Nude celebs on iCloud: Was Apple Inc. at fault?

September 3, 2014, 4:48 PM UTC

Much to Apple’s dismay, the nude-celebs-on-the-iCloud story has legs like a supermodel.

Tech reporters are filing dispatches from the “crazy, obsessive subculture of celebrity nudes and revenge porn” where such photos are exchanged. British tabloids are in hot pursuit of “Original Guy,” the hacker who took credit for posting the current crop. And the Web equivalent of Fleet Street is trotting out any story — no matter how irrelevant — that can be filed under the “Apple security” slug. The latest from Gawker: Eva Longoria Says Star-Struck Apple Employees Stole Her Information.

Meanwhile, the carefully crafted media advisory Apple issued Tuesday is being scrutinized by privacy experts for what it did and didn’t say.

The operative bits:

“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions… None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone… To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.” (emphases mine)

“Breach” in this context is a term of art. If you think of the iCloud account where Jennifer Lawrence stored her photos as a locked vault, someone got into it with the key (her login and password). They didn’t do the computer equivalent of sledgehammering through a wall or dropping in through the ceiling panels.

What the company is saying, in the technical language of Unix security, is that Lawrence got hacked, not Apple.

“Protect” is also a little squishy. While Apple’s two-step verification is recommended, it’s not required, it’s not that easy to install and, from Apple’s point of view, it sends the wrong message about iCloud and the Internet: that it’s a dangerous place full of unsavory people.

Moreover, it’s not at all clear that two-step verification would have kept those R- and X-rated selfies from getting out. The dark corners of the Web are filled with guys with police-grade hacking tools who can, given an iCloud login and password, download just about anybody’s photo stream.

The issue, at heart, is to what extent Apple is responsible for everything that happens on iCloud — not just to Hollywood celebrities, but to any user foolish enough to offer up their passwords to unsolicited e-mails from people they don’t know.

By accident or design, the issue has come to a head at the worst possible time for Apple — a week before a major media event at which Apple is expected to unveil a new payment system that depends on customers trusting the company to keep their money safe.

“Worryingly for the general public,” reads the kicker in a typical nude-celebs-on-iCloud story, this one in the Daily Mail, “is how simple the posters make their privacy theft seem — and raises the frightening prospect that Apple’s iCloud used by millions is not safe for anyone to store sensitive information on.”

Apple shares closed Wednesday at $98.94, down $4.36 (4.22%) following Tuesday’s all-time high of $103.30.

UPDATE: The best advice on how to think about all this comes from former New York Times reviewer David Pogue, now writing for Yahoo. Headline: You’re Reacting to Celebgate Wrong.

Follow Philip Elmer-DeWitt on Twitter at @philiped.