In a bold show of support for the victims of the infamous iCloud “nude photo hack” last year, several members of F-Secure’s staff stripped themselves bare to take a group photo that challenged much of the victim- blaming that followed the leak.
The incident occurred in late September when hundreds of nude photos of celebrities, mostly women, were posted online without their consent. The images first appeared on 4chan, an online, image-based bulletin board, but quickly went viral, prompting some victims, like actress Jennifer Lawrence, to involve law enforcement. After a 40-hour investigation, Apple confirmed that celebrity iCloud accounts had been compromised in a “very targeted attack on user names, passwords and security questions,” but that the attacks hadn’t resulted in a breach of Apple’s systems, including iCloud or Find my iPhone, as had been speculated.
While Apple quickly addressed the root cause of the photo leak, the images of victims that had been posted posed a concern since they had already been saved and reposted online, often as a source of ridicule.
Witnessing the events as they unravelled, a number of workers at F-Secure, a Finland-based online security and privacy firm with offices in the U.S., had had enough.
In late September, nine female employees posed nude for a photographer and posted the photo on F-Secure’s blog to emphasize that the iCloud incident, and others like it, showcased the importance of consent in regards to online privacy. Pascale
The team’s show of support was inspired by the actions of a Danish woman, Emma Holten, a victim of “revenge porn,” who eventually decided to “write a new story about [her] body,” she wrote in an essay called “Consent.” Last year, Holten, then 23, published her own nude photos, years after having been victimized by a similar act, when an ex-boyfriend allegedly shared private images of her without her permission, some which were taken when she was 17.
Laura Díez, media designer for corporate communications at F-Secure, who was one of the original staff members to plan (and pose for) the photoshoot, tells SC Magazine that “the wish to support the victims [of revenge porn] was what brought us there.”
While she initially had her doubts about participating in the shoot, particularly concerned with how her close friends and family would react, Díez believes that “the cause for which we fight is fair and bigger than any individual’s fear. It was totally worth it for me to go against the grain,” she says.
Sean Sullivan, security adviser at F-Secure Labs, said that when he became aware of his colleagues’ plans to post their own photos in response to victim blaming, that leadership at the company was on board. “People take these photos and there’s nothing beneficial about saying that they shouldn’t have taken them in the first place, or that they brought this on themselves,” Sullivan says. “It’s [also an issue] when the content is shared without someone’s consent.”
To date, 18 states have passed legislation that, in some form, makes illegal the posting of explicit pictures online without the subject’s consent, an act of harassment in some instances known as “revenge porn.” Yet, despite the successful efforts of lawmakers to prohibit this form of online persecution, a debate has surfaced regarding how effective these laws will be in the long term in discouraging these acts by ex-significant others, hackers seeking notoriety or website operators who’ve created businesses out of extorting victims who are desperate to have their images removed from strangers’ sight.
In May, Florida became the most recent state to adopt anti-revenge porn legislation when Gov. Rick Scott signed the “sexual cyberharassment” bill, which says “a person depicted in a sexually explicit image taken with the person’s consent has a reasonable expectation that the image will remain private.” The legislation, which will become effective Oct. 1, 2015, subjects perpetrators with no prior sexual cyberharassment convictions to a first-degree misdemeanor. Already referred to as “watered down” in some circles, the new law provides protections only for images shared on websites (and not through text messages or emails, for instance, where victims could also be harassed or have their images shared without their knowledge or consent). Furthermore, in order to face a penalty, a perpetrator must publish a sexually explicit image that “contains or conveys the personal identification information of the depicted person,” such as the victim’s name or email address.
Holly Jacobs, a victim of revenge porn turned activist, is still in the midst of a legal battle with her perpetrator years after her life was turned upside down.
Laura Díez, media designer for corporate communications, F-Secure
Mary Anne Franks, board vice president and legislative and tech policy director, Cyber Civil Rights Initiative
Holly Jacobs, founder, Cyber Civil Rights Initiative
Lee Rowland, staff attorney, ACLU’s Speech, Privacy and Technology Project
Sean Sullivan, security adviser, F-Secure Labs
Sandra Toms, vice president and curator, RSA Conference
In a well-documented case, Jacobs was forced to change jobs, and even her name, after she learned in November 2011 that her ex-boyfriend allegedly shared nude images of her with a revenge porn website. Because the case is ongoing, Jacobs declined to comment on her past experience, but she did share that she launched the End Revenge Porn campaign in August 2012 after realizing “there was no help” available to her when she needed it.
