

Anger for Path after Privacy Breach: So Many Apologies, So Much Data Mining - ChrisArchitect
http://bits.blogs.nytimes.com/2012/02/12/disruptions-so-many-apologies-so-much-data-mining/

======
beaker
I probably should keep my mouth shut, but after seeing so many posts about how
great Path is for giving such a genuine and heartfelt "mea culpa", I can't
help it. A friend of mine did some work for an older version of Path.com which
included an installable desktop client. One of the key features in the spec
was the ability to grab the user's entire address book without ever letting
them know what was happening (e.g. no alerts or confirmation). This behavior
wasn't a mistake or an oversight, it was completely intentional from the
beginning. Of course my friend thought this was a bit shady, but the truth is
that shady tactics are used all the time in the software industry for one
reason - because they make money.

When Path states they didn't realize users would feel deceived and that they
only intended to use the information to make better suggestions for the user's
contact list, well, I don't want to sound cynical, but I think anyone who
blindly believes these kinds of statements (from Path, Facebook, or any other
company) is either personally/financially interested or extremely naive.

~~~
gms
You attribute malice to where there probably is none.

I reckon the more likely truth is that the Path folk genuinely saw nothing
wrong with what they were doing. There are a group of people (call them the
Facebook crowd, if you want) who think that excessive privacy is unnecessary,
extending that thought to sharing people's address books.

~~~
anamax
> You attribute malice to where there probably is none.

No one ever says "I'll be evil". Instead, they come up with ways to justify
the evil that they do.

The only reason for giving someone who "meant well" a pass is if it's likely
that the bad outcome was fairly unexpected. If, as is usually the case, the
bad outcome was likely, they should be held accountable for intending it, just
as we do with drunk drivers. No, "meaning well" isn't an excuse for ignoring
reality.

Remember, most of the world's horrors are caused by folks who claim that
they're trying to do good.

------
SoftwareMaven
I really hope the furor over this causes Apple to require permission to access
the address book. I understand Apple is trying to keep things simple, but this
is, IMO, as important as location information.

~~~
eps
This is arguably far more important than the location info.

~~~
loceng
Yup - you could likely link all kinds of demographic information based on who
someone knows - including their likely location or locations.

------
SideburnsOfDoom
This is completely relevant:
[http://www.daemonology.net/blog/2012-01-19-playing-chicken-w...](http://www.daemonology.net/blog/2012-01-19-playing-chicken-with-cat-jpg.html) ("Playing chicken with cat.jpg" by Colin Percival from tarsnap)

> "The answer isn't for ... the company ... to prove that they can be trusted;
> the answer is to ensure that their customers don't need to trust them. ...
> The best way to avoid privacy breaches is not to formulate a detailed
> privacy policy; it's to reduce your capabilities so that you're unable to
> violate anyone's privacy."

Just think of what target companies like this will make for hackers. It's an
accident waiting to happen.

~~~
joe42
>It's an accident waiting to happen.

It'll be a shitstorm when a large set of address books gets leaked to the
internet (à la AnonOps, etc.).

(Though it would be a _lot_ of fun to run some graph-theoretic metrics on the
dataset (closeness, centrality, etc.). I've often lusted over getting an
anonymized version of the Facebook graph (32-bit ID for each person, assume
average of 100 friends, 700 million users, gives a total size of about 300 GB
uncompressed), but a leak of a couple million address books now seems not far-fetched.)

------
andrewcooke
what worries me, and is related to the issues described in that article, is
that the various examples i've seen don't seem to be secure. the path loading
was via https/tls but seemed to be (from the description given at the time)
vulnerable to a simple mitm attack. that means that the server certificate was
not being validated correctly. another example (can't remember the company)
was using http.

in both cases, a clued-up governmental agency could read the data. as the
article says, this can be a big fucking deal.

tldr: if you're going to abuse people's privacy, at least do it right.

[it's possible that the tls case involved loading a new trusted certificate
onto the phone before the attack; i did check for that when i read the
description and couldn't find any mention, but if that's the case then the
loading would be secure - although even then, it might have been possible for
path to hard code details of which ca they trust.]

~~~
relme
In order to mitm over https you have to install a special certificate, for
example, [http://www.charlesproxy.com/documentation/faqs/ssl-connectio...](http://www.charlesproxy.com/documentation/faqs/ssl-connections-from-within-iphone-applications/)

~~~
andrewcooke
that is not included in the step-by-step instructions at the end of
[http://mclov.in/2012/02/08/path-uploads-your-entire-address-...](http://mclov.in/2012/02/08/path-uploads-your-entire-address-book-to-their-servers.html)

i agree that, if it was done, then the transfer is more secure, but, as i
said, that does not appear to be the case.

------
djacobs

      It would have taken programmers weeks to write the code
      necessary to copy and organize someone’s address book.

"Weeks" seems a little far-fetched, no? (Especially given the apparent lack of
sophistication in the import process.)

