypass both the 2FA and your password. Apple then allow them access to the pictures you had deliberately deleted. And that makes you a reckless ignorant fuckwit who deserves everything they get.
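Added example (not part of the original thread, and not Apple's code): comments 44 and 58 describe a reset path that accepted repeated security-question guesses without suspending the account, and comment 44 ties password length caps to unhashed storage. The Python sketch below uses hypothetical names (`AuthService`, `reset_by_question`) and assumed policy values; it hashes both secrets and counts failures from login and reset against one shared lockout, and it does not model 2FA.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for illustration; they do not come from the thread.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 200_000


def derive(secret: str, salt: bytes) -> bytes:
    """Return a fixed 32-byte digest, so storage never needs a length cap."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def normalise(answer: str) -> str:
    """Security answers are compared case- and whitespace-insensitively."""
    return answer.strip().lower()


class Account:
    def __init__(self, password: str, answers: dict):
        self.salt = os.urandom(16)
        self.password_hash = derive(password, self.salt)
        # Answers are low-entropy secrets: hash them like passwords.
        self.answer_hashes = {
            q: derive(normalise(a), self.salt) for q, a in answers.items()
        }
        # Timestamps of failures on ANY path (login or reset).
        self.failures = []


class AuthService:
    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock

    def register(self, user: str, password: str, answers: dict) -> None:
        self.accounts[user] = Account(password, answers)

    def _locked(self, acct: Account) -> bool:
        now = self.clock()
        # Keep only failures that are still inside the lockout window.
        acct.failures = [t for t in acct.failures if now - t < LOCKOUT_SECONDS]
        return len(acct.failures) >= MAX_FAILURES

    def _check(self, acct: Account, stored: bytes, supplied: str) -> str:
        # The lock is tested before any secret is examined, so a locked
        # account gives the guesser no further feedback.
        if self._locked(acct):
            return "locked"
        if hmac.compare_digest(stored, derive(supplied, acct.salt)):
            return "ok"
        acct.failures.append(self.clock())
        return "denied"

    def login(self, user: str, password: str) -> str:
        acct = self.accounts[user]
        return self._check(acct, acct.password_hash, password)

    def reset_by_question(self, user: str, question: str, answer: str) -> str:
        # Same counter as login(): the recovery path is never a softer
        # target than the password it can replace.
        acct = self.accounts[user]
        return self._check(acct, acct.answer_hashes[question], normalise(answer))


def demo() -> list:
    """Constructed scenario: six reset guesses, then a login attempt."""
    now = [0.0]
    svc = AuthService(clock=lambda: now[0])
    svc.register("alice", "a" * 40, {"first pet": "Rex"})  # constructed data
    guesses = ["fido", "spot", "max", "bella", "lucky", "rex"]
    out = [svc.reset_by_question("alice", "first pet", g) for g in guesses]
    out.append(svc.login("alice", "a" * 40))
    return out


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the sixth guess is the correct answer and is still refused, and the correct forty-character password is refused too, because both paths share one failure counter.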

  59. SMFS,

    > A relative of mine used to cite that old cliche, never do anything you would be ashamed to see on the front page of a tabloid tomorrow morning. Words to live by.

    Complete bollocks. Most people would be upset to see intimate photos of them having sex with their own spouse on the front pages. There’s a difference between shame and privacy.

  60. @ ukliberty
    “they should not have taken those photos at all?” “should” is subjective; I never have, and never will take a nude selfie, not just because =========

  61. not just because I don’t look like a Hollywood star.
    That is not the point. Herr Oettinger said that he cannot protect celebrities from their own stupidity. I have asked a friend if he can ask a contact if one of the photographs she took during a race where I got it wrong and failed to finish will show me why I got it wrong. I am not going to put that anywhere anyone can see it. That is not rocket science.
    There are no hackproof computers unless you are Babbage and you have manufactured every component yourself.

  62. @ ukliberty
    No, I am saying that if they do not want someone else to see the photographs then they should not put them where that other person can see them.
    I repeat for the umpteenth time that I do not endorse criminal behaviour, but the price of liberty is eternal vigilance and if you leave a wad of £20 notes lying around in the street is it Herr Oettinger’s fault if some low-life steals them?

  63. @ Squander Two
    What is your first language – it is obviously not English?
    Protect and prevent mean stopping something happening not punishing the culprits after the event.

  64. john77,

    I am not going to put that [photo] anywhere anyone can see it. That is not rocket science.

    No, I am saying that if they do not want someone else to see the photographs then they should not put them where that other person can see them.

    When you say the person “puts” the photo online, that’s not strictly true is it? As in an action the user deliberately took? IIUC the iPhone automatically and by default, without notifying the user, automatically uploaded the photo to iCloud and, if the user wanted to delete the photo from his device, iCloud would contain an automatic backup. Also iiuc, at no point until this furore had Apple explained any of that, let alone the implications. It would be quite reasonable for an ordinary user to believe the photo is on her device and then on her sexual partner’s device, after she sends it, and be completely unaware the photo exists ‘online’. So it’s not stupid, is it? It’s ignorance, as in a lack of information, not stupidity.

    I repeat for the umpteenth time that I do not endorse criminal behaviour

    No-one in thread suggested otherwise.

  65. Ian B: The accounts were broken into. How fucking hard is this to grasp?

    It’s not hard to grasp and indeed it’s the underlying premise of this discussion.

    Since you ask, it was my bad luck to be burgled this year relying on technology (a padlock) that I thought I understood but which turned out to be woefully inadequate.

    Silly me.

    I’d contend that the less you understand a technology you mean to rely on the more you should distrust it and in the spirit of your exchanges throughout this thread I’d like to invite you now to boil your head.

  66. The worst thing about IT traditionally has been the obnoxious attitude of its experts that non-experts deserve ridicule and disaster. But it’s got even worse the last few years, as that attitude is now being wielded by so many people who are not remotely experts, but like to talk authoritatively.

    This.

    In general; the fact is that in consumer products, the onus is on the providers to ensure they are fit to consumer expectations and safety, precisely because consumers should not be expected to understand them. I used to be an electrician. It was my job to ensure that my installations were safe for clients, precisely because the clients do not understand electrics and reasonably expect that the installation will do what it is intended to do, safely. If somebody were injured by one, it would not do much good for me to say, “well people who don’t understand electricity should exercise more caution”. It is quite the opposite; because I know that they are forced (by ignorance) to trust my work, the onus is on me to do good, safe work.

    As providers, the onus was on Apple to ensure that their security systems are up to snuff. It is reasonable to blame Apple for security holes. Not the users.

  67. 77,

    First of all, Oettinger has been widely ridiculed in the German media for his second-rate English. It seems wiser to use a bit of common sense when interpreting his sentences than to be literal-minded about each individual word. Like maybe consider what he can and can’t do, what his job is, what he’s being asked about… you know: context.

    The EC make laws. If you break the law, you are punished. Oettinger has literally no other way of protecting people. You are aware that the criminal justice system protects you from burglary by threatening burglars with jail time, right? You get that, if burglary weren’t criminal, there’d be more of it? And that this is a completely standard use of the word “protect” in the context of politics and law-making?

    If he really meant “prevent”, perhaps you could explain to us what exactly he was on about. How could an EC Commissioner prevent a hack?

    He also stated that he doesn’t even understand why anyone has even complained about these crimes.

    He doesn’t understand what the crimes even are, and — like most of the people on this thread, it seems — he has no idea what the victims have done, but assumes it’s their fault they’re victims. He’s not fit for office.

  68. Bison,

    Did the builder of your house take some of your stuff out of your house without informing or asking you and put it in their own warehouse with a crappy padlock on it? Did they then ignore repeated attempts to break the padlock?

    That would be a better analogy.

  69. It’s still up to the client to decide whether he trusts the provider and his offering.

    For want of being able fully to understand the human psyche, you might nonetheless not get a babysitter on his or her simple assertion that they were reliable.

    But if you did and the child, say, was abducted, it would not be much good for you to say “well he said he was a babysitter” which is the obverse of your contention above.

    If we are bound to take on trust everything that we don’t understand the future is rather depressing: personal responsibility and freedom of choice vanish in a world of increasing technological complexity.

  70. The above in reply to Ian B.

    S2: that doesn’t work for me either. If the builder rips me off, I’ve chosen badly.

    You can’t get away from the fact in all these increasingly bizarre tableaux that the victim makes a choice which is unfortunate.

  71. So basically, what I’ve learned today is that anyone who has anything stolen is to blame for it, since the theft is proof that they chose their degree of security unwisely. Fascinating.

    I am loath to bring up the rape analogy, since these days it borders on Godwinisation, but nonetheless it leaves us to conclude that every rape victim is to blame, since she failed in her self-protective choices. We may as well just abolish the law entirely, and whatever violation occurs, just tell people it was their own fault for being vulnerable.

  72. Since you ask, it was my bad luck to be burgled this year relying on technology (a padlock) that I thought I understood but which turned out to be woefully inadequate.

    No-one’s talking about “luck”, we’re talking about stupidity, blame and fault.

  73. Fascinating thread!

    Ian B’s electricity analogy: I know how to move the light switch up and down and how to put a plug into a socket.

    A problem with computers has always been that people actually use them without really knowing what they are doing.

    Hence, and I accept this is not black and white, I used to see it not so much like “driving a car without knowing how the internal combustion engine works”, but “driving a car without ever having had any driving lessons or passing a driving test”.

    Not such a problem perhaps in some deserted backwater, but downright dangerous in the middle of a city. The internet is increasingly resembling the urban version, is incredibly complex, and yet so many of its users don’t adequately understand the functionality on these products.

    I totally accept what S2 says with regards to Apple’s processes / default settings etc; and yet, how many users even bother to look at (never mind properly digest) any user guide type information first, and hence may not even understand that there are default settings relating to cloud or other functions.

    The argument that we are moving towards consumer products that just work and anyone can use, without any training or understanding (because default settings are always robust and safe, ie like a light switch), I am not convinced is actually deliverable. And, even if it might be one day, it just isn’t the case today.

    And yes, sure, it’s against the law, and hackers should always be chased to the fullest extent and brought to account… And yet, compare the current police response / clear up rate for burglary, and which usually has a minimal cross border element to complicate things. The hacker could be anywhere – how does one (seriously) attempt to prosecute say the Russian or Chinese hacker of a US (or Zimbabwean) based cloud company.

  74. And what I’ve learned is that there really are people prepared to believe that no victim of a crime – yes, crime – can ever be complicit in the bad things that happen to them resulting from the choices they made.

    Lesson learned, goodbye to this thread.

  75. “In general; the fact is that in consumer products, the onus is on the providers to ensure they are fit to consumer expectations and safety, precisely because consumers should not be expected to understand them. I used to be an electrician. It was my job to ensure that my installations were safe for clients, precisely because the clients do not understand electrics and reasonably expect that the installation will do what it is intended to do”

    Yeah, fair ‘nough Ian. But I’m suspecting there was some sort of transaction going on there. Like you got paid.
    Trouble with the interweb thingy is that late adopters (ie those who didn’t start via dial-up/message board) have got the notion everything is & should be free. Totally ignoring that everything has to be paid for, somehow.
    How’d you feel about a couple guys come round, offer to wire up your house for zilch? “No charge Guv! Coz of….mumble mumble…something or other” Or “Today’s special offer. Free housewire with every toaster!!”
    I mean. What’s actually valuable here? Your piece of electronic bling or your data?
    Amazes me. There’s actually people stupid enough to entrust important e-mail & embarrassing pics to giveaways.
    But I do get a warm happy glow every time I hear of one being hacked. Their loose security has f*****d up a perfectly good internet. If it wasn’t for them, hacking wouldn’t be a paying career. Plague on their houses.

  76. And what I’ve learned is that there really are people prepared to believe that no victim of a crime – yes, crime – can ever be complicit in the bad things that happen to them resulting from the choices they made.

    To be complicit, doesn’t the person require knowledge of the act and turning a blind eye to it or actively participating in it?

    Usually, householders aren’t complicit in burglaries.

  77. bnis,

    Again, we’re talking about people who bought top-end iPhones. They’re not free. They’re very expensive.

    (Yes, you can go through Apple’s accounts and work out that particular departments, if considered as individual entities, make money and others lose it, but that’s academic when those departments are not in fact independent entities. I know some building projects are similar — they install the roof at below cost, say, which doesn’t matter because they still make profit on the building as a whole. And I don’t think we’re about to say that anyone who buys such a house is an idiot for expecting the roof to keep the rain out, are we?)

    Ian,

    A better analogy than rape here is groping. What people are talking about boils down to how easy it is to commit the crime. Well, it’s much easier to grope a woman’s arse if she’s wearing a short skirt than if she’s wearing a long dress or trousers. So it’s her own stupid fault, right? She should know that obviously there are lots of men who want to touch her arse, so the onus is on her to make that impossible.

  78. “To be complicit, doesn’t the person require knowledge of the act and turning a blind eye to it or actively participating in it?”
    Legally, it would seem not.
    Leave your car keys in the ignition & the door unlocked & you can say goodbye to an insurance theft claim. And open yourself up to criminal sanction if people are harmed in process of its theft. Some police/courts seem to think leaving keys in the ignition is an offense in itself. Depends how they interpret “in-charge” of a vehicle. Much the same applies to access to dangerous plant & machinery. One has a duty of care, even if the access is obtained illegally. The kids on building sites problem.

  79. @SQ2
    When you find the punter bought their iFondle on the security of its Cloud storage, let me know.

  80. bloke (not) in spain,

    “To be complicit, doesn’t the person require knowledge of the act and turning a blind eye to it or actively participating in it?”
    Legally, it would seem not.
    Leave your car keys in the ignition & the door unlocked & you can say goodbye to an insurance theft claim. And open yourself up to criminal sanction if people are harmed in process of its theft.

    Does the insurer accuse the person of being complicit?

  81. Just remembered that oil companies sell petrol at cost in the UK. Anyone who puts that stuff in their car only has themselves to blame if it wrecks the engine?

  82. bnis,

    > when you find the punter bought their iFondle on the security of its cloud storage

    I honestly have no idea why you might think that was relevant.

    > One has a duty of care

    It is actually hilarious that you are using that phrase in this thread.

  83. @ Squander Two
    Are you blaming Herr Oettinger for *your* failure in English?
    Are you trying to tell me that mobile ‘phones can’t be stolen? Are you saying that celebs transmit photos to their sexual partners from their iPhones without using telephones or computers?
    Or are you just bullshitting for the fun of it?

  84. @ Squander Two
    “Just remembered that oil companies sell petrol at cost in the UK. Anyone who puts that stuff in their car only has themselves to blame if it wrecks the engine?”
    Yes, if it’s a diesel car!
    At cost is just not true and your analogy is totally false anyhow – if they gave it away for free (despite paying the government a few £billion for the privilege) then you might be able to say that – but you can’t.

  85. “If he really meant “prevent”, perhaps you could explain to us what exactly he was on about. How could an EC Commissioner prevent a hack? ”
    Well, maybe if you remember that he said that he couldn’t!!
    One may prevent a crime either by building an impenetrable barrier around the victim/object/whatever or by having universal continuous surveillance by a force that will grasp the perpetrator by the collar at the instant when he/she starts to commit the crime, thereby stopping him/her.
    Punishing the criminal has some deterrent effect [and that is proven] but it doesn’t prevent the crime for which he/she has been punished.
    It amazes me that anyone can pretend not to understand this.

  86. Are you trying to tell me that mobile ‘phones can’t be stolen? Are you saying that celebs transmit photos to their sexual partners from their iPhones without using telephones or computers?

    What’s that got to do with the context?

  87. @ ukliberty
    He/she was saying that the celebs should believe that photos on a iPhone should be totally secure because Apple allegedly didn’t tell all buyers that they were saved onto iCloud. Not having bought an iPhone I don’t know what Apple tells buyers but just about everyone knows that ‘phones get stolen.
    SO taking a naked selfie on a mobile ‘phone is taking a risk that some criminal will steal it.
    Is that clear?
    There is no risk-free way to transmit a nude selfie to a friend unless you are Schwarzenegger in Terminator 1 and you print it out then destroy both phone and computer (or negatives), deliver it by hand (that’s where you need to be Terminator 1 for security) and watch him/her destroy it after seeing it.

  88. No-one suggested taking a naked selfie is or should be risk-free – we’re arguing about “stupidity”, blame and fault.

    “If you don’t want to be a victim of X then don’t do some connected Y”
    don’t have a car if you don’t want to be a victim of car cloning
    don’t have a GP or visit a hospital if you don’t want your medical records to end up on a usb stick on a train, on a computer sold on eBay or in a soon-to-be-hacked-wide-open central database
    don’t have tax records if you don’t want to be snooped on by some nosey parkers at HMRC for personal reasons
    don’t be a vulnerable young woman with records on council databases if you don’t want a rapist to search for people like you so he can rape you
    etc etc

  89. @ ukliberty
    Er, NO
    We are talking about whether Herr Oettinger can protect people from having files stolen and whether it is stupid to think that he (or anyone else) can.
    I am not talking about blame or fault (on the part of the victim – I blame the culprit, of course) although most of his critics on this thread are talking about blaming him for telling an obvious truth.
    If Herr Oettinger introduced capital punishment (not appealable to ECHR) for hacking nude photos, that would act as a deterrent but wouldn’t stop it completely. Do you want him to send hit squads to Shanghai, Los Angeles, St Petersburg and Mumbai to eliminate hackers?

  90. Oh, apparently, he was speaking in German and we’re reading translations. So I was wrong about his English being a factor, but still right that it is sensible to apply context when reading his remarks in English.

    Wenn jemand so blöd ist und als Promi ein Nacktfoto von sich selbst macht und ins Netz stellt, kann [man] doch nicht von uns erwarten, dass wir ihn schützen.

    Pretty sure the Germans use “schützen” the same way we use “protect”. Perhaps John could tell them to stop because he doesn’t believe it.

    Browsing the German media a bit, they all seem to think that “ins Netz stellt” means “put on the Web” (and they should know), and that therefore Oettinger’s remarks indicate that he doesn’t know what he’s talking about.

  91. “oh, apparently, he was speaking in German and we’re reading translations. So I was wrong about his English being a factor,”
    After mo

  92. “Oh, apparently, he was speaking in German and we’re reading translations. So I was wrong about his English being a factor”
    After more than one hundred posts on this thread Squander Two notices that his/her attack on Herr Oettinger has NO FACTUAL BASIS.
    Excellent
    Is it too much to ask that he/she deletes all his/her comments that are based on his/her error?
    No?

  93. I don’t think this is an unreasonable translation:

    “If someone is dumb enough as a celebrity to take a nude photo of themselves and put it online, they surely can’t expect us to protect them.”

    Which was in the OP.

  94. @ ukliberty
    Yeah, so?
    As I implied earlier Herr Oettinger is not Obama or Putin. Do you want him to protect celebrities from hackers outside the EU?
    If he could, I should support it but no-one can do so.

  95. > After more than one hundred posts on this thread Squander Two notices that his/her attack on Herr Oettinger has NO FACTUAL BASIS.

    Really? Gosh. Your comprehension skills are just getting better and better.

    UKL,

    > I don’t think this is an unreasonable translation

    No, it’s not, but the word “online” is a bit vague. If a better translation is “on the Web” (as the Germans seem to think), then Oettinger is flat-out ignorant. The photos were online, but were not on the Web.
