'Don't Take Nude Selfies' Is Not Good Security Advice (Op-Ed)
Your email account got hacked, and all your messages were posted online. It's your fault for not using a better password. Your World of Warcraft account got hijacked, and someone stole all your gold. It's your fault for playing video games. Your credit-card data was stolen. It's your fault for having a credit card.
Your photo-storage service or smartphone was hacked, and someone posted your nude selfies online. It's your fault for taking photos that other people find desirable.
Most people would find the first three assertions ridiculous. Using a guessable password, playing an online game or having a credit card may be inherently risky propositions, given the nature of the Internet, but they don't mean you're at fault when someone else hacks your account.
But when the stolen data consist of selfies privately taken by famous women posing nude, suddenly people leap to blame the victims of the data breach, not the perpetrators.
Virtually no other type of breach provokes this kind of blame-the-victim response. "She shouldn't have done it" isn't actually sound technological advice. It's moralizing, condescending and puritanical.
Jennifer Lawrence, Kate Upton, Kirsten Dunst and the other actresses whose nude photos appeared on Internet forums Reddit and 4chan this weekend are not at fault for these data leaks. The only people responsible are the ones who stole, collected and apparently trafficked these photos for years before the spoils of their thefts appeared online.
"Don't take nude selfies" is not only victim blaming, it's simply not viable. Taking nude selfies may not be "necessary" in the way that having an email address or a credit card are, but neither is playing an online game, and no one would describe playing World of Warcraft as "scandalous" or tell players they "shouldn't have done it."
Encouragingly, the conversation surrounding this round of female celebrity nude photo leaks is less accusatory than in previous leaks. In 2007, when a nude photo of Disney Channel star Vanessa Hudgens appeared online, hardly anyone asked who had actually leaked the photo, or questioned the security of the digital service used to store and transmit it. Hudgens, who was 18 at the time, was forced to apologize for a nude photo that someone else leaked without her permission.
"We hope she's learned a valuable lesson," said a Disney Channel representative of the incident.
This time, the question of who stole dozens of nude photos, and how they did it, is at the forefront of the conversation. Many experts and commentators have attempted to focus blame on the people who stole and exploited the photos, not the people who took them. Celebrity blogger Perez Hilton, who initially posted the photos on his website, quickly took them down and apologized for posting them in the first place.
That's not to say Jennifer Lawrence, Kate Upton and the more than 100 affected actresses haven't been shamed and blamed for the hacks. Under a Twitter hashtag #ifIwerehacked, people have boasted that they're "smart enough" or "responsible enough" not to take nude selfies, and that the only photos on their phones were of pets or of food. At best, this hashtag misses the point; at worst, it contributes to a culture of victim blaming and exploitation.
Could Jennifer Lawrence and the other women affected in the data breach have done more to protect their photos? Sure. "Security is a process, not a product," as security guru Bruce Schneier wrote in his book "Applied Cryptography" (Wiley, 1996).
Security experts could and probably should recommend that anyone, no matter what gender you are or how famous you are, use encrypted cloud storage services, secure messaging apps and complicated unique passwords.
But before offering that advice, people need to first acknowledge that a person's private data is that person's private data, and that "don't take nude selfies" is neither good advice nor appropriate commentary.
The fact is, the theft of these women's nude photos was a theft. It was an invasion of privacy. It was the digital equivalent of robbing a bank and stealing money from accounts held in the bank. Just because the "safe" the criminals broke into to steal these private photos wasn't as strong as it "could have been," or even because the photos existed in the first place, does not make the theft any less of a crime or an outrage.
- 12 Computer-Security Mistakes You're Probably Making
- Best Free PC Antivirus Software 2014
- 7 Scariest Security Threats Headed Your Way
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.