Who Is Liable When Cloud Services Are Hacked?

The recent celebrity photo hacking brings up legal as well as moral issues.

Who Is Liable When Cloud Services Are Hacked?
[Photo: Flickr user Ramon Casha]

Over the weekend, some of the world’s biggest celebrities found themselves dealing with a privacy nightmare. Naked, explicit pictures of themselves they had taken for private use were obtained by hackers and posted to the Internet. Jennifer Lawrence, Kate Upton, McKayla Maroney, and a host of other (young and female) public names who may have used Apple’s iCloud to store naked pictures of themselves all got caught up in the scandal.


As of press time, the mechanics of each case of non-consensual photo sharing are unknown. Apple put out a statement saying noting that a few, specific iCloud users had been targeted but it’s unknown whether these celebrities knew how Apple’s default iCloud settings automatically back up copies of any picture taken with an iPhone to remote servers.

This raises the question of culpability. Are Apple, Google, Dropbox and their rivals liable when an account is hacked and naked pictures are uploaded to 4chan or corporate emails end up on PasteBin?

While the terms and conditions of iCloud explicitly say that “Apple does not represent or guarantee that the service will be free from loss, corruption, attack, viruses, interference, hacking, or other security intrusions,” there’s a bit of a gray area there. Apple is a global corporation with a presence in nearly all countries that operates under a wide variety of laws. And the law gets murky when it comes to the question of cloud providers not doing all they can to protect customers. While Apple and their rivals are in the clear, the hackers who stole the pictures can be liable under some circumstances.

Rolf Weber and Dominic Nicolaj Staiger of the University of Zurich recently tackled the question of liability issues related to cloud computing. Part of the murkiness, they write, is due to the fact that cloud services like iCloud are based in one jurisdiction and used by users in other jurisdictions. In addition, the European Union has much stronger personal data privacy protections than the United States or Canada. Although it’s very much an open question, cloud providers generally have less legal protection in Europe than in North America.

But, in some cases, there have been legal remedies for individuals who found naked pictures of themselves uploaded to the Internet. In response to the proliferation of “revenge porn” in recent years–personal naked pictures posted to the Internet without the other party’s consent–some legal experts have found creative protections.


Amanda Levendowski, a New York University law school graduate specializing in copyright issues, recommends using copyright law to have naked pictures posted without consent taken offline. As she notes, 80% of all naked pictures found on revenge porn sites are “selfies,” which means that copyright belongs to the person pictured. Because the reposting of these pictures is a violation of copyright law, injured parties have “a uniform method for revenge porn victims to remove their images, target websites that refuse to comply with takedown notices and, in some cases, receive monetary damages.”

The only problem, of course, is that once a picture finds its way to the Internet, it’s impossible to target every site with a copy of the picture… especially for a public figure like Kate Upton or Jennifer Lawrence.

Danielle Keats Citron, a professor at the University of Maryland Law School, and Mary Anne Franks of the University of Miami School of Law, also argue that current legal protections are lacking for people who find out that naked pictures of themselves are posted online without consent. In a paper published in the Wake Forest Law Review, the two argue that new laws need to be created to protect people who appear in what they call “nonconsensual pornography.”

In the meantime, law enforcement seems to respond quickly when celebrities are the ones whose naked pictures are posted. The FBI is reportedly investigation the iCloud hack; FBI agents arrested two men who were hacking into email accounts to find nude photos in January as well. However, many times law enforcement does not quickly respond to similar cases.

So, the companies that host your naked selfies are largely outside of legal responsibility in the case of a hack. The only body available to hear your case might be the court of public opinion, which, though lacking subpoena power, has been known to bring a few press-sensitive Internet giants to their knees.