Author Topic: (No) SURPRISE!: SnapChat 'hacked' pictures [will be] released  (Read 10016 times)

Offline MP-Ryan

Re: (No) SURPRISE!: SnapChat 'hacked' pictures [will be] released
@zookeeper

I feel like you're drifting away from my point: that users have no expectation that their sent images are private because of the ease in which even a technically un-inclined recipient can capture them.  It's blindingly obvious that your sent images can be captured and released by the recipient, and therefore you should have no illusions that data sent via Snapchat is secure from release.

The breach of private information occurred precisely because senders assumed recipients were not able to capture their images - despite what should be common sense - and sent compromising images.  This was then exploited by recipients, who in turn were exploited by an app.  All of this is the result of foolish people not doing their due diligence before using tech services.

@mars

See, I've always thought the limit of consequences to people who lose data should be the equivalent of calling them an idiot - only if this was predictable by any sort of common sense - and leaving it at that.  The people who actually non-consensually release data should be subject to criminal consequences.
"In the beginning, the Universe was created.  This made a lot of people very angry and has widely been regarded as a bad move."  [Douglas Adams]

 

Offline karajorma

Really?  It doesn't take willful stupidity not to notice that the images you transmit can be preserved with nothing more sophisticated than a camera and that this completely breaks the so-called security feature of the application?

I'm going to have to disagree with you there. You remind me of the comment I once read. "Why bother with needing a key to start your car? If a thief can break the security of your door locks, they surely can breach this layer too." Yes there probably are some snapchat users who trusted the security model you're complaining about to keep them safe but I think they're the equivalent of people who leave their car doors unlocked on the grounds that they think the starter will defeat anyone trying to steal the car.

I suspect many if not most of the people who used Snapchat trusted the app as nothing more than an additional layer of safety. Instead of simply sending the picture via email or whatsapp or some other method, they used Snapchat.  If Snapchat deletes the image after x amounts of seconds, well that's just a bonus. The first and foremost layer of security was to simply not send pictures to someone who they wouldn't have sent nude pictures using some other method. In other words, someone they trusted.


So in the end we're down to a breach in trust that could have happened with almost any program. Would you blame the user if someone had been distributing a malicious copy of PGP that uploaded your emails to an internet server? Sure there are steps that a tech-savvy user could take to avoid exposure but we're talking about a program which has half its users in the 13-17 age range. Are we really going to start saying that people who actually took extra steps to keep their pictures safe are stupid because they didn't see a threat like this coming?


I have always figured that, as long as society as a whole demands repercussions from people whose "compromising" photos have been released (firings, criticism, etc.) there ought to be repercussions for people who release such photos. On the positive side perhaps "celeb-gate" will convince people to stop persecuting working stiffs for having nudies that escaped onto the internet.

At this point so many people are taking nude pictures that we really should be losing our 20th century view of it.
« Last Edit: October 11, 2014, 11:04:29 am by karajorma »
Karajorma's Freespace FAQ. It's almost like asking me yourself.

[ Diaspora ] - [ Seeds Of Rebellion ] - [ Mind Games ]

 

Offline zookeeper

Quote
@zookeeper

I feel like you're drifting away from my point: that users have no expectation that their sent images are private because of the ease in which even a technically un-inclined recipient can capture them.  It's blindingly obvious that your sent images can be captured and released by the recipient, and therefore you should have no illusions that data sent via Snapchat is secure from release.

The breach of private information occurred precisely because senders assumed recipients were not able to capture their images - despite what should be common sense - and sent compromising images.  This was then exploited by recipients, who in turn were exploited by an app.  All of this is the result of foolish people not doing their due diligence before using tech services.

Well... I think this is the exact point we've been arguing about. The breach of private information didn't occur because senders assumed recipients were not able to capture their images, it occurred because recipients assumed that the app they were using wouldn't compromise them - but it did.

I see no reason whatsoever to assume that the users didn't realize that the recipient could capture the images if they wanted to, or that they thought that pictures they send are "secure from release". I don't understand what would lead you to such a conclusion.

You still seem to be arguing basically that people were stupid for trusting another person with a compromising picture (because another person can obviously always copy and leak it), whereas I consider that a completely different thing from trusting a random piece of software with a compromising picture. There's nothing wrong with the former if you actually trust the other person, and for all we know, in this case they might have been perfectly trustworthy, regardless of whether they sought to get personal copies of the pictures received or not.

