• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

Protection of digital assets: the naked truth about cloud security

As personal devices offer increasing functionality and become increasingly embedded in individuals’ daily lives, it seems inevitable that people will digitally capture ever more of their private life. This celebrity iCloud leak (involving such high profile figures as Jennifer Lawrence, Kate Upton, Kim Kardashian, and Kirsten Dunst) has demonstrated this point. But how many people are aware of exactly how and where their data is stored and how secure it is?  This article seeks to examine the key legal and practical issues.

Cloud Storage

Increased use of enhanced functionality, for example of digital camera video content has in turn fuelled greater consumer demand for solutions that expand data storage capacity beyond the limited amount of capacity provided by their physical device. By offering public cloud solutions businesses are able to meet market demand via an efficient, scalable, and low-cost model, which consequently result in a corresponding increase in the amount of consumer data that is accessible from their device but stored in the cloud.

However, there remains a widespread lack of awareness as to the risks posed by storing data (and especially sensitive and private data) in the cloud. Many individuals fail to understand that backing up to the cloud means their data is stored otherwise than on the physical device via which they amassed such data, and that this potentially increases the possibility of unauthorised access by third parties (such as hackers). In particular, individuals tend to be unaware that low-cost public cloud solutions may provide lesser security protections and options for recourse compared to higher-cost private storage or cloud solutions, which may be more suitable for sensitive or private data the sorts of which have been released in this celebrity iCloud leak.  

The Leak Itself

The celebrity iCloud leak is thought to have originated from online deviant forum “AnonIB”; an offshoot of image-based bulletin board “4chan”. AnonIB’s “/stol/” board is noted for serving as a global meeting hub for skilled hackers who acquire and share stolen or “obtained” pornography, fostering an underground trading ring in which stolen celebrity photographs are traded between individuals (calling themselves “collectors”) in return for other celebrity photographs and/or bitcoins.

The leak itself appears to have occurred as a result of a particular “collector” bragging of his collection on AnonIB’s “/C/” (celebs) forum, pursuant to which an online argument ensued and the “collector” released a directory file and images (rapidly spreading to websites including image hosting site Imgur, microblogging platform Tumblr, community news site Reddit, and online bulletin board 4chan) as proof of the photographs’ existence. The “collector’s” subsequent offer to release all further images in return for bitcoins caused a major dump by other “collectors” who, realising their trading ring was due to imminently collapse and upset about the devaluation of their “collections”, “dumped” photographs on various websites (in some instances in return for bitcoins).

However, the initial acquisition of the photographs is the key concern.

Apple has suggested that the leaks did not arise as a result of vulnerabilities in their iCloud system, but instead derived from a “targeted attack on user names, passwords, and security questions”. This method of acquisition is set out more clearly on AnonIB’s /stol/ board, where historic discussions between hackers suggest that photographs were acquired by:

  1. determining whether a username was active using Apple’s iForgot password reset form;
  2. having confirmed that a username was active, either:
  • guessing passwords or security questions. This is often possible as a result of users setting passwords and security questions either: (i) based on factual information (place of birth, first pet’s name), which could be determined from internet searches (and, in particular in the case of celebrities, interviews and fan sites), or (ii) that take a generic form (“123456”, for example, is the most common password); or
  • using specialist “brute-force” password-cracking tools (which attempt all password variances until the correct password is found) to obtain the relevant password. It is reported that this was possible as a flaw in the iForgot password reset form meant accounts were not locked after a certain number of failed password attempts, as is standard industry practice. A 2013 Deloitte paper entitled “P@$$1234: the end of strong password-only security” suggested that in 2012  a dedicated password-cracking machine employing readily available virtualization software and high-powered graphics processing units was able to crack any eight-character password (6.1 quadrillion possible combinations) in just 5.5 hours, and even less should crowd-hacking tactics be used; and
  1. either:
  • simply logged into the user’s iCloud and downloaded the relevant photographs; or
  • impersonated the user’s device using Elmsoft’s Phone Password Breaker, a forensics recovery tool primarily retailed for use by government agencies, to download the celebrity’s full backup (which contains significantly greater data than iCloud alone, including videos, application data, text messages, and contacts).