What started as a personal campaign soon grew into an organization, called the Cyber Civil Rights Initiative (CCRI), where victims of revenge porn “could get what they needed” in resources to stop the harassment and go after perpetrators, Jacobs says. CCRI refers victims to attorneys offering pro bono legal services at the Cyber Civil Rights Legal Project, an initiative started last September by K&L Gates, a Pittsburgh-based law firm. CCRI has also worked with legislators in other states to help draft legislation that fights what it prefers to call “non-consensual pornography.”
“We prefer the term ‘non-consensual pornography,’ because ‘revenge porn’ is kind of limiting,” Jacobs says. “It’s more than an ex getting back at them for breaking hearts. It’s also the hacking of images, or sometimes there’s sextortion,” an act of exploitation that aims to coerce sexual favors from a victim. “It’s not just someone getting revenge on someone they once dated,” she says.
Jacobs, who says statistics are limited on the acts of harassment often categorized as “revenge porn,” believes that “there’s a huge need for research to be done in this area,” including a large-scale study.
Some statistics do exist – and they are disheartening. In a poll hosted between August 2012 and December 2013 on EndRevengePorn.org, CCRI found that 90 percent of revenge porn victims in its sample were women. Ninety-three percent of respondents said that they had suffered significant emotional distress from such acts, while 49 percent said they had been harassed or stalked online by users who viewed their material.
Along with explicit photos, perpetrators were also said to have posted other identifying information to revenge porn sites, including victims’ names (59 percent), information from social networking sites (49 percent), email addresses (26 percent) and phone numbers (20 percent). Sixteen percent of respondents said that their home addresses were also posted along with their images, while 14 percent said that their work address was shared. Only two percent of respondents said that their Social Security numbers ended up on revenge porn sites.
A more recent survey, conducted for 28 days in March by Abby Whitmarsh, a woman studying to earn her Ph.D. in web science at the University of Southampton in England, showed that around 95 percent of posts to a revenge porn website during the timeframe depicted female victims as the subject. Using a custom-built web scraper written in Python and Selenium WebDriver, Whitmarsh found that there were 396 posts made to the unnamed revenge porn website, in which the identities of only 18 men were displayed.
Brian Pascale, a partner at New York-based WeitzPascale, which represents revenge porn victims among other clients, says that individuals requesting his counsel are typically women, and that he has “only encountered a few [cases with] minors,” though victims were no longer minors by the time they contacted the firm.
The 24/7 attachment to social media that most youths have threatens to make the harassment even more unbearable for some victims, he believes. “When we were younger, bullying ended when we went home. Now, it never ends. There’s social media and kids commit suicide over it,” Pascale says.
In the midst of these attacks, revenge porn legislation is meant to help victims more expeditiously regain control of their lives, facilitating website shutdowns, arrests, convictions and even jail time for offenders. And Jacobs (left) adds, “Besides just needing a law in place to help victims, [legislation] also sends a strong message that this is unacceptable behavior, and it really helps deter doing it in the first place.”
Kevin Bollaert, a San Diego resident who ran two such sites, UGotPosted.com and ChangeMyReputation.com, was found guilty in February on six counts of extortion and 21 counts of identity theft, and in April the 27-year-old man was sentenced to 18 years in prison. The case was deemed the “first criminal prosecution of a cyberexploitation website operator in the country,” by California Attorney General Kamala Harris’ office.
Despite the progress revenge porn law presents, Jacobs admits that, with the plethora of legislation policing these crimes, it is essential to make sure that laws are crafted to carry out their initial purpose – efficiently thwarting further exploitation of individuals.
Revenge porn: Law
So far, 18 states have passed laws making acts of revenge porn illegal. Florida’s “sexual cyberharassment” law, which goes into effect on Oct. 1, is the newest of the bunch, making the crime a misdemeanor in the first degree, and a felony of third degree for second or multiple-time offenders.
“Unfortunately, there are only a small handful of strong [revenge porn] laws,” Jacobs says. “Most of them have some problems, in that there are issues with First Amendment rights…or it won’t help all of the victims that need protection,” she says, pointing to the Florida statute as cause for her concern about adequate protections.
