How to keep your private photos from running wild on the web

It's too late for actress Jennifer Lawrence to stop her nude photos from running wild across the internet, but here are things you can do to help keep your own private photos safe and secure.

10 tips to help you avoid Jennifer Lawrence's nude photo debacle

Actress Vanessa Hudgens, left, takes a photo with her sister Stella on her iPhone. Photos taken on an iPhone are automatically uploaded to the cloud for access on other devices when Apple's Photo Stream feature is activated. (Lucy Nicholson/Reuters)

It's too late for Jennifer Lawrence to stop her nude photos from running wild across the internet, but here are things you can do to help keep your own private photos safe and secure.

Nude photos of Oscar-winning actress Lawrence, model Kate Upton and other celebrities were posted online and sold to potential viewers this week by users of the online forum

Apple said Tuesday that its investigation found that "certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions."

It had previously investigated the possibility that a security flaw in its Find My iPhone app may have have let hackers get hold of passwords for iCloud — Apple's online data storage and backup service — using a "brute force attack." However, Apple said none of the attacks were caused by a breach of Apple systems such as iCloud or Find My iPhone.

Actually, there are many ways for your private photos to escape onto the internet without your authorization, with or without the help of hackers.

Here are some tips you can follow to minimize the chance of that happening.

1. Remember that you have limited control over the security of photos and data stored on the internet.

When you store data and images on iCloud, Google Drive, Microsoft OneDrive, Dropbox and other cloud services, you are storing them on an internet-connected servers that belong to those companies and are beyond your personal control.

"Don't call it 'the cloud.' Call it someone else's computer," wrote security blogger Graham Cluley in a post last December, saying that mentality will make people more mindful of the security risks.

Sean Gallagher, IT editor for the technology website Ars Technica, says cloud services are "leaky by their nature; things that are supposed to be private get stored alongside things that are shared." He noted that anything from user error to previously unknown software vulnerabilities can expose those. Someone getting ahold of your password can do that, too.

2. Check your passwords to make sure they are strong and don't reuse them.

Don't use easy-to-guess passwords that include things like your name, pets and relatives' names or your birthday, address or phone number.

Apple said Tuesday that its investigation found that 'certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions.' (Canadian Press)

A "brute force attack" involves systematically checking a very large series of possible passwords until one works. That's why common passwords such as these ones are very risky. 

Don't use the same password for multiple accounts or services or they will all be vulnerable if just one becomes compromised.

Longer passwords (eight characters or more) that mix different types of characters such as letters, numbers and symbols are the most secure. Password managers such as LastPass and Dashlane can help you remember them.

3. Don't answer security questions honestly.

In this particular attack, security questions were compromised along with usernames and passwords.

Internet security firm Trend Micro says you should reconsider whether those questions are really secure.

"Secure means that you are the only person who can answer the question," wrote Rik Ferguson, Trend Micro's global VP of security research, on the company's CounterMeasures blog.

He recommends making up your own security questions if possible.

"If you are obliged to answer more standard questions such as 'first school' or 'First pet,' remember the answer doesn’t have to be the truth, it only has to be something you can remember."

4. Turn on two-factor authentication.

Many services allow users to require more than just a password, or a password plus security question, to log in. If you turn on so-called two-factor authentication or two-step verification, you will also have to enter a code that is sent to your phone or email.

You can usually set two-factor authentication so that the code is not required when you log in from the device you use most often, and is only needed when someone tries to log into your account from another computer.

5. Know what you are automatically backing up online. Turn such backups off if you don't want everything stored on the cloud.

Many services including Apple, Google Plus, Microsoft OneDrive and DropBox have options that allow users to automatically backup or sync their photos or other data to the cloud.

In some cases, that's the default setting when you first configure an account — something you may not even remember. You should check your settings to make sure you know what is being automatically uploaded.

On Apple devices, an easy way to check is to see if you have an Album called My Photo Stream in your photos. Photo Stream allows photos taken on one device to automatically appear on all your other Apple devices. How?


If you're not comfortable with automatic backups, turn them off.

6. Review the photos you've already uploaded.

Every now and then, you might want to check the photos already stored online to make sure you'd be OK with them escaping, should that happen. You can delete the individual photos that don't meet this test.

7. Don't send sensitive images of yourself to other people.

"Even 'ephemeral' messaging applications like SnapChat, Glimpse, Wickr and the like don’t block people taking screen captures of the image," noted Gallagher of Ars Technica, "and if image recipients are using an iPhone, those might automatically get synced to their cloud."

8. Have an extra cloud account just for backups.

"If a hacker can gain access to one of your accounts, he may be able to use that to access your other accounts," notes the blog for CloudHQ, a service that syncs data across many accounts, including DropBox, Evernote and Google Drive.

It recommends keeping an unconnected account just for backups.

9. Encrypt your data.

Some apps allow you to encrypt your data before uploading it, and share the encryption key only with certain people. For example, CloudHQ recommends Credeon, which automatically encrypts all files in a certain folder. 

You can also encrypt photos or data stored on devices like hard drives and USB keys if you're concerned about them getting lost or stolen.

10. Don't take naked photos of yourself.

…or any photos, for that matter, that you don't want the whole world to see. Even if you don't upload or send them anywhere, you could lose the phone you used to take them or store them.


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?