 

Offline MP-Ryan

Quote
I suspect many if not most of the people who used Snapchat trusted the app as nothing more than an additional layer of safety. Instead of simply sending the picture via email or whatsapp or some other method, they used Snapchat.  If Snapchat deletes the image after x amounts of seconds, well that's just a bonus. The first and foremost layer of security was to simply not send pictures to someone who they wouldn't have sent nude pictures using some other method. In other words, someone they trusted.

Anecdotal evidence suggests otherwise; people trusted the rapid deletion as a security layer.  Also, in one study from this summer, fully 46% of snapchat users were age 12-24, which just happens to coincide with the demographic least experienced with understanding the implications of private information becoming public.

Quote
we're talking about a program which has half its users in the 13-17 age range. Are we really going to start saying that people who actually took extra steps to keep their pictures safe are stupid because they didn't see a threat like this coming?

This is precisely what I'm arguing - they actually didn't take an extra step at all.  SnapChat is no more secure than email; in practice, considerably less so considering that with email the users would not assume their naughty photos are going to disappear.

Quote
At this point so many people are taking nude pictures that we really should be losing our 20th century view of it.

Indeed.  Of course, we should also be making people aware of the fact that nude photos these days come with a much higher risk of exposure.  If people are OK with that, go nuts.  If not... well, you might want to choose who you send it to and the means by which you send it a little more carefully.

Quote
@zookeeper

I feel like you're drifting away from my point: that users have no expectation that their sent images are private because of the ease in which even a technically un-inclined recipient can capture them.  It's blindingly obvious that your sent images can be captured and released by the recipient, and therefore you should have no illusions that data sent via Snapchat is secure from release.

The breach of private information occurred precisely because senders assumed recipients were not able to capture their images - despite what should be common sense - and sent compromising images.  This was then exploited by recipients, who in turn were exploited by an app.  All of this is the result of foolish people not doing their due diligence before using tech services.

Quote
Well... I think this is the exact point we've been arguing about. The breach of private information didn't occur because senders assumed recipients were not able to capture their images, it occurred because recipients assumed that the app they were using wouldn't compromise them - but it did.

I'm going to venture a guess that the predominantly teenage users of this app operated on the assumption that recipients were not going to be able to capture their photos, which anecdotal evidence certainly indicates.

Quote
You still seem to be arguing basically that people were stupid for trusting another person with a compromising picture (because another person can obviously always copy and leak it), whereas I consider that a completely different thing from trusting a random piece of software with a compromising picture. There's nothing wrong with the former if you actually trust the other person, and for all we know, in this case they might have been perfectly trustworthy, regardless of whether they sought to get personal copies of the pictures received or not.

I'm arguing that people were stupid for trusting another person with a compromising picture because the application they chose to do it through promised its non-permanence, a philosophy a non-trivial number of people appear to have subscribed to.  How many people would send their compromising photos knowing the user on the other end actually was capturing them?

It's going to be interesting to see if the full information is ultimately released and the mindset the users who have their data released will demonstrate.

Ultimately, I don't believe users should be given a pass for not understanding basic privacy principles around technology.  Frankly, by giving people a pass and blaming corporations we encourage more complacency and lack of understanding on the part of users, which is not a good thing for privacy and technology generally.

Both this SnapChat release and Celebgate - though I don't suggest the celebrities acted inappropriately - should be gigantic teachable moments for people to learn two things:
1.  If you put it on the Internet, it essentially will exist forever.  You can never take it back.
2.  The only person or thing that can ensure private information you do not want in public never makes it in public is YOU.

Lessons that frankly need to be taught in grade school these days.

IMPORTANT:  I should also note that while no one has explicitly accused me of victim-blaming [yet], I don't think anyone who has their personal information released online is morally blameworthy in the act; that is different from saying they are behaviourally-responsible for the result of negligence (or, more colloquially, the author of their own misfortune).  I can call someone an idiot for their actions while still recognizing they are not at fault on a moral level.  No one deserves to have their privacy violated.  I tend to agree with [law] Professor Eugene Volokh:  http://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/09/03/nude-pictures-hackers-advice-blame-freedom-and-timing/
« Last Edit: October 11, 2014, 02:56:10 pm by MP-Ryan »

 

Offline zookeeper

Quote
I'm going to venture a guess that the predominantly teenage users of this app operated on the assumption that recipients were not going to be able to capture their photos, which anecdotal evidence certainly indicates.

