Snap! [Updated]

Yesterday [Oct 10] news broke that gigabytes’ worth of Snapchat photos and videos had been posted on the Internet. Yet another hack with personal info stolen, but what makes this different is that confidentiality was breached at several levels. Not only was data stolen from an insufficiently protected service, but the fact that data was there to be stolen in the first place goes very much against the point of a service that should destroy messages after a few seconds. It has now been reported that the material did not come from Snapchat itself, but from SnapSaved – a third-party app used to save the shared files online (see the detailed report from Ars Technica and the comment from the app developer). According to the reports, the leak was caused by a webserver that was not configured correctly.

I haven’t tried Snapchat myself – I am probably too old with too boring interests to try out something that looks like a digital doctor game (with opportunities for mature flirting and nasty “your Mommy and Daddy will never know”) – but as long as no laws are broken and no one is abused, it ain’t my business [Update: I am definitely too old, but there is plenty of business for some]. However, I feel bad for everyone who has shared private photos and videos with friends, lovers, spouses in good faith that the other party was also using the service in the way it was intended. Now all Snapchatters must wonder if their partners in fun can be trusted.

The initial coverage here in Denmark focused on how people are naive and way too trusting on the Internet (plus the inevitable sensationalism), hinting that everybody getting their pictures exposed has only themselves to blame (ha!). And while I do not disagree that people should take web security more seriously, I think it is wrong. First of all, that is blaming the victim, ignoring the criminal hacking/leaking and the negligent hosting. Second, considering the data breaches from major corporations and from public institutions where you have little or no choice of having your data registered, anyone can become a victim at some point. Third, even if the victims have done all the right things to protect themselves online, they would not be protected when the people they shared with stored data that was supposed to be destroyed.

The nature of the incident does not change the usual advice about safe conduct on the internet:

  • Use strong passwords
  • Don’t use the same password on several sites
  • Use two-factor authentication when possible
  • Be careful what services you use and what you install (keep an eye on permissions)
  • Remember you never know who will see content you share on the Web (apart from NSA and colleagues),

but this story adds another point to the list:

  • consider if the people you share with understand safe conduct as well and whether you can trust them at all

(actually, this is nothing new and perhaps a painful reminder was due).

In a world fighting global warming, international terrorism and Ebola, this may not seem like a big issue. But when such broken trust takes away the kind of things that make life bearable, it is serious.