There was a piece in the news the other day on how a high school teacher videod his sexual exploits then stored them on Dropbox, after which it was summarily compromised. The video was then posted to the school’s faculty page which obviously caused him enormous embarrassment then to top it off, the school fired him. This is a newsworthy story with regards to privacy and security and was worth sharing:
Probably don't put these in Dropbox: "Teacher’s sex tape stolen from hacked Dropbox, posted on school site": https://t.co/WaPlqqsbG8
— Troy Hunt (@troyhunt) February 18, 2016
There are many things wrong with this case totally outside the poor bloke’s control. Someone shouldn’t have illegally accessed his account. They shouldn't have then posted his video. Kids then shouldn’t have shared stills of it via Snapchat. The school shouldn’t have fired him for it (the basis of which isn’t made clear in the story). The guy is the victim yet he well and truly got the short end of the straw.
In my rather analytical mind, there would have been an easy way to avoid this:
Yes, you have the right to privacy...
— Troy Hunt (@troyhunt) February 18, 2016
However, you can't lose what you don't have so maybe consider that too
Makes sense, right? In fact, it’s a long held security truism applied time and again to system design – “Hey’', let’s not capture birthdate / gender / sexuality if we don’t absolutely need it because that way, we can’t lose it”. It is the most fundamentally simple of principles.
Having travelled this path before, I expected someone might pull out the “victim blaming” card and this occasion didn’t disappoint:
@troyhunt Be careful, telling people not to put sensible data in the cloud is called “victim blaming” nowadays and makes you an evil sexist.
— jdax (@jdax) February 18, 2016
The issue of how “sensible” this data is aside, this is a term that has been popularised in the wake of numerous other similar incidents. These are cases where someone has recorded intimate photos or videos of themselves then lost control of them, after which many people say “it probably would have been better not to have recorded that in the first place”.
Sure enough, sooner or later, someone inevitably pulls the old line out:
@troyhunt victim blaming much?
— Rushed Kludge (@lolkthen_) February 18, 2016
Let’s get away from this ridiculous term for a moment – “victim blaming” – because that’s not what it is at all; no blame is being apportioned at the victim. It’s not saying that it’s their fault someone broke into their account and stole their personal files (although it’s highly likely in this particular case the guy was missing fundamental security controls such as multi step verification), rather that they are empowered to choose what they digitise and if they chose not to digitise their sex tapes or dick pics or whatever it is that would cause them great embarrassment should it be released, then it would not be released because it wouldn’t exist!
Same again with this one:
This is a horrible argument. By the same logic I'm to blame for getting hacked in the vtech hack... wrong https://t.co/X7bvC3wX0g
— Ben Dornis (@buildstarted) February 18, 2016
No, of course he’s not “to blame”, Ben made a judgement decision that most of us would consider perfectly reasonable by entrusting VTech with exactly the same class of data we’ve all trusted dozens of websites with. If Ben likes to take dick pics and backs them up to iCloud then gets them pwned per The Fappening of 2014, the person who compromises his account and leaks pictures of Little Ben is the one we should blame. However, Ben can choose whether he wants to expose himself (pardon the pun) to that risk or not by deciding whether Little Ben should be recorded for perpetuity in a way that may lead to redistribution in the future.
He did clarify a little later on though:
@troyhunt the way you wrote it suggested that if they didn't have the video nothing bad would have happened but that just means you'd have
— Ben Dornis (@buildstarted) February 18, 2016
Yes! When I say that “you can’t lose what you don’t have”, I mean that if that bloke didn’t have a sex tape then it wouldn’t have been made public and that is simply not up for debate, it’s an immutable fact. If you digitise content of that nature, then you must also accept that it could one day be made public because that’s just simply the nature of a connected world. It’s not right – it sucks – and people like me spend a huge amount of our time trying to stop this sort of thing from happening in the first place. But people like me also give advice like I did in the tweets – do your own risk assessment and consider whether this is a wise thing to do.
Let me leave you with some suggestions because by no means do I want to deprive anyone of their inner voyeur. Here’s a good option for sex pictures:
You get a nice printout that you can store somewhere offline and because there’s no digitisation you dramatically reduce your attack surface (don’t then scan these and put them in your Dropbox though). They’re effectively “air-gapped” from the connected world which from a pure risk perspective, makes a lot of sense.
If videoing your sexual exploits is more your style, have a go at one of these:
It records direct to VHS and you can then whack it in your video player and relive the moment over and over again from the privacy of your own home. Like the polaroid option, it’s not digitised so you can’t accidentally back it up to the cloud and frankly, even copying them is a pain in the arse. It’s not fool proof mind you, let us not forget the Pamela Anderson and Tommy Lee situation in the late 90s, so do consider how you store the tapes once they contain sensitive footage.
Yes, this is somewhat tongue-in-cheek but the point is that if you want to capture these moments in time then there are ways of minimising your risk. People have every right to do exactly what this guy did but the stakes are very high if it all goes wrong and they should think carefully about whether that’s a risk they want to take.
The “victim blaming” response frustrates the hell out of me and it’s political correctness gone mad. It’s up to you what you do and don’t put on the web in this fashion and you get to make the decision on whether or not you want to expose yourself to these risks. But there’s no two ways about it: if you choose not to record your sexual exploits and put them in Dropbox, they won’t ever be made public per the story above. Call it what you want, but it’s that simple.