I'm arguing that people were stupid for trusting another person with a compromising picture because the application they chose to do it through promised its non-permanence, a philosophy a non-trivial number of people appear to have subscribed to.  How many people would send their compromising photos knowing the user on the other end actually was capturing them?

It's going to be interesting to see if the full information is ultimately released and the mindset the users who have their data released will demonstrate.

Certainly it would be interesting. My point was just that currently, we don't know what their assumptions were. Maybe most of them really thought that even a malicious recipient couldn't copy the picture, or maybe they understood the risk and took it consciously. Stranger things are known to happen, after all.

 

Offline karajorma

Quote
This is precisely what I'm arguing - they actually didn't take an extra step at all.  SnapChat is no more secure than email; in practice, considerably less so considering that with email the users would not assume their naughty photos are going to disappear.

Again I'm going to have to disagree. I don't think it's much more secure than email but even if someone takes a screenshot they're left with what? A blurry copy of what they would have gotten had the person sent them an email instead. And in most cases, people don't take a screenshot so that message should be gone forever.

You're completely ignoring the "We've broken up and now he/she wants to use naked pics for revenge" aspect of this. If you've sent someone an email they can look back a few months or even years and get your pictures. Yes, someone might take a screenshot but that only occurs if the person you are sending the chat to is untrustworthy at the time. They can't get hold of those pictures at a later date unless they decided to break trust with you and save them at the time. And there is nothing you can do to stop someone doing that except for not giving them naked pictures. Sending by email is considerably less secure in this respect because you not only have to trust who the person is now, but also who they will become.

At least if you sent them over snapchat you have the advantage that you have proof whoever you sent them to was an untrustworthy scumbag at the time rather than posting revenge porn only after something went wrong in the relationship because of something you did (A favourite Revenge Porn excuse is "She cheated on me so I don't have to keep my promise to not post her naked pics." An excuse which is somewhat undermined if you've saved naked pics that were supposed to have been destroyed.)


Basically though, your entire argument is based on the assumption that the people affected by this leak were using Snapchat to send content that they wouldn't feel safe sending by other means. And you haven't proved that in the slightest. I tend to be of the opinion that someone who would send a naked selfie on Snapchat would have just as used something else if they didn't have Snapchat.

Quote
Anecdotal evidence suggests otherwise; people trusted the rapid deletion as a security layer.

If you mean as an extra security layer over and above trusting the person you're sending naked selfies to, I'd agree with you and say that it's not wrong to do so. If you mean as an unbeatable security layer that will prevent someone from getting any of their snapchat content, well 2-3 minutes on Wikipedia would have proved that wrong.

Quote
The study also researched as to why people use the Snapchat application. The results suggested that Snapchat’s success is not due to its security properties, but because the users found the application to be fun. The researchers found that users seem to be well aware (79.4% of respondents) that recovering snaps is possible and a majority of users (52.8% of respondents) report that this does not affect their behavior and use of Snapchat.

So it's not trusted as an actual unbeatable security layer. Simply as an additional layer of security of lesser importance than trusting the person you're sending naked pictures to.


Quote
feel like you're drifting away from my point: that users have no expectation that their sent images are private because of the ease in which even a technically un-inclined recipient can capture them.  It's blindingly obvious that your sent images can be captured and released by the recipient, and therefore you should have no illusions that data sent via Snapchat is secure from release.

And I think you're missing the counterpoint we're making which is that this was not the primary security model the users were trusting. What people trusted was that the people they were sending the pictures to wouldn't leak them. Expecting users to be aware that the image they are sending might be received by a 3rd party application instead of the Snapchat app, and that that 3rd party application might be maliciously saving those images is a completely different level of technical understanding than the simple one you're arguing about.

Quote
I tend to agree with [law] Professor Eugene Volokh:  http://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/09/03/nude-pictures-hackers-advice-blame-freedom-and-timing/

Quote
Now, the release of nude photographs isn’t quite in the same category as a brutal physical attack, but it’s still pretty bad stuff; and chiding the victim strikes me as similarly out of place there.