~~~
plasma
I don't think so, when you need to then make the server side work, plus
testing etc.

~~~
a_a_r_o_n
Plus fixing the bugs that happened because you said you could do it in days.

~~~
djacobs
I disagree. It's a simple, stateless data transform.

------
kevinpet
I was with him right up until this:

"Lawyers I spoke with said that my address book — which contains my reporting
sources at companies and in government — is protected under the First
Amendment."

What does this even mean? Does he mean the fourth amendment? If so, lawyers
would have told him "not once it leaves your phone". What do you mean by
"protected"? That you can't be compelled to divulge it at all? That police
need a warrant to get at it? That you can sue if someone else exposes it?

So I flipped the bozo bit. If the author plunks a meaningless but frightening
sounding paragraph in the middle of an article, I just don't really put a high
value on anything he has to say.

~~~
mechanical_fish
Actually, the issue of whether or not a reporter should have a special right
to preserve the anonymity of sources has been a question of First Amendment
law since at least the nineteen-seventies:

[http://www.rcfp.org/first-amendment-handbook/introduction-le...](http://www.rcfp.org/first-amendment-handbook/introduction-legislative-protection-news-sources-constitutional-privilege-a)

And, as others have suggested, you might want to flip the "bozo bit" on the
entire notion of a "bozo bit", because it's a funny metaphor but a lousy rule
for real life. Everybody is a bozo some of the time.

~~~
SimHacker
Well if he's flipping the bozo bit instead of setting it, that means you need
only be a bozo an even number of times and he won't consider you a bozo. I set
the bozo bit of anyone who flips the bozo bit.

------
chairface
This bit is inaccurate, as far as I can tell:

> it was also transmitting the data in “plain text.” This would be like
> mailing a private letter to someone without the envelope.

My understanding is that the data was transmitted over https, which is
decidedly not like mailing a letter with no envelope.

~~~
rsingel
Path said it was sending over HTTPS, but storing in plaintext - protected by a
firewall. No server-side encryption.

~~~
chairface
That's still not like sending a letter without an envelope.

------
Drbble
One Hundred Years on Stilts: While Seeking Eschewed Natural Grammar, the Grey
Lady's Headline Readers are Bereft of Comprehension

Why is the _New York Times_ incapable of writing headlines in one of the
variants of English spoken on Earth?

~~~
tokenadult
_Why is the New York Times incapable of writing headlines in one of the
variants of English spoken on Earth?_

But the New York Times headline writing style is a variety of English,
familiar to English-speaking readers of newspapers. As I wrote earlier in
response to a similar question,

<http://news.ycombinator.com/item?id=3358744>

"Newspapers all over the world use different grammatical conventions in
headlines from articles. I read Chinese, and Chinese-language newspapers also
have headlines that look quite bizarre in isolation. As the first kind reply
here said, this convention probably began to save space for banner headlines
in large type."

~~~
Drbble
In general, yes you are right, but NYT headlines are not Standard Headline
English. They are bizarro convoluted long-winded show-off try-to-look-clever-by-overcomplicating English.

------
Jayasimhan
Singling out Path in this issue is not right. Instagram fixed the same issue
in their new release. Ditto with Voxer. And more app updates to come. It's sad
that one company is being shown all the heat. The issue is pervasive and the
problem is not with the apps but with the platform, iOS. It would make much
better sense and work out better if we take the issue to Apple. But I'm sure
Apple will close this loophole in the next release. Until then, let's leave the
app developers alone.

~~~
lambda
No, don't leave the app developers alone. Apple has merely failed to protect
its customers; it is Path, Instagram, Voxer, and whoever else who have
actively taken advantage of this lack of protection to abuse the trust of
their users. Yes, Apple could do more to protect their customers, but the
fault lies with those people who are uploading address books without
permission.

When I install an application on my computer, I do not expect it to upload
arbitrary information from my disk to the developer's servers. If an
application did, I would be quite upset, even though any application that I
run on my computer will generally have access to all of my data with no
substantial platform-provided protection.

Why should I suddenly give the developers a break because the application is
running on the computer I carry around in my pocket, instead of the computer I
put in my lap?

Would you forgive a company if their application grabbed your cookies, and
uploaded those to their server, so that they could log into your Gmail account
to find your contact information? Decided to upload all of your documents to
their servers and convert them to a convenient HTML format to make it easy for
you to share them with one click to your friends? Rooted around your hard
disk, uploading your tax information to their servers?

So why do you say that we should forgive companies for making the deliberate
decision to grab private information from your phone, and upload it to their
servers, just because the platform vendor never implemented a feature to
explicitly forbid that?