Last September, the American Civil Liberties Union (ACLU) helped challenge Arizona’s “nude photo law,” which intended to combat revenge porn, citing concerns that the legislation was “overbroad” in that that could impact any individual who distributed or displayed nude images without a person’s consent, which could include photos used for historic, artistic, educational or otherwise newsworthy purposes, the group argued. The ACLU, the ACLU Foundation of Arizona and the general counsel to the Media Coalition represented plaintiffs – including the National Press Photographers Association, the American Booksellers Foundation for Free Expression, the Association of American Publishers, among others – in a federal lawsuit challenging the new legislation. The plaintiffs’ complaint called the law an “overbroad and content-based statute that criminalizes the display, publication and sale of non-obscene images fully protected by the First Amendment.”
Lee Rowland, staff attorney with ACLU’s Speech, Privacy and Technology Project, contends that “it’s problematic to make it illegal to share a certain type of picture without the person’s consent [who is pictured],” and that a bigger question looms over the issue of revenge porn law as to “when the criminal law is the appropriate way to remedy a violation of trust between two adults.”
From Rowland’s perspective, effective revenge porn law should be “thoughtful and tailored” to prosecute those with clear malicious intent who have carried out a knowing invasion of the victim’s privacy and caused actual harm done to the person pictured.
Outside of law, Rowland (left) believes that progress has been made through other avenues, such as private companies changing their policies in the aftermath of the iCloud photo leak. Reddit (which following the incident took down nude celebrity photos associated with the hacks) introduced a new policy in March banning “involuntary pornography” – inclusive of photographs, videos or digital images – in which it asked users to report questionable content. Following suit, Twitter, Facebook and Instagram also updated their user policies to take a stricter stance against activity facilitating revenge porn.
For the security industry to help prevent the kind of cyber exploitation that occurred after the iCloud hacks, F-Secure’s Sullivan says it must continue to advocate good data security practices.
“A large problem with the iCloud hacks was that the passwords were guessable,” he explains. “After the photos were leaked…people gave advice that you should lie on the security question, but the problem is you might not remember that,” Sullivan says. “The goal is for the security industry – if we can’t get rid of passwords – to at least make it easier for [individuals] to use strong passwords and managers for them.”
To open the dialogue on this issue and educate users on how crucial it is to secure their personal data, including intimate images or information that could be used to harm or humiliate them by attackers, privacy advocates must continuously peel away the sense of shame or discomfort surrounding these topics.
At RSA Conference, the world’s largest information security event, professionals broached the topic of protecting children online from predators and falling victim to sextortion – a category that could include revenge porn. The keynote session at the April 2015 show in San Francisco, called “Into the Woods: Protecting our Youth from the Wolves of Cyberspace,” convened about eight years after the subject had first come before RSA attendees, according to Sandra Toms, vice president and curator of RSA Conference, who served as the moderator for the session.
“I remember thinking that I didn’t know if it was going to go down, because it was such a serious and hard topic to talk about,” Toms (right) says of the first panel on the subject.
That first session was well-received, however, and all these years later, the Into the Woods panel was the highest-rated keynote session at the 2015 conference, Toms says. One of the panelists, Alicia Kozakiewicz, president of The Alicia Project, shared her abduction story with the audience – she was sexually abused at the age of 13 by a man she met online.
Toms says that the topic of protecting youths online made a return, in part, at RSA Conference so that experts could offer insight on how attendees could help address the issue.
“One thing we didn’t leave them with was how we could make a difference,” Toms says of the panel nearly a decade ago. “And we tried to incorporate that this year. When we did the panel again, as moderator, I can say that the room was never quieter.”
In the end, the talk inspired IT security practitioners to bring the information back to their neighborhoods and families, Toms adds. “And if we could just prevent one more incident from happening, then it’s worth it.”
When it comes to revenge porn, Mary Anne Franks (left), board vice president and legislative and tech policy director for the Cyber Civil Rights Initiative, hopes cyber security education also will be stepped up to protect potential victims, both adults and minors, from such crimes.
“It’s a question of, if you have intimate material, what types of steps should you take for that info not to be vulnerable to hackers,” or others seeking to exploit victims, Franks explains. Cases involving minors may also raise troubling issues about coercion, she adds.
Franks notes that, whatever the way forward, the fight to stop these perpetrators could use help from all sides.
“You have to prevent the breach in the very beginning,” she says, comparing the ramifications of revenge porn to the more fleeting impact of other personal data being posted online in a similar fashion.
“If someone’s credit card data gets leaked, it’s different,” Franks says, adding that “the consequences of disclosure [here] are so severe and devastating that it’s got to be on security companies’ minds.”