Whilst other possibilities have been mooted, such as the use of social engineering (the psychological manipulation of people into performing actions, such as providing account access, or divulging information, such as passwords) or phishing and malware (the acquisition of information by masquerading as a trustworthy entity or installation of malicious software onto the target’s device, respectively), these have since been largely ruled out. 

Rise of Cloud Data Breaches

Unfortunately, as the use of cloud solutions and the value of the data in the cloud increases, cloud data breaches such as the celebrity iCloud leak are becoming commonplace. Last year alone Evernote, Facebook, Microsoft, and Sony were all forced to announce security breaches, with Adobe experiencing the largest ever data breach (152 million records) and Target and Pinterest each taking positions in the top 10 largest data breaches (by volume of data lost) in history. According to a summary report released by threat intelligence consultancy Risk Based Security, 2013 saw 2164 separate incidents with over 822 million records being exposed (almost double the previously highest year on record, 2011). Almost half involved the loss of password data, with hacking accounting for almost 60% of all incidents, and over 70% of leaked records.

McKinsey’s 2014 report “The rising strategic risks of cyberattacks” sets out that research conducted with the World Economic Forum suggests companies are struggling with their capabilities in cyberrisk management, with “highly visible breaches [occurring] with growing regularity”. Traditional “protect the perimeter” technology strategies appear to be insufficient for cloud solutions, and a majority of companies struggle to quantify the impact of risks and mitigation plans. In fact, much of the damage caused by a data breach results from an “inadequate response to a breach” rather than the breach itself.

Cloud Terms

Due to the “one-to-many”, low-cost and highly-scalable nature of public cloud solutions, the terms to which consumers have to sign-up tend to be heavily supplier-biased and non-negotiable. This is especially true in relation to security, where terms surrounding data confidentiality, integrity, and recovery following loss are ambiguously drafted or omitted entirely.

Whilst consumers may expect certain terms to be included in connection with minimum security levels and the protection of data stored on the supplier’s systems, there are often no valuable clauses accounting for detection, reporting, and subsequent management of security breaches.  It is unlikely that there will be any valuable service levels pertaining to detection, reporting, and management of data breaches, or any ability to check the handling practices of suppliers, meaning consumers have little to rely on to ensure suppliers inform them promptly of any potential breach and resolve such in a timely fashion.    

Most commonly the intellectual property provisions under any cloud agreement will set out that the consumer will continue to own all data (and the intellectual property rights in such), and that the consumer licences such to the supplier during the term for the purpose of providing the services in question. However, this clause only serves to reconfirm that consumers own content they have created, enforcing these rights in practice may be of limited use to the average consumer, given the complexity and cost of seeking to enforce such rights on a potentially global basis after a data breach against any individuals reposting or reusing the content publically.

As cloud services are provided for little or no money (consider, for example, Apple’s basic iCloud allowance, which is at no cost to the consumer), suppliers tend to disclaim all liability under cloud agreements. Where it is not possible to disclaim total liability, suppliers will commonly limit this only to the amount paid by the consumer for the solution in question. As such, even if a consumer was able to bring a claim against a supplier under a cloud agreement, the actual amount that would be recoverable would be so negligible that bringing such claim would not be cost-effective.

In this particular instance, it is unlikely that the celebrity victims will have any real or valuable recourse directly against Apple as a result of the leak.

Data Protection Act 1998

Possible legal consequences may, however, apply to the supplier pursuant to section 4(4) of the Data Protection Act 1998 (“DPA”), which sets out that it is the duty of the data controller (in this case Apple) to comply with the data protection principles in relation to all personal data with respect to which [they are] the data controller. One such data protection principle is Principle 7 of the DPA, which sets out that a data controller must ensure that “appropriate technical and organisational measures [are] be taken against unauthorised or unlawful processing of personal data and against accidental loss…of…personal data”.