~~~
guest
one might argue that by not protecting the user's personal data by default,
when how to protect such information is quite well known, the vendor and
market maker is clearly the liable party

~~~
lambda
Would you argue this for your desktop or laptop as well? For any breach due to
you installing an application from someone who abused your trust to read your
files and upload them, that your OS vendor (Microsoft, Apple, your Linux
distro, or whatnot) is the liable party?

------
mbesto
_It seems the management philosophy of “ask for forgiveness, not permission”
is becoming the “industry best practice.” And based on the response to Mr.
Morin, tech executives are even lauded for it._

I am really upset by this. Most executives (I'm looking at you BP) have had
very inconsiderate versions of "I'm sorry" that are littered by play on words,
media spin, and disgrace.

Human beings are not flawless and I respect the companies (I'm looking at you
Facebook, Dropbox, Path, etc) that are willing to treat me like a human being
and say they're sorry.

~~~
amirmc
How many times are you willing to hear the words "I'm sorry" from an industry
before you get tired of it? Part of life is learning from _other people's
mistakes_ but if that learning was actually happening would we be hearing
about privacy 'violations' etc from different places?

~~~
a_a_r_o_n
"I'm sorry" is just the latest way of getting away with shit.

In the seventies it was "At this time, Senator, I do not recall."

In the eighties and nineties it was "there's nothing new here."

Now we're sorry.

SSDD.

~~~
mbesto
Why do we (as "hackers") follow the mantra of "Move fast, break things" and
yet highly scrutinize people when we don't...

------
richardlblair
I can't believe that this story is still being brought up. The concerns of the
users were eventually addressed, data was deleted, and they apologized. What
is to report here? This is nothing more than the media making something out of
nothing, as always.

It's not like they were using the data for something other than convenience
for the user. When the users were upset, they reacted accordingly.

Facebook looks at all your data for targeted ads, and Google uses all your
data to refine their algorithms. All Path did was try to use your data to help
you, and when they were met with resistance they backtracked on their
decision.

Mistakes like this are made all the time, and this isn't even that big of a
mistake. It's not like the data was leaked. People need to seriously calm
their nerves and look at what Path did right.

Stop looking for a story where there isn't one. The real story is Apple's
privacy policies. Path should have been forced to ask for access to the data,
but they weren't.

~~~
VengefulCynic
I'm confused as to how Apple's lack of regard for the privacy of its users is
a story, but Path's lack of regard for the privacy of those same users is a
non-issue. One of the parties failed to protect the users' data, another one
of them took it without asking. _Both_ should be held to account in my mind.

~~~
eropple
What is Apple supposed to do to prevent a social network app (i.e., something
plausibly worth granting access to your contact list, and so asking for
permission to access your contacts wouldn't help) from uploading your data to
their servers?

I think having some sort of permission guard for contacts is totally worth
doing, but to put Path's sending of your contacts to a remote server in the
same category as Apple not asking before allowing something to _see_ your
contacts is misleading at best.

~~~
SideburnsOfDoom
> What is Apple supposed to do to prevent a social network app ... from
> uploading your data to their servers?

1) Put in their detailed rules that this (uploading entire address books) is
not allowed.

2) Remove apps from the Apple App Store if they are found to violate this
rule.

Apple could also remove such apps from phones after the fact as if they were
hostile malware. This may be going too far, but it can be done:
[http://cybernetnews.com/apple-can-remotely-remove-bad-apps-f...](http://cybernetnews.com/apple-can-remotely-remove-bad-apps-from-your-iphone/) I mention this since by saying "What is Apple supposed to do to
prevent.." you may be asking if there's anything Apple can do at all. Yes, of
course there is. It's not hard to do _something_ when you own the app store
and have control over all the devices.

~~~
towelrod
That's not enough. Contacts should not be accessible by third party apps
without explicit permission, period. It's not enough to remove apps after they
are found to violate a rule. Just don't even make it possible to violate that
rule in the first place.

~~~
SideburnsOfDoom
> That's not enough. Contacts should not be accessible by third party apps
> without explicit permission, period.

Well, that too. But eropple (the parent poster)'s point is that social
networking apps are the kind that would typically ask for this permission.
Controls on this behaviour before and after the fact can work together.

Now that I think about it, doing the "find your friends" thing without
uploading address book data at all would be tricky.

