Taking down the hackers

In what amounts to one of the more high-profile – or at least the most salacious -- data breaches of the last few years, the personal phones of more than 100 celebrities were compromised this week. The hackers leaked a slew of personal photos they found on those iPhones, raising the ire of not just the celebrities, but the FBI.

It raises the question: What do you do if hackers get ahold of your personal data?

In this scenario, reports allege that the hackers compromised Apple’s iCloud system, which allows users to sync their photos and data to a cloud storage system. Apple denies that, saying that an internal investigation revealed that the hackers merely used programs to obtain the celebrities’ passwords.

Either way, criminal charges appear to be pending. Civil action, meanwhile, remains on the table.

Civil remedies

If any Canuck celebrities — or, really, any Canadian — fell prey to a similar scheme, they may well find that Canada offers a mixed bag when it comes to fighting back against this sort of bullying.

In the United States, one of the most popular legal remedies for having your intimate images distributed widely is the Digital Millennium Copyright Act. Originally designed to allow artists to go after content pirates, the Act has proven to be a powerful tool for those looking to take down leaked images.

The DMCA allows copyright-holders — and, indeed, these celebrities can claim copyright on photos they’ve taken with their cellphone — to petition website hosts and search engines to take down or delist infringing sites.

Canada’s milder copyright regime isn’t quite so amendable to that sort of action.

Up North, copyright holders could petition the Internet Service Providers to contact the infringing users, but take-down mechanisms just don’t exist in the Canadian system.

The owners of the pictures could, however, file suit.

That, says Barry Sookman, is “the best way to go” in terms of dealing with that kind of malicious hacking.

Sookman is a senior partner at McCarthy Tétrault, and he says the trick is to catch infringement early. If you can catch the producer and file notice for infringement, you might be able to head off further distribution at the pass. After it gets loose, the only option is to find the ‘digital fingerprint’ of the images and ensure that all websites distributing them are targeted.

“It does raise an even broader question — is there a way for the celebrity to reduce the impact of the damage?” says Sookman. “Once content becomes so widely percolated, the only effective way to ensure that the information is not so widely circulated is to go to Google.”

That’s not the only remedy, however.

After the 2012 Ontario Court of Appeal ruling in Jones v. Tsige, anyone filing suit in Ontario for breach of privacy can now rely on the tort of ‘intrusion upon seclusion.’

The judge found that Tsige, a Bank of Montreal employee, repeatedly accessed the account of her ex-husband’s new partner (Jones) and that “the intrusion was intentional, it amounted to an unlawful invasion of Jones’ private affairs, it would be viewed as highly offensive to the reasonable person and caused distress, humiliation or anguish.”

Sookman points to that tort, as well as ‘breach of confidence,’ as good civil remedies for seeking damages from the hackers. It doesn’t do much good if you’re trying to stop the pictures from being distributed, however, which is why copyright works as a catch-all.

But it might not just be the hackers who are liable.

While it’s unclear exactly how the hacking came to pass, if security deficiencies in Apple’s iCloud are to blame, the cellphone giant might be facing rough times ahead.

While the company wouldn’t be automatically liable since the hackers obviously committed a crime in breaking the company’s security, this could be a job for the Privacy Commissioner.

Daniel Therrien, Ottawa’s new appointee to the job, has signalled that private holdings of Canadians’ personal information will be a prime concern for his office in the coming years.

But one determination needs to be made first: Where is the cloud?

If someone in St John’s takes a picture on their iPhone, and it automatically syncs to the cloud — which is hosted in California — and their cloud is hacked, is the picture in California, or is it in Newfoundland?

That philosophical question is one that the Canadian courts have not properly addressed.

In a Privacy Commissioner report on the matter, the watchdog noted that “by its very nature, cloud computing has the possibility of sending, storing and processing data in multiple jurisdictions. Depending on data protection laws and approaches, this may create problems of jurisdiction. Indeed, an ascendency of the cloud model may even call into question the whole notion of data ‘ownership’ upon which much data protection is based.”

There’s a reasonable argument to be made that, no matter where the data is, it constitutes a Canadian’s private information, and therefore falls under Canadian jurisdiction. But whether the Commissioner has grounds to investigate is another question.

It would also need to be proven that Apple’s infrastructure is partly to blame, that it did not live up to its privacy policy or terms of service, and that it falls under the jurisdiction of Canadian courts.

The third requirement, at least, has some basis. A case from June, Equustek Solutions v. Jack, established a BC court’s jurisdiction over the American company for the purpose of protecting a Canadian company’s trade secrets.

Proving the first two requirements, however, would be more difficult.

Criminal solutions

Civil remedies aren’t the only option for a victim of hacking.

Carissima Mathen, a professor at University of Ottawa’s Faculty of Law, says Canadians have a few avenues with respect to criminal sanctions. Soon, however, a whole new path will open up.

Mathen says the two big Criminal Code sanctions that would apply to the cellphone hackers would be section 342.1 (unauthorized use of a computer) and section 430 (mischief in relation to data.) Both are hybrid charges and can carry a maximum penalty of 10 years.

From there, it’s slim pickings.

While a charge under the voyeurism section might seem like a perfect fit for this scenario, Mathen says that, historically, there has been a “physical trespass” element to voyeurism.

“It would be a stretch to apply voyeurism,” she says.

A theft charge, too, might seem like a logical route. However, Mathen points out the Supreme Court has established that “confidential electronic information does not count as property for the purposes of theft.” While technology isn’t quite what it was 30 years ago when that ruling came down, there doesn’t appear to be too much appetite to update the antiquated interpretation.

It might seem lacking that the Criminal Code could only prosecute the hacking aspect, and not the dissemination of someone’s personal images.

This is where C-13 comes in.

The controversial omnibus legislation has been much-derided for its lawful access provisions but its primary goal involves going after ‘revenge porn.’

Distributing intimate images without consent could net you up to five years in prison after the new bill is passed this fall. It’s an ideal sanction to go after the hackers and anyone publishing the images.

However, this situation does underline how overbroad this law could be.

The images were originally posted to online message board 4Chan, and were quickly disseminated to Reddit and elsewhere on the internet.

In this case, where the lack of consent is inexorably tied to the images — given that they were hacked — it raises the question: Where do you stop prosecuting? If thousands of Canadians forwarded the images or uploaded them to their website, are they all guilty?

“It becomes an enforcement issue, obviously. In terms of the way that the law is structured, it covers everyone down the line,” says Mathen. “If this turns out to be an over-broad law, then Parliament should go back and fix that.”

C-13 wouldn’t criminalize the entire internet, however. Police and prosecutors would still need to prove beyond a reasonable doubt not just that the accused distributed the images, but that they knew the images were obtained without consent.

Even so, that could be a lot of people.

Mathen says that prosecutions under similarly structured laws like voyeurism are “pretty rare,” given the physical requirements. She says prosecutions might just pick up.

“I suspect we’ll see a little more with C-13,” she says.

 

Related: Read Kim Covert's blog on whether we need a digital bill of rights