A breach of clause 4(4) of the DPA enables the UK Information Commissioner’s Office (“ICO”) to levy fines against the breaching data controller; recourse which Sony experienced to the tune of £250,000 following their 2013 data loss involving usernames, passwords, and payment card data. Should the ICO decide that the technical measures applied to Apple’s iCloud (in particular in relation to the potential flaw in the iForgot password reset form) failed to provide a sufficient level of security in order to prevent the unauthorised processing of the celebrities’ photographs by the hackers, it is possible that Apple will be subject to a similar fine.

The significance of the breach will be exacerbated significantly should it transpire that the hackers used Elmsoft’s Phone Password Breaker to obtain full backups of the celebrity victims’ respective devices, as this would result in unauthorised processing of much greater amounts of personal data by comparison to the hackers simply accessing the victims’ iCloud and downloading a few select photographs.   

Litigious matters

DPA fines, however, do not resolve the issues experienced by the celebrities themselves. The difficulty encountered with leaked digital photos is that they can be copied and shared rapidly across multiple social media platforms and websites. The main priority will therefore be to get the photo taken down urgently, following which legal recourse and recovering damages can be addressed.

What Legal Action?

Breach of Human Rights

There is no fixed body of privacy law in the UK protecting against the wrongful disclosure of materials relating to an individual’s private life.  However, the introduction of the Human Rights Act 1998 (“HRA”) provided individuals with the “right to respect for private and family life”[1].  This right has been used to try and prevent breaches of privacy where there has been a publication of information that is obviously private or where the disclosure would give substantial offence to a person placed in a similar position to the claimant.  

One case that considered this human right in the context of the publication of highly intimate photos was the Max Mosley case.[2]  In that case, the News of the World published video footage and still photographs showing Max Mosley allegedly engaging in sadomasochistic sexual practices and the Court held that there would have to be a very high public interest to justify any publication of such photographs. Given that the Court found that Mr Mosley’s privacy was breached, there would be little problem convincing an English judge that the publication of nude celebrity photos should be restrained. Indeed, following the Mosley case, one has to wonder if there would ever be sufficient public interest to justify publication of private photographs showing nudity or sexual activity. 

There are limits to this cause of action:

  • The courts will always balance an individual’s fundamental right to privacy against the publisher’s right to freedom of expression.
  • Publication is more likely to be allowed if there is a public interest in the information becoming public.  English courts have been at pains to point out that, just because something is “of public interest”, does not mean that it is “in the public interest” to publish it.  As one judge has pointed out, “the most vapid tittle-tattle about the activities of footballers’ wives and girlfriends interests large sections of the public but no-one could claim any real public interest in our being told all about it.[3]  As stated above, in the case of nude photos of female celebrities, it is hard to imagine any public interest justification.  
  • The Court is unlikely to grant an injunction when a photograph or piece of private information becomes so widely publicly available (e.g. as a result of re-posting and re-tweeting) that the grant of an injunction would be futile.  For example, in the Mosley case,[4] the High Court refused to grant an injunction to restrain publication because, by the final hearing, the information had been viewed more than 1.4 million times.  However, the real question for the Court is not how many people have seen the content but rather whether an injunction could still prevent some intrusion and distress to the claimant.   
  • The courts tend to be slightly more lenient when it comes to disclosure of private information in written form, rather than the publication of photos, which are deemed to be generally more intrusive than written information describing the same subject matter.

Breach of Confidence

Cases relating to the human right to privacy (above) grew out of an existing body of law relating to the protection of confidential information (or breach of confidence).  In order to protect confidential information, the claimant must prove that information was imparted to the defendant in circumstances importing an obligation of confidence.  It is often used to protect commercially sensitive information but can also be used to prevent disclosure of personal information, including details of sexual conduct disclosed to a friend.[5]

Copyright

Copyright can be a useful cause of action for restraining circulation of personal photos. 

The first owner of copyright in a photo will usually be the person who takes it and therefore, each time the photo is posted online and shared by users, it will be copied multiple times and infringe that copyright.  Inevitably, the internet service providers and any social media website operators will also copy the photo as part of providing the service and may also be liable for copyright infringement unless they fall within one of the E-Commerce defences.[6]  Case law suggests that a website provider can avoid a damages claim if it acts expeditiously to remove any infringing content upon becoming aware of it, makes it clear (e.g. in its terms and conditions) that it does not approve or allow the copyright infringement and the site does also have a legitimate purpose (i.e. it is not just a P2P site for illegal downloading of music). 

