Guest Column: Pellicano Prosecutor Explains How to Fight Hollywood Hacking

Issue 12 Cyberhacking Illustration - P 2012

Issue 12 Cyberhacking Illustration - P 2012

The public always has been fascinated with the private lives of celebrities. But "tell-all" magazines have been supplemented by an alarming new trend: cyber hackers who can invade stars' privacy more effortlessly and on a greater scale than previously could have been imagined.

Nude photos, financial data and personal information hacked from phones or e-mail accounts increasingly are splashed across the Internet for all to see. And it doesn't just happen to celebrities; anyone who stores sensitive information online or on phones is at risk (that means you, studio exec). Even Syrian president Bashar al-Assad's wife was banned from the EU when hacked e-mails revealed lavish shopping habits.

On March 26, Florida resident Christopher Chaney, 35, pled guilty in Los Angeles federal court to hacking the personal e-mail of numerous Hollywood figures, seizing private communications and distributing images (including nude photos of Scarlett Johansson) to celebrity blogs.

Chaney's activities are far from isolated. In 2005, a Massachusetts teenager pled guilty to hacking Paris Hilton's cell-phone account and posting her contact list and revealing photos online. In 2008, a Tennessee teen admitted hacking Miley Cyrus' Gmail account and providing provocative photos to various websites. Just within the past few weeks, racy photos of Mad Men actress Christina Hendricks and Glee star Heather Morris, reportedly hacked from their cell phones, were disseminated on the Internet.

The recent torrent of celebrity hacks raises the question of how public figures -- and those charged with managing their images and reputations -- can protect themselves from intrusion and take action should they fall victim to cyber scandal.

Here's how:

♦ LESSON 1: How to Prevent a Hack

Use Secure Passwords

Seems obvious, right? But many people use information from their personal lives (kid's birthday, dog's name) as passwords to their computers, smartphones and online accounts. This is particularly risky for celebrities because so much of that information is publicly available. And everyone should avoid using the same password for multiple accounts or devices. The teen who hacked Cyrus in 2008 obtained her MySpace password by manipulating a MySpace employee into giving him access to an administrative panel, then he used the same password to gain access to her Gmail account.

Protect E-Mail Accounts

Webmail providers such as Yahoo and Gmail use security questions to allow users to reset their passwords. As with passwords, using publicly available information (such as your mother's maiden name or a school you attended) for password recovery is an open invitation to intrusion, particularly for celebrities. All that a hacker need do is identify the victim's e-mail account, click on "I forgot my password" and correctly answer the security question; at that point, the hacker can access the administrative settings for the account, reset the password and set up a forwarding command so that even if the user changes the password, the hacker will continue to receive copies of all e-mail traffic. Chaney admitted that this is how he gained access to his victims' accounts.

Be Smart With Smartphones

An actor's iPhone left unattended or placed in the hands of an untrustworthy assistant is an invitation to a hack. It is fairly simple to "jailbreak" an iPhone or iPad to circumvent its security features and install spyware that is available online for less than $40. Some programs track the user's movements through GPS; more malicious programs can send all call records, photos, texts and e-mails to an account controlled by the hacker. Protect your phone with the longest possible password or PIN, use location-based functions only when needed, and keep your phone in your possession at all times. Be alert for whirring sounds, pixelation or unusual heat emanating from the phone, any of which can be signs of a jailbreak.

LESSON 2: What to Do When Hacked

Bring In Professionals

The first priority is identifying the compromised device or account and stopping any leak. This requires experienced personnel, from law enforcement and/or a computer forensic-services firm, to perform a thorough assessment. When involving law enforcement, keep in mind that most hacking involves multistate activity that confers federal jurisdiction; the FBI, working with the U.S. Attorney's Office, can obtain subpoenas and search warrants that might yield information allowing agents to track IP addresses and identify the source of the intrusion (as was done in Chaney's case).

Mount a Media Strategy

In many instances, the public will experience initial skepticism as to whether the incident was staged as a publicity gimmick. By declining to hold news conferences or to make the victim immediately available for interviews, reps can send a message that the victim is not trying to take advantage of his or her victimhood. Note: Although a common response is to deny that hacked images are real, this can backfire by drawing more attention and scrutiny to the photos and largely eliminating the ability to go after the offender.

Explore Legal Remedies

Many websites will remove nonconsensual material when notified. For those that do not, an aggressive barrage of cease-and-desist letters can be effective. A wide range of legal remedies should be considered: Lawsuits can be brought for unauthorized computer access, invasion of privacy, copyright infringement and other claims against not only the original hacker, but also servers and other knowing facilitators. Preliminary injunctions and temporary restraining orders can be sought against Internet hosts that continue to publish hacked image or data files. And if the hacker is apprehended, the ultimate sanction of criminal proceedings can be pursued in state or federal court -- as prosecutors did with Chaney, who could spend several years in federal prison.

Daniel A. Saunders is a partner at Bingham McCutchen focusing on white-collar crime and privacy matters. He served as lead prosecutor in the Anthony Pellicano celebrity wiretapping case while at the U.S. Attorney's Office.