It’s not so much, I think, that the advice dilutes the blame imposed on the culpable party. Sometimes it might, but usually not.

Rather, it’s that the advice, framed as an observation of the victim’s mistake, dilutes the sympathetic outrage that we should be offering to the victim, and to those who empathize with the victim. Law-abiding, rights-respecting people expect other such people to condemn lawbreakers and rights violators, and to express sympathy for their victims. It is, I think, a social duty. It is a duty related to kindness, a sense of the community of the law-abiding, and norm reinforcement, not a duty stemming from law or even obligation to respect others’ rights. But some of our most important social duties fall in that category. The duty applies even if the victims exercised a bit more freedom than is wise under the circumstances. And turning the incident into an occasion to point to the victims’ errors weakens the force of this.

Vs

http://www.businessinsider.com/snapchat-hacked-the-snappening-2014-10

"I'll use a phone app to send pictures and videos that it says it will delete after a few seconds.  I'll send compromising images of myself (whether or not underage) to other people because nothing could possibly go wrong." - SnapChat users.

"You are a ****ing idiot." - Everyone familiar with technology and security.

Quote
I despair for the future of humanity in a technological civilization.  The pace of technology has exceeded the ability of human stupidity to cope with it.

To be honest, I can't see where you agree with him. Almost your entire argument on this thread is nothing but chiding the victim. Worse, you're chiding the victim for something that they probably didn't even do (expect snapchat to be secure).

I do agree that people (especially young people) need better education on the dangers of placing personal information and nude pictures on the internet but I don't think your argument helps that cause because despite what you claim, it is just victim blaming.

 

Offline StarSlayer

Stop with the negative waves MP.


Technology user != Technology specialist, man.

WOOF!
“Think lightly of yourself and deeply of the world”

 

Offline MP-Ryan

Quote
Basically though, your entire argument is based on the assumption that the people affected by this leak were using Snapchat to send content that they wouldn't feel safe sending by other means. And you haven't proved that in the slightest. I tend to be of the opinion that someone who would send a naked selfie on Snapchat would have just as used something else if they didn't have Snapchat.

Quote
The study also researched as to why people use the Snapchat application. The results suggested that Snapchat’s success is not due to its security properties, but because the users found the application to be fun. The researchers found that users seem to be well aware (79.4% of respondents) that recovering snaps is possible and a majority of users (52.8% of respondents) report that this does not affect their behavior and use of Snapchat.

Quote
So it's not trusted as an actual unbeatable security layer. Simply as an additional layer of security of lesser importance than trusting the person you're sending naked pictures to.

Nowhere have I said the first layer was not [misplaced, in the case of those people who are affected by the breach] trust in the people they were sending the pictures to not to capture them.

Your own cited stats - 20% of people were not aware that recovering snaps is possible.  Extrapolating:  20% of 30 million users is six million people.  Six million people who use SnapChat were not aware their snaps could be recovered - despite it being blindingly obvious.  Of the 30 million users, 15.8 million people don't allow the fact that snaps can be recovered to affect their behaviour (this is of course, a loaded statistic since "not affecting behaviour" could mean they never would have sent risque snaps in the first place).

Six million people is not an insignificant number when we're talking about users who didn't consider the fact that their snaps weren't actually secure from capture - in other words, they relied on that security layer despite the obvious fact that it is NOT actually a security layer.

Quote
If you mean as an extra security layer over and above trusting the person you're sending naked selfies to, I'd agree with you and say that it's not wrong to do so. If you mean as an unbeatable security layer that will prevent someone from getting any of their snapchat content, well 2-3 minutes on Wikipedia would have proved that wrong.

Precisely.  Apparently something roughly six million people didn't bother to check on.

Quote
And I think you're missing the counterpoint we're making which is that this was not the primary security model the users were trusting. What people trusted was that the people they were sending the pictures to wouldn't leak them. Expecting users to be aware that the image they are sending might be received by a 3rd party application instead of the Snapchat app, and that that 3rd party application might be maliciously saving those images is a completely different level of technical understanding than the simple one you're arguing about.

