Skip to main content

Keep nude photos offline? Here's a better idea

By Woodrow Hartzog
September 4, 2014 -- Updated 1837 GMT (0237 HKT)
  • Hartzog: It's misguided to think key to Internet privacy is keeping things offline
  • We should demand security from companies that handle our online information, he says
  • We should insist on design features, notifications that let us safeguard our own information
  • Hartzog: Companies that don't protect data must be held accountable by law

Editor's note: Woodrow Hartzog is an associate professor at Samford University's Cumberland School of Law and an affiliate scholar at the Center for Internet and Society at Stanford Law School. The opinions expressed in this commentary are solely those of the author.

(CNN) -- "If you want to keep something private, keep it offline."

This has been a popular reaction to stories about the targeted attack on celebrities' cloud storage accounts that resulted in the publication of intimate photos. There's something intuitive in this way of thinking. After all, folks can't wrongfully access data that doesn't exist. But it's simplistic logic, and misguided when viewed as the ethic that should guide digital age conduct.

Blaming the victims of these attacks distracts us from the greater importance of people and companies working together to protect online information.

Woody Hartzog
Woody Hartzog

We should not, of course, be reckless about what we share online and whom we share it with. But keeping sensitive information off the Internet is no cure-all response to these attacks. Taken to its logical conclusion, the "keep it to yourself" mindset would require that we virtually give up using the Internet.

Most of the things we share online leave us all exposed in some way, even if the vulnerability is incremental. And, let's face it, even if it were possible for people to stay off the Internet and still function in society, we generally can't keep others from sharing our personal information online.

Putting all the responsibility on people to "keep it offline" ignores the responsibility of companies entrusted with our personal information. Instead of becoming digital recluses, we should demand reasonable security from companies, as well as design features and notifications that will empower us to protect our own information in reasonable ways.

Not everyone (though more than some might think) can relate to sending or storing intimate photos and videos online. But most of us have shared or stored something online in such a way that would be quite hurtful if widely publicized. For example, we commonly share credit card numbers, health information, emails to loved ones, and photos that, if taken out of context, might be misinterpreted in harmful ways.

Even innocuous information in the aggregate can reveal deeply personal and private things about all of us. Does this mean we should have kept all these photos, emails, and documents offline? For most people, using the Internet is a virtual necessity to participate in modern society.

Admittedly, data security can never be perfect. There is a some risk inherent in using any technology. But the burden of predicting an infinite number of speculative harms each time every one of us sends an email, stores a photo online, or makes a commercial transaction using the Internet is simply too great for any of us to bear alone.

So what can we do? In the short term, we can insist on better security protections from companies. At this point, every important online service should probably offer two-factor authentication.

Opinion: Who's at fault over J-Law's nude photo hack?

Conan's embarrassing celeb photos
FBI's role in celeb hack investigation

Two-factor authentication is an account verification technique that requires more than just a password. It usually requires both "something you know" (like a password) and "something you have" (like your phone). The way it usually works is that once you've activated the feature and given the service your cell phone number, when you want to access your account, you'll have to provide both your password and an automatically generated code that is sent to your phone. This protects your account from people who can guess your password but don't have your phone.

Some have suggested a "private photo" mode for phones that would prevent pictures from being uploaded to the Internet.

But creating these protections won't be enough. Companies must continually notify users these protections exist, make them easy to find and use, and quickly let users know of any potentially unexpected vulnerabilities. For example, many were surprised to learn that the celebrities' nude photos contained location information.

Ultimately, companies that fail to provide industry-standard data security practices should be held accountable by law. The Federal Trade Commission and other administrative agencies and laws designed to protect consumers must continue to ensure that companies entrusted with personal information respect the process of data security.

Working together, we can avoid having to choose between "enter at your own risk" and living a life disconnected from the modern world.

Read CNNOpinion's new Flipboard magazine.

Follow us on Twitter @CNNOpinion.

Join us on

Part of complete coverage on
September 15, 2014 -- Updated 1947 GMT (0347 HKT)
LZ Granderson says Congress has rebuked the NFL on domestic violence issue, but why not a federal judge?
September 15, 2014 -- Updated 1650 GMT (0050 HKT)
Mel Robbins says the only person you can legally hit in the United States is a child. That's wrong.
September 15, 2014 -- Updated 1723 GMT (0123 HKT)
Eric Liu says seeing many friends fight so hard for same-sex marriage rights made him appreciate marriage.
September 15, 2014 -- Updated 1938 GMT (0338 HKT)
SEATTLE, WA - SEPTEMBER 04: NFL commissioner Roger Goodell walks the sidelines prior to the game between the Seattle Seahawks and the Green Bay Packers at CenturyLink Field on September 4, 2014 in Seattle, Washington. (Photo by Otto Greule Jr/Getty Images)
Martha Pease says the NFL commissioner shouldn't be judge and jury on player wrongdoing.
September 15, 2014 -- Updated 2122 GMT (0522 HKT)
It's time for a much needed public reckoning over U.S. use of torture, argues Donald P. Gregg.
September 15, 2014 -- Updated 1608 GMT (0008 HKT)
Peter Bergen says UK officials know the identity of the man who killed U.S. journalists and a British aid worker.
September 13, 2014 -- Updated 1620 GMT (0020 HKT)
Joe Torre and Esta Soler say much has been achieved since a landmark anti-violence law was passed.
September 12, 2014 -- Updated 2055 GMT (0455 HKT)
David Wheeler wonders: If Scotland votes to secede, can America take its place and rejoin England?
September 12, 2014 -- Updated 2207 GMT (0607 HKT)
Jane Stoever: Society must grapple with a culture in which 1 in 3 teen girls and women suffer partner violence.
September 12, 2014 -- Updated 2036 GMT (0436 HKT)
World-famous physicist Stephen Hawking recently said the world as we know it could be obliterated instantaneously. Meg Urry says fear not.
September 12, 2014 -- Updated 2211 GMT (0611 HKT)
Bill Clinton's speech accepting the Democratic nomination for president in 1992 went through 22 drafts. But he always insisted on including a call to service.
September 12, 2014 -- Updated 2218 GMT (0618 HKT)
Joe Amon asks: What turns a few cases of disease into thousands?
September 11, 2014 -- Updated 1721 GMT (0121 HKT)
Sally Kohn says bombing ISIS will worsen instability in Iraq and strengthen radical ideology in terrorist groups.
September 11, 2014 -- Updated 1730 GMT (0130 HKT)
Analysts weigh in on the president's plans for addressing the threat posed by the Islamic State of Iraq and Syria.
September 11, 2014 -- Updated 1327 GMT (2127 HKT)
Artist Prune Nourry's project reinterprets the terracotta warriors in an exhibition about gender preference in China.
September 10, 2014 -- Updated 1336 GMT (2136 HKT)
The Apple Watch is on its way. Jeff Yang asks: Are we ready to embrace wearables technology at last?