We'd All Benefit if Celebs Sue Apple Over the Photo Hack

Following the massive hack of celebrity nude photos, could Apple have a massive lawsuit on its hands?
WIRED

David Vladeck believes Apple will likely be sued after hackers grabbed nude photos that celebrities stored on the company's iCloud service.

Vladeck, the former director of the FTC's Bureau of Consumer Protection and a professor of law at Georgetown University, acknowledges that such suits have had little success in the past, but he and other legal and cybersecurity experts also say that a lawsuit over the high-profile hack may be just the thing to push Apple and other online companies to more aggressively protect the people using their services.

Apple hasn't said much about the hack, in which someone pilfered nude photos of dozens of celebrities, including Jennifer Lawrence, Kirsten Dunst, and Kate Upton. In a brief statement, the company called the incident "a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," and not a breach of any Apple systems, including iCloud and FindMyiPhone. But, regardless of Apple’s debatable definition of a breach, some experts believe the hack could inspire a change in the way courts and regulators treat such incidents.

Traditionally, data breach lawsuits rarely make it to trial. They're typically settled or dismissed. The United States, unlike the European Union, has no overarching law dictating the security of a technology company, unless, of course, it operates in health, finance, or another regulated sector. That, combined with the fact that tech firms often disavow all liability in their privacy policies and end user license agreements, makes it difficult for courts to find them at fault.

But Vladeck and other experts believe that may change as regulators and courts realize our legal system puts consumers at a fundamental disadvantage against the businesses with which they entrust their digital lives. If Apple were to appear in court, these experts say, the case could finally set precedent for how tech companies must behave. Some, including Google, have made major security improvements in recent years to guard against such hackers. But many, including Apple, are behind the curve.

"We're in this legal mess where the contracts companies are relying on to protect them from liability are functionally the emperor's clothes of contracts. It's a poorly kept secret that no one understands them, and that's not a tenable position," says Andrea Matwyshyn, who recently served as senior policy advisor and academic in residence at the Federal Trade Commission. "We're seeing a trust erosion happening, and the digital economy is entirely predicated on people trusting these products, and being willing to engage with this technology."

If people no longer trust their information to these companies, she says, they'll alter their behavior. And that could imperil the entire internet economy, which is precisely why she and others believe now may be the time to set some legal ground rules. "I wouldn’t be surprised if we saw a case come out of this that made some good law around trying to fix some of these power imbalances that exist between consumers and providers," Matwyshyn says.

What We Know About the Attack

To understand how this could play out, it's important to understand how the hack happened. Though details are still emerging, many believe the hacker or hackers gained access to victims' usernames and passwords using a brute force attack, in which hackers, often using software, repeatedly guess passwords until they get them right, or by guessing the answers to security questions in Apple's password reset functionality.

In some cases, as WIRED’s Andy Greenberg recently explained, the credentials stolen with those techniques may have been combined with law enforcement software that enabled hackers to impersonate victims' phones and download their data.

This means that, unlike a situation in which a business's servers are compromised, any legal case or regulatory action would revolve around iCloud's user interface and whether Apple offers and encourages users to implement reasonable security measures at login. For instance, if a brute force attack occurred, that might indicate Apple failed to set reasonable limits on the number of login attempts that could be made before a user is locked out. Another question might be whether Apple's optional two-factor authentication truly could have protected victims' accounts, even if they had activated it.

"Apple's argument will be: 'We're not responsible. Somebody else got the credentials.' But it's Apple that decides what the credentials can be," says Fred Cate, professor of information security law at Indiana University, Bloomington. That caveat could encourage a lawsuit from the victims that accuse the company of negligence.

According to Vladeck, such a suit is highly likely, considering the high-profile nature of the hack and the deep pockets of the victims. Whether they'll be successful, however, is a different story. "Those cases have, by and large, foundered on the question of whether the individual has been harmed," Vladeck says.

Indeed, Cate says there's never been a successful lawsuit against a company for failing to impose strict enough login credentials. But he believes a high-profile suit could change attitudes. "I think this could be just that sort of case," he says. "It takes egregious cases to move the law along."

How the Courts Could Change

In such a case, the question also would arise as to whether the victims willingly agreed to a contract with Apple in which Apple disclaims liability. "Apple will claim that when we click 'yes' on those very long agreements in tiny fonts that are written by lawyers for lawyers that we fully understand those risks pertain, and we’re choosing to engage with them anyway," Matwyshyn says.

While such agreements have protected companies in the past, Matwyshyn says, courts increasingly are ready to reassess them, accounting not only for the language in the contract, but for the user's interpretation of the contract.

Another possibility is that the Federal Trade Commission would investigate whether Apple has provided reasonable security measures, given the sensitivity of the data and the risks involved. The question then will be whether the hack was based on a known security flaw that was not fixed. "Unfortunately, that's still the bulk of our industry," Matwyshyn says. "Those are the types of problems where you’ll see private sector litigation and enforcement activity from the FTC."

Indeed, a brute force attack very well could constitute a known risk. After all, Twitter experienced a similar hack in 2009 and quickly shored up its sign-in. Even Apple referred to the attack in its statement as an "all too common" practice on the internet. Whether the FTC would view that as evidence that Apple failed to respond to a known threat, though, is unclear. And as Cate notes, such action “doesn’t usually put money in the hands of anyone who’s hurt, but it can provide substantial penalties, so the companies want to behave better next time."

Apple's Catch-22

None of this means Apple is in grave danger. The company's privacy policy very well may serve as adequate disclosure to users. And Apple certainly could argue that just because users give their data to a third-party source does not mean users completely relinquish responsibility to protect that data. If the victims didn't use a sophisticated password, Apple could argue the victims were the ones being negligent.

According to Cate, Apple also will likely argue that forcing stricter login credentials on users would threaten its business, because hardcore security measures could confuse or irritate the average consumer. "Whenever a company raises the security bar, the public hates it," he says. “So they're sort of in a Catch-22. We hate them when they make us use top security, but we hate them when they lose our data."

That's one reason why Cate, Vladeck, and Matwyshyn agree the United States is in desperate and growing need of laws that at least set basic ground rules for data security. The fear, of course, is that the rate of innovation in the tech sector will make any laws obsolete almost as soon as they’re passed. And yet, Matwyshyn notes that in other areas of contract law, rules have been created to guarantee basic standards for service. For instance, she says, "Your landlord can’t just turn off your heat in the middle of winter. That's a basic agreement, no matter what your contract states."

"For consumers," she says, "data security is increasingly viewed like heat in winter."