Even though a website operator might avoid a damages claim, a court does still have the power to grant an injunction compelling the website operator to take down the photo provided the service provider has actual knowledge of another person using their service to infringe copyright.[7]  This is one of the reasons why we recommend (in Section B below) that letters before action are sent to website operators at the earliest opportunity.

Other Causes of Action

In the UK, there are no image rights or personality rights (as there are in the US, Australia and France), however, the UK courts are expanding the scope of existing causes of action in order to give people more control over the use of their image.  In addition to breach of privacy, breach of confidence and copyright infringement:

  • If a photo of a celebrity is published without authorisation in a way that suggests they endorse a product, the celebrity may be able to bring an action under the “tort of passing off”. 
  • If the photograph is posted online in a derogatory manner that is likely to harm the reputation of the individual, then they may also have a claim for defamation
  1. Remedies & Defendants

Injunctions

The remedies that are available to a claimant for the above causes of action would normally be an injunction, damages or account of profits and delivery up or destruction of the unlawful copies of the photograph.

In reality, the claimant is likely to be most interested in securing an injunction to stop further publication of the photograph as a matter of urgency.  Courts are willing to grant injunctions urgently, on an interim basis, pending a full hearing of the case.  In terms of an action for breach of the human right to privacy, there is arguably a higher test to meet to secure an injunction.  The usual test for an interim injunction is whether the claimant can prove that there is a “serious issue to be tried”.  For breach of the human right to privacy, section 12(3) HRA states that a court should not grant an injunction to restrain publication before trial unless it is satisfied that the application is “likely to establish that publication should not be allowed”.   This is one of the reasons why copyright infringement can be a useful back-up cause of action.

Defendants

There are two main parties that the celebrity could bring legal action against:

  1. The Hacker –

Sometimes the only way to stop the dissemination of material is by targeting the hacker directly, however, this should be approached with caution: it is costly and time-consuming to locate hackers, who are experts at concealing their identity and location.  It is possible to apply for certain Court orders that may assist in revealing the hacker’s identity.  For example, a Norwich Pharmacal order compels an internet service provider or website operator to reveal the details of the account and IP address from which any unlawful content has been posted.  The law enforcement authorities may be able to assist with a criminal investigation into the hacking under the Computer Misuse Act 1990. 

  1. Website operators hosting the photo –

It is usually worth writing a legal letter to any website operators hosting the photo stating that: (i) they are required to take down the photo immediately; (ii) they should preserve any identifying information they might hold about the hacker (in case you later wish to build a case against the hacker and/or apply for a Norwich Pharmacal order).

As well as the specific defence discussed above for copyright infringement, there is a more general defence for website operators under regulation 19 of the E-Commerce Regulations 2002 stating that the website host will not be liable for the content provided: (i) the user posting the content was not acting under the authority of the provider; (ii) the provider had no actual knowledge of the unlawful activity or facts/circumstances that would have made it apparent; and (iii) the provider acted expeditiously to remove the content as soon as it was made aware of any infringing activity.  However, despite this, many website operators will not take action to remove content without a court order, particularly as this limited defence is based on European legislation, whereas a number of the most notable social media and website operators are based in and/or have their servers in the USA. 

One point to bear in mind is that, as soon as you send a letter to the website operators, they are likely to notify the hacker of the legal complaint and this will put the hacker on notice that you are aware of the posting.  In certain circumstances, particularly if you wish to go after the hacker directly, it may be worth delaying sending this letter so that investigators can gather as much information as possible about the hacker.  Of course, if the immediate priority is to get the content taken down, rather than locating the hacker, then these notice-and-takedown letters should be sent immediately to the website operators. 

Basic security protections

Despite the availability of recourse, the fact that the photographs have been released and seen by millions of people cannot be taken back. As the maxim goes: “prevention is better than cure”.

It is unlikely the businesses will turn away from the use public cloud solutions where consumers are paying little or no amount for the service in questions. Similarly, it is unlikely that consumers will capture fewer moments of their private lives using personal devices. Accordingly, the change of a breach such as this occurring again is inevitable.

