Keeping it safe

Leakage of online data raises questions

Once again, questions of data privacy have taken centrestage on the Internet. Over the last fortnight, two major leaks have caused a great deal of soul-searching about the degree to which online data are being kept secure. In the first leak, it appeared that hackers had gained access to a series of iCloud accounts. These are the online stores of personal data maintained by those with an Apple device, whether phone or tablet. They are accessible by password, and maintain a record of everything that users have uploaded - or photographed. Indeed, even if someone deletes a photograph from his or her Apple device, it may still stay archived on the cloud. This may have contributed to the problem. The hackers who broke into iCloud accounts focused on those belonging to American celebrities, and they then leaked their private photographs online. The industry magazine Ars Technica has demonstrated exactly how easy it is to break into an Apple account with some technical knowledge and only basic skills.

Then, last week, a Russian-language online forum devoted to discussing Bitcoins was the location for a post that included a large file of what turned out to be five million passwords to Google accounts. It turned out that a large number of them were out of date - only about two per cent worked, according to Google, and most of those would probably have been caught by its online authentication system. But, given the amount of information that is consigned to Google accounts - after all Google's Android, not iOS, is by far the world's dominant smartphone operating system - many asked similar questions. Is user data online safe enough?

It turns out that security of online data depends crucially on two things: how hard users themselves work to protect it, and how hard their chosen providers work to protect it. Sadly, here it appears that Apple may not be doing enough. Its CEO Tim Cook, who gave a much-watched keynote address at the company's annual new-product extravaganza last week, failed to mention the iCloud leak even once. The company's official response was hardly a model of disclosure either. And subsequent efforts by Apple on iCloud security have gone little beyond warning users that a hack might be in progress. Google, in contrast, responded swiftly, and assured its account-holders that they were safe unless they specifically heard from the company. If anybody's account was on that list of five million, Google forced them to reset their account. And since so many of the passwords were out of date, it seems clear that the list was not accessed from Google's own servers, but from some other website where users may have entered their addresses and passwords in error.

Companies, clearly, can take precautionary steps only up to a point. Users on the Internet have to be careful of how they're using their passwords, whom they entrust them to, and what the costs of losing them might be. After one major leak last year, in which 130 million accounts and passwords were stolen from the servers of Adobe Incorporated, what stood out was how lazy many people were about their passwords - "password" and "123123" were chosen by millions of people, as were "qwerty" and, for some reason, "iloveyou". Apple and Google both offer extra authentication services, as do several other cloud-based services; those who have more to lose, or are most concerned about privacy, would do well to use them. Still, it is clear that cloud-based services are not necessarily as safe as their providers would claim. For companies and individuals most concerned about security, the recent leaks will have enhanced the sense that cloud security has a long way to go before it can match physical control of data.