iCloud photo leak and product design

Unless you've been hiding under a rock over the last few days, you will have seen the celebrity photo leaking scandal.

Hackers, most likely using a brute force attack on Apple's "Find My iPhone" iCloud service, managed to compromise a large number of celebrity accounts, and consequently download their photo streams and backups. Kirsten Dunst has left us in no doubt who she blames for the whole affair:

Kirsten Dunst's opinion of iCloud

Unfortunately, your desirability as a female celebrity is mostly driven by your appearance. Hackers being generally young and male means that your private intimate pictures are therefore a particularly inviting target. It's worth stating this fact clearly, to remove any doubt - anything you put on a remote server may some day be downloaded by someone who doesn't own it. Before you upload something anywhere, think about the consequences if someone who wasn't you gets hold of it.

What is most interesting about this saga, however, is the role played by product design. Apple has struggled to attract people to using their network services, despite experiencing phenomenal success in device sales. This has resulted in a perceived "competence gap" - where Google can be trusted with network services, Apple can't be.

We've no idea about the conversation that happen behind closed doors at Apple, but I can imagine that the iCloud team has been under a lot of pressure to increase adoption. Apple want to own the user, from the devices they use to where their data is stored. The pressure is on to pull more people into a service which internally is seen as strategically vital. Combine this pressure with Apple's skill in User Experience (UX) design, and users are given a seamless "on-boarding" experience when they start using their Apple devices.

After adding your Apple credentials, a single dialog is displayed to the user with potentially far-reaching consequences. Note that the user is "sold" the benefits of the service with no hint about the potential consequences if their account is in any way compromised. In the interests of simplicity, the description of what actually happens when the service is activated are left a bit vague and wooly.

Initial iCloud dialog

Under the hood, however, your iCloud account is immediately activated to synchronise all of your photos, documents and data. You can see this from the default iCloud settings on a clean device:

Default iCloud settings

One tap, sold to the user as a wonderful and practical convenience (who wants to have to manually copy photos backwards and forwards from their Mac or iPad?), means that any photo you have taken on your phone is immediately uploaded to a server, somewhere.

The server team who decided to leave out the brute-forcing check on the "Find my iPhone" service will be facing some stiff criticism internally. Heads may well roll. But it's important that we accept several inevitabilities in system design:

  • Users will choose bad passwords
  • Users will upload things they would rather the entire world didn't see
  • Servers will get compromised

Bearing these things in mind, the people who should face censure here are not the engineers who forgot a brute force password check. The criticism should be levelled at Product Managers who, in the interests of encouraging uptake of the service, sold it to users as a convenience without ensuring they were warned of the potential damage if the service was compromised.