To reduce the possibility of personal accounts being hacked, a few simple steps may be followed:

  1. strengthen your password – longer codes with a mixture of alphanumeric and other characters should be used, whilst passwords that can be closely associated with you (such as birthplace, or home town) should be avoided;
  2. choose random answers to your security questions – finding out personal information is relatively simple as a result of the vast amount of information contained on the internet, so using random (false) answers for security questions will reduce the likelihood of a hacker being able to determine the necessary information and obtain access to the relevant account; and
  3. enable 2-factor authentication (“TFA”) – when enabled, TFA adds a second layer of security which applies the first time access to an account is obtained using a new device (computer, smartphone, or otherwise). After entering the username and password, a special code will be sent to an already trusted device (usually a mobile phone). Without possession of this device a hacker is unable to obtain the special code, and therefore cannot satisfy the second authentication layer and, consequently, gain access to the relevant account.

It should be noted that, contrary to popular belief, TFA is not a flawless system. For example, as iCloud is installed on new devices with only an Apple ID and password, it does not trigger the use of TFA and therefore would not have prevented the celebrity iCloud leak. The best possible mechanism to ensure security in the cloud, therefore, remains for individuals to ensure they use a strong password.  

The right platform for the right data

Low-cost, public cloud solutions which offer less control to a consumer over the security controls in place to protect their data and recourse in the event of loss or unauthorised access to such data, such as the iCloud solution which is the subject of this celebrity photo leak, are largely considered unsuitable for particularly sensitive and private data. This is demonstrated by the fact that banking organisations and other businesses that deal with particularly sensitive data, such as the NHS, either store personal data on in-house servers or using costly, bespoke private cloud solutions.

Individuals should review the sensitivity of their data and determine which solution will be best for storage. Public cloud solutions may be used to back up data which an individual would not be concerned about entering the public domain, but should be avoided for sensitive and private data. Solutions such as iCloud can be turned off, and users can either:

  1. back up to their personal device’s internal memory, subject to the limit of that data storage, backing up frequently to an external hard drive; although this would not provide the flexibility to access that backed up data remotely and/or using multiple devices; and/or
  2. back up particularly sensitive data to private cloud solutions and continue to back up non-private data to public cloud solutions. This, however, not only increases cost (as private cloud solutions are expensive due to the increased protections provided to individuals that use such) but also requires users to actively consider each piece of data in isolation at creation and determine where that should be placed; a time consuming and potentially complex procedure.

In light of the multiple hacks and data losses in 2013, and this celebrity iCloud leak, it is possible that the security provided to data which is stored using public cloud solutions will be subject to greater scrutiny and an increase in data security may be seen. However, this is likely to be marginal given the economics of providing a low-cost solution to consumers and the cost of implementing and maintaining robust security controls.  Although we will undoubtedly see a rise of more secure services targeted at persons who are willing to pay more in return for a higher level of security

Another possibility is that a change in law may take place in the near future, with stronger Data Protection Regulations being forecast to apply across Europe in 2015 and a potential standardisation in cloud terms to offer a more balanced consumer agreement. The combination of these laws may force businesses to comply with a higher standard of data security, and therefore result in a more beneficial position for consumers using cloud solutions.

We suggest watching this space closely because it seems highly likely that such data breach instances will become increasingly common. 

For further details, please contact Nicola Fulford.

[1] Article 8 of the European Convention on Human Rights

[2] Mosley v News Group Newspapers Ltd [2008] EWHC 1777 (QB)

[3] Lady Hale, Jameel v Wall Street Journal [2006] UKHL 44

[4] Mosley v News Group Newspapers Ltd [2008] EWHC 687 (QB)

[5] Stephens v Avery and others [1988] Ch. 449

[6] These are the three defences provided to internet service providers who transmit, host or cache infringing user-generated content.  These defences are contained in Articles 12-14 of the EU’s Electronic Commerce Directive 2000 and are implemented into UK law by the Electronic Commerce Regulations 2002.

[7] Section 97A Copyright, Designs and Patents Act 1988