Apple Security

Path’s Privacy Folly Proves Shift In Privacy Views

Path uploaded address book data from its users in order to provide “social” functionality. After this became public they deleted all address data and apologized.

Everyone is ignoring the worst part of this. While very bad, it’s not that Path actually uploaded their address book (I’d venture most store it in “the cloud” already, so true privacy is out the window). The worst part is that Path didn’t even think this would be a problem until it became news. Even 2 years ago I don’t think there was anyone other than malware developers who would think uploading an entire address book of contacts without an explicit approval would be an OK practice. That is a huge cultural shift.

If Path were a desktop app in 2010, they would be competing with AntiVirus and Spyware blockers who would be racing to provide protection to their users.

In just a short time, a practice that would be reserved for illegal and dubious software was adopted by what seems like a mainstream startup. It’s electronic moral decay.

Apple doesn’t get a free pass either. Why in iOS 5 a sandboxed app can access an address book without alerting the user is beyond me. Addresses, calendar data, geolocation, and the ability to make a call are sacred API’s and should have obvious UI and/or warnings. Geolocation does have an interstitial alert. Phone calls have an obvious UI. Address and calendar data need to have an alert before the app is granted access.

4 replies on “Path’s Privacy Folly Proves Shift In Privacy Views”

The cynic in me says consumers are, at least, partially at fault.

Facebook has illustrated for the Silicon Valley startup that you can basically do whatever you want, privacy-wise, and there will be no consequences, legally or adoption-wise.

Apologize if you feel like it. But you don’t really need to put your heart into it, and you don’t even really need to change your behavior. Just add the exception to your privacy policy. It’s ok; no one reads that anyway (until they’ve been fired from their job because of something they said on Facebook and thought was private!)

And, to boot, the blogosphere will whine and complain for a couple of weeks, and users, if they even bothered to care, will go back to poking each other.

And then have your billion dollar exit.

Obviously, this won’t be the case for every startup, but I can picture in my mind the conversations going on in the meeting rooms of most (especially “social” and “mobile”) startups: “Facebook (and Apple and…) have totally ignored the customers who care about privacy, and it didn’t hurt them at all; so why would we even consider taking the high road?”

It’s a hard argument to make, because it sounds so “curmudgeonly”… until a 20-something has been screwed hard and irreparably by it.

Even Facebook never did anything to this degree AFAIK. They never obtained data without consent. These days they are pretty good with explaining what they do (maturing!).

I do agree apologizing is BS, and change is optional.

I disagree on the level of user blame. Had they known, I suspect quite a few would have balked. I blame Apple for having so many rules yet no way of shielding the address book from a “sandboxed” app.

To be honest, I don’t think Facebook has even been fully clear on what they’re doing, so it’s difficult to say whether or not they’ve done anything this egregious.

For example, I consider the cognitive disconnect between what people think they’re publishing via the website and what’s available via the API is on the same level as this.

What I meant by “the user is to blame” is that we’re not swiftly and decisively penalizing companies who engage in this kind of behavior; I guarantee you: if you 50% of Path/Facebook users stopped using the app within days of one of these “oopsies we didn’t think about you as a person who cared about privacy LOL SORRY,” it would incentivize other companies to at least have the discussion and consider it, instead of taking the approach of “Well, everyone else does it and gets away with it, so who cares!” “Social/mobile” users are, in this regard, akin to a battered wife: our privacy keeps taking a beating, but we keep on comin’ back! Until we stop doing that, there’s no reason we should expect these companies to change their behavior.

I agree that Apple really dropped the ball on this one, from an SDK perspective.

Leave a Reply

Your email address will not be published. Required fields are marked *