Sunday, September 07, 2014

Levels of Protection

Note: Since this topic comes pretty close to my professional interest, I want to emphasize that these are my own thoughts on this issue, not a reflection of my employer's policies or attitudes.

There's been some discussion of the leaking of photos of celebrities that those celebrities would have rather not released.  The consensus seems to be that the main culprit is lax security policies by Apple and other "cloud" providers.  But I think there's another way of thinking about it.

99.9% of the photos stored in the cloud are worthless to everybody except the owner of those photos. Nobody outside of my family is itching to see my daughter's baby pictures.

As such, they do not require a high level of security, and I would be annoyed if I had to pay for it, either explicitly with money or by enduring some form of security theater every time I wanted to grab a picture from a past Great Strides Walk.  I'd also be annoyed if my pictures were lost, or if someone I didn't know got their hands on them, but my primary concerns are accessibility, ease of use, and price.  I suspect this is the case for the vast majority of customers, perhaps including celebrities.

It's similar to a coat check at a restaurant.  I want them to take care of my jacket and make sure nobody leaves with my jacket. But I also don't want to see an armed guard there, wouldn't be willing to pay a very high price for a more secure service, and I would be more annoyed than relieved if I had to go to great lengths to prove that my jacket was actually mine.

Enter the celebrity photos.

Now, all of a sudden, a service designed for accessibility, convenience and low cost is the guardian of something that others value very highly.  Now, the service is hosting something that the owner would very much like to keep from other people, and other people (unfortunately) are willing to make a concerted effort to get.

And the service providers don't know (or shouldn't know) that this has occurred.  To them, the celebrity photo is indistinguishable from the picture I took of my daughter's camp.

To use my analogy, it would be similar to putting $1000 of cash in the pocket of my jacket and giving it to the coat check.

Which is why I think this misses the point:

Sure, this will score some PC points about victim blaming, and of course the primary responsibility for these leaks lies with the people who hacked into the accounts.  And, the commentary I have seen doesn't say that the victims deserved to be hacked, but that some prudence could have prevented the situation.

But in general, photos are a completely different type of data than credit card information.  I have to share my credit card with an online retailer in order to do business with them, and them securely managing that data is an implicit (sometimes explicit) requirement of the contract.

It would be unwise for me to leave my wallet in a jacket I checked, because the service is not designed to secure things that are valuable.  If someone steals it, they are responsible, but anger at the coat check service would be misdirected.

Nothing about using a photo cloud service implies that I post very sensitive photos there.  And almost all users don't, and indeed couldn't if they wanted to.

Is it reasonable to expect these services to ratchet up their security to account for these cases?  Should the rest of us have to pay for it either with inconvenience or currency?

I don't think so, but perhaps there's a better way, and figuring things like this out is what they pay us to do.

Monday, September 01, 2014

My Challenge

I’ve been challenged for the ice bucket challenge.  In my judgement, at this point, the campaign has run its course, and for me to post a video would be mostly about drawing attention to myself versus those with ALS and other diseases.

There has been some debate about the effectiveness of this campaign.  What is undeniable is that it has drawn our attention to those impacted by this terrible disease, and raised much more money for research to find an end to it.  Anyone with a casual knowledge of my Facebook feed knows I am not above using events and physical acts to raise money for research to end diseases.  I salute those who have taken part, and think they should feel good about what they’ve done.

Nevertheless, it’s always a bit disappointing that many of us wait for campaigns like this, or for disasters to strike, or for a political or cultural spat, to give to those who are suffering.   My heart has been very heavy lately -- with some deaths in the family, with injustice and unrest in the city I called home for 15 years, with violence and warfare breaking out throughout the world. I think we are called to always keep those who are suffering in mind, and to do what we can to help them. I know that I often fall short of this goal, and suspect I am not alone.

So, in honor of this, I am making three small donations, which may not be large but I hope to repeat several times:

  • To the Cystic Fibrosis Foundation, in honor of my recently deceased Great Aunt Eileen Cooney
  • To the MS Society, in honor of the consistent and inspiring efforts of Rick Keating on behalf of his wife Michelle.
  • To the ALS Association (with a request that it be used for non-embryonic research) in honor of Carle Lacouture, father of my childhood friend Michael.

And my challenge, to myself and the rest of you, is to find a way in our daily routines to keep those who are suffering in our minds, and to use whatever influence we have to remind each other of those we may prefer to forget about, and to do what we can to help them.