The Fappening – Who Was At Fault? Everybody, Especially The NSA

Posted on Sep 3, 2014 by Rick Falkvinge
Share Tweet

It’s now been 48 hours since the biggest leak of private nude photos of celebrities in history, an event dubbed “The Fappening”. Details are starting to appear about what had happened. At the same time, some are demanding blood and wanting to know “whose fault” this was. It’s more complex than that.

“Whose fault was it?”

That’s been the question I’ve heard the most regarding the enormous leak of nude photos this week. It’s a bit more complicated than denouncing hackers and thinking the world is nicely black and white. Yes, what they did – leaking the private photos – was illegal. But if the exact same thing had happened as part of a law enforcement investigation, the same leak would have happened legally.

To top that consideration off, we know that employees at the NSA are routinely intercepting nude photos in transit, passing them around, considering looking at others’ private photos a fringe benefit of the job.

So it’s not as easy as saying that the people who leaked the photos are criminals, when others can do it legally, and others still at government agencies are doing it all the time, including right now. The difference here was not one of action, but one of who took the action. Does that make it wrong? Yes. Would it still be wrong if the NSA did it? Yes. But it would be legal. Or at least legal enough. Was it wrong of Apple to provide so sloppy security so that both the NSA and the hacker could easily get at the nude photos? Aha, now we’re getting somewhere.

This is a story playing out on moral, technical, and legal levels at the same time.

At present, the archive with images from The Fappening is the most-shared and most-seeded torrent on The Pirate Bay across all categories, sporting a record 36,738 seeders. This demonstrates quite clearly that whatever goes on the net, stays on the net.

What happened was that a new interface from Apple, one called “Find My iPhone”, allowed for an unlimited number of failed password attempts with no time limit between them. This allowed people to literally try millions and millions of passwords of their intended targets, all on automatic, until they stumbled on the one password that happened to be correct. Once they had that, they were able to download the entire contents of their targets’ iPhones to their own computers.

It’s safe to assume there was more than photos that were leaked. We’ve only seen the tip of the iceberg.

Apple, meanwhile, reacts to this by saying that people who had their photos leaked should have stronger passwords, and two-factor authentication. While technically true – you should always use two-factor authentication as it helps to thwart these kinds of attacks – it’s nowhere near enough good from Apple in this case. You don’t blame the victims of your own sloppy security, even if your victims could have done a better job, too.

The NSA are actually even more to blame here. They have confused “keeping us safe” with “needing to hack into any system”, and therefore, all of a sudden, they have forgotten their initial mission, being blinded with the ability to penetrate systems and networks. But NSA safeguarding their ability to penetrate means that systems stay vulnerable, and that we are considerably less safe as a result. The Fappening is an excellent example: if the NSA had done their job, they would discovered the vulnerability and informed Apple in no uncertain terms that this was not secure. But that’s not what they do; they do the exact opposite. They discover the vulnerability and let it stay hidden.

And then, Apple blames its victims. The only thing they can be blamed for is having a bad sense of information hygiene, for trusting Apple with their unencrypted data, and for having sensitive data unencrypted in a cloud service at all.

Victim-blaming, even partially, is not something you should ever do lightly. At the same time, lack of basic security practices does have real-world implications. If you’re reckless with the PIN number to your ATM card, the fault is placed squarely on your shoulders and yours alone if somebody uses your ATM card with your PIN – even if the theft is solidly illegal, and a police report can be filed, it’s still considered your fault that it happened. We need to come to a similar understanding with sloppy protection of private data, while at the same time holding corporations liable who don’t take responsibility for private data entrusted to them.

Overall, the fault here lies primarily with Apple and not its (yes, Apple’s) victims. No company should have as sloppy security as to allow millions of password attempts in a short timespan without raising any kind of red flag. Apple should definitely have formal liability here. At the same time, it denies all such liability, and not only that, it tries to divert attention to its newest phone which also wants to be a wallet. A bit of trust issue, there.

Your stance, meanwhile, need to be that you must protect yourself from not only sloppy companies, but also from legal leaks of your private data. Consider that point carefully: you need to protect your private data from legal seizure by law enforcement, which will effectively make it public. If you do this, you are going to protect yourself from illegal leaks as a pure bonus. In other words, encrypt everything.

Some people are expressing that The Fappening wouldn’t be a problem if we didn’t consider women’s bodies and casual nude photos to be something to hide in the first place. That does have some truth to it; things that everybody does eventually lose their taboo:

“Yes, but I didn’t inhale.” — Bill Clinton, 1992
“Of course I inhaled. That was the point!” — Barack Obama, 2006

However, this observation dodges the real issue – that there will always be private data that, when leaking, can be used against the individual concerned. It’s possible that nudes won’t be sensitive in the future, but it doesn’t matter. There has always been, and will always be, private data that can be used in political or financial extortionate situations if it leaks. Consider that the attack vector used here was against a positioning service. Whoever got phone data also got a complete log of the victims’ movements. I’d say that’s a whole lot more sensitive than casual nude photos.

Information hygiene – awareness of how you store and transmit your data – is not something that can be ignored anymore. It’s mandatory. In some areas, it’s literally a survival skill. At the same time, media keeps ignoring these fundamentals of security: at the end of the day, it’s remarkably disheartening that a catastrophic privacy leak only gets the media attention it deserves if somebody is masturbating to it.

Unencrypted data which is stored on or sent through somebody else’s computer is not your data anymore. It’s as simple as that.

Privacy remains your own responsibility.

About Rick Falkvinge

Rick is Head of Privacy at Private Internet Access. He is also the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. Additionally, he has a tech entrepreneur background and loves good whisky and fast motorcycles.

VPN Service

Comments are closed.


  1. NoMoreCoulds

    If he is a decent hacker (cracker in reality), there is no way to trace him. He would have done the attack hidden behind several hundreds, maybe thousands, of high anonymous or anonymous proxies, probably from foreign countries and, although in theory it is possible to trace him while it is still connected by doing inverse way, first you need to be aware of the attack and second the connection barely last for 4 or 5 seconds before he changes the proxy. However, he is greedy and wants to make Bitcoins, this is his weak point and the only way to find him.

    5 years ago
  2. NoMoreCoulds

    Of course, it is Apple’s fault. The iPhones and other Apple devices are
    set up to upload the pictures to the cloud by default to promote its
    service and many users don’t even know it. That’s the huge problem!!! Apple, as other brands, put their interest ahead of the interest of their own clients. Is it ethical? I don’t think so. Do you really want to keep your privacy? Don’t store anything in the cloud, not even in your computer or phone, but in an external hard drive. That’s the only way.

    5 years ago
  3. Whydoyouhate?

    It is about time that we have strong, not moderate or semi-strong, privacy rights that absolutely makes it clear that evading people’s privacy is not worth it.

    5 years ago
  4. wassup

    Any celeb stupid enough to upload nude pics of themselves via the cloud or fall for a phishing email should not be using technology they don’t understand how to use. And funny how the FBI get involved with this what about all the non-famous victims of far worse that this – 1 rule for the rich

    5 years ago
    1. jcm

      not the point

      5 years ago
    2. Whydoyouhate?

      FBI have a lot of manpower. They are not just a few bunch of people as portrayed in crime tv series. Why should the hacker have more rights? Why should ordinary people have to give up their rights?

      5 years ago