I believe the two go hand-in-hand.  You're trusting that the person you're sending these images to won't capture them and can't capture them.  Assumptions which in this case proved false - because clearly a number of recipients did violate that trust and bypass the 'security' offered by SnapChat, resulting in the breach.

Quote
To be honest, I can't see where you agree with him. Almost your entire argument on this thread is nothing but chiding the victim. Worse, you're chiding the victim for something that they probably didn't even do (expect snapchat to be secure).

I do agree that people (especially young people) need better education on the dangers of placing personal information and nude pictures on the internet but I don't think your argument helps that cause because despite what you claim, it is just victim blaming.

My argument is that victims were stupid - or more precisely, willfully ignorant of the risk at which they placed themselves - despite all the very good advice and information available to the contrary.  Again, I think this is a teachable moment.  I don't find the victims morally culpable for their mistakes, but rather that there was eminently great advice available for protecting themselves which people should continue to read now to protect themselves in the future.  This argument is fully consistent with Volokh's views.  The victims had the right to send private information to trusted recipients in the belief that it will be kept private and not be distributed; however, on the basis of the evidence of that, they should not have reasonably expected that that would be the case, and this is not a circumstance where sophisticated tech literacy was required to figure that out.  That doesn't make it their fault, morally; that resides with the people who released the information.  It does, however, and as I so ineloquently put it in the original post, make them ****ing idiots about privacy and technology.

So long as we give people a complete pass on taking easily available and very sensible advice about protecting their privacy (even though they have the right to believe it should be protected, despite the reality that it isn't), then the more privacy breaches we're going to continue to see.  Part of crime prevention (though this probably wasn't a crime as the law currently stands, like I said earlier) is target hardening.  It's an unfortunate necessity that looks an awful lot like victim-blaming, but it's the difference between saying "you are responsible for what happened to you" and "there were things you probably should have considered and people should consider in the future to protect themselves."  I completely understand the desire to say "things should be this way because my rights are protected" but the reality is that some people just don't care, and therefore it is reasonable that we take measures to protect ourselves.

Volokh's piece is entirely about that distinction.

Now where's my fireproof protective suit...
« Last Edit: October 12, 2014, 11:44:39 am by MP-Ryan »

  

Offline karajorma

Rather than go point by point on this I think I'd better sum up what I'm talking about.

Quote
My argument is that victims were stupid - or more precisely, willfully ignorant of the risk at which they placed themselves - despite all the very good advice and information available to the contrary.

This here is what I object to. I'm quite happy for this to be used as a teaching example. I think people should be made more aware of the dangers of malicious websites and apps.

What I have a problem with is that in this statement you basically claim that everyone affected by this leak was stupid. As far as I'm concerned this is not a sensible statement to make as it is built on a series of faulty assumptions.

You are attempting an argument that because users were willfully ignorant of the dangers of security flaw A (That you can easily circumvent the deletion of your photos) they were stupid to be affected by security flaw B (A complex phishing scheme). I'm sorry but I think there is a world of difference between "Be careful who you send naked pictures to cause they might try to keep them" and "Be careful that the person you send the pictures to isn't using a maliciously designed application or website which required some not inconsiderable amount of technical skill to set up in order to steal copies of your picture" The first might be pretty obvious but it doesn't follow that the latter is. If you want to make the argument that the phishing scheme itself was foreseeable, go for it. But please leave this nonsensical argument alone.

The data I posted suggested that the majority aren't ignorant of A and in fact simply don't care. Either because they don't send pics to people who would save them, or because they simply don't care if the recipient does save the image. I touched on this in passing earlier but you are completely ignoring the possibility that some people may use Snapchat for files they know the recipient is saving. They may simply have used it cause it was more convenient.

Basically, even if I accept the 6 million people you claim are ignorant as a fact, that still means that 24 million were not ignorant. Or more than 12 million even if you claim only those who didn't let the knowledge snaps could be captured affect their behaviour. Nor does it follow that the 6 million who didn't know were necessarily less careful about making sure that they sent pics only to people who could be trusted.

But yet you are claiming everyone involved was stupid. For doing nothing more than using an application to send a file to a computer which the recipient, through their own actions, had compromised. That could just as easily happen with email or Skype or pretty much any other method of sending data you care to name. By blaming Snapchat for this you actually dilute the message that people should beware of malicious apps as you make it quite clear Snapchat is the problem.