Has Apple Mishandled the Question of the Security of Private Information Stored on iCloud?

Note: this post was written on September 3, 2014

In perhaps one of the strongest examples in recent memory of the wisdom of Murphy’s Law, Apple finds itself 6 calendar days away from a major announcement, but the promising opportunity it presents (for Apple to advance the positive features of its brand) is moving further from its grasp, seemingly by the moment. In fact, the event scheduled for September 9, 2014 may even be transformed into an unpleasant question and answer session on a difficult topic if public sentiment continues to trend in its present direction.

Unfortunately for Apple, on Labor Day, September 1, 2014, a story broke detailing the theft of personal information — photographs — of at least one celebrity, Jennifer Lawrence. But the theft of Lawrence’s personal data, apparently a hack of her iCloud account, is not, in this writer’s opinion, the complete problem facing Apple just a few days from its otherwise promising fall public relations event.

The real problem is how Apple’s own Public Relations team has responded to questions about the security of iCloud as a cloud SaaS offering for secure online storage of personal data.

Without thrashing over the details of the response, it should suffice to sum it up as an editorial denial of legitimacy. In other words, Apple’s public voice states, forcefully, that the claims that iCloud is insecure are all wrong.

The problem with this type of rhetorical convention is the way it moves the focus of debate away from the points likely to matter to an ISV (in this case Apple) and over to points of vulnerability for the general public, where the odds of Apple’s PR team successfully convincing an audience of the truth of this editorial position are nowhere near as promising.

So, for the more technical segment of Apple’s public audience, the focus has now shifted to a document in Apple’s knowledge base, Apple ID: Security and Your Apple ID. Sure, most of the text of the article spells out steps Apple has taken to seamlessly protect its users (these are summed up in the mandatory requirement of complex passwords). But, tellingly, the section on the optional step of enabling two-step verification for one’s Apple ID doesn’t work in Apple’s favor. Given the gravity of delivering a secure cloud SaaS computing experience for the general public, the technical segment appears to argue that a safeguard like two-step verification ought not to have been presented as an option. Rather, it should have been plainly presented as a mandatory control each and every user must adopt.

After all, from a risk management perspective, a control like two-step verification should be a mandatory feature of a truly secure repository located anywhere. But presenting this control as a mandatory step today rests on a tacit “best of all possible worlds” assumption about how the general public goes about completing its computing activities. In contrast, the computing realities of 2014 have been designed more to “dumb down” potentially complex computing procedures like two-step verification than to foster them. So Apple lines up with its peers and adopts a more lenient stance as regards the application of these controls.

Unfortunately, the reason for scrutiny of Apple’s policy doesn’t work in this ISV’s favor. Once again, Apple is certainly not alone in this, but the public relations team’s choice to deny the obvious, in this writer’s opinion, should have been subjected to more scrutiny before it was publicized.

The lesson here for early-stage ISVs is to plan on reacting to a problem like Apple’s by admitting culpability, rather than denying it. After all, the point of weakness in this case is precisely the same for any number of Apple’s peers. Apple could have chosen to stand up as a leader and notify the public of a decision to make two-step verification a mandatory control over all Apple IDs. Let’s all hope they needn’t come to regret the position they took.

