> Why wasn't this [sending all the contacts to your servers without users knowing] an opt-in situation to begin with? Isn't that against Apple's own T&Cs?
and the Path CEO replied:
> This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we've been proactively addressing this.
Really guys? REALLY? This is why developers need explicit guidelines, because as they just demonstrated if there are no guidelines companies default to the thing that exploits the end user! (incidentally, its unfair to pick on Path too much as almost all social networking applications do exactly this also.)
I actually cringed when I read this "however, as mentioned, we believe users need further transparency on how this works" ... which is why it took someone running a proxy and writing a blog post for you to suddenly be transparent about it. Mind blowing. Why even say that?
Btw, times like this? You destroy any and all credibility when you say you are trying to build a company that is built to last or one that is going to follow in the footsteps of Apple.
Apple would never do this to their users.
(do not make this a discussion about the evil and good sides of Apple. Apple has repeatedly not bowed to companies desires for owning contact information and I expect they will fix this contact hole in the near future.)
It's sad because I respect Path and their love of design. But design isn't just about how it looks. It needs to resonate through the entire vision, company, product, and how you treat people.
"This is currently the industry best practice"? That's the biggest bullshit line I have ever heard. No, it's most certainly NOT a "best practice", and even if it were, it shouldn't be, and as a CEO, you're supposed to be bright enough to know this. And if you don't know this, you're supposed to be bright enough to make up a better excuse when you get caught. Hint: This ain't it.
>> No, it's most certainly NOT a "best practice"
How can I remove my information if I've never installed Path before? It doesn't seem right that my contact information, which I have kept private, because someone I know has uploaded that information. Do I not have a right to keep that information private?
This would make Path and other companies that upload the entire contacts database the prime candidate for hackers and government agencies that want non-Facebook information about people, given a name, phone number of email address.
> Do I not have a right to keep that information private?
But you didn't. You gave it to someone else. It's not your information any more.
Information about you is not information you own.
Privacy and anti-spam laws in various jurisdictions cover what an organisation can do with information they collect about private individuals, but that has nothing to do with ownership.
Generally no. I mean anyone can put their in law's information on their blog. It's a dick move but not illegal generally (if you're putting the person in danger like an battered spouse or witness protection there may be problems, IANAL).
I get the outrage that they didn't hash everything but the righteous indignation that a social network is trying their best to let people know when their friends sign up seems overblown.
Moral of the story: don't be shocked when social networks don't follow best practices for privacy. Also foxes like chickens.
If they're smart they'll revamp their system to work like this:
edit: (0) we get your permission /edit
(1) we check for your contacts in our database (hashing your contacts).
(2) we let you know if any matches are found.
(3) we throw away all your data afterwords.
They'll generate a few fewer matches this way but since they're going for stronger ties it shouldn't really be an issue.
No, this is a matter of security. Apps should not be able to access user data without explicit permission. It's not something you can rely on guidelines for.
> Apple would never do this to their users.
You're being way too generous to Apple here. They are the ones who provide the API. I've used other phones and their APIs never freely provided my data to apps. Honestly, if I knew the iPhone worked like that I wouldn't have bought it.
Wait, on second thought. Maybe he is right. Hopefully he will post a comprehensive list of all other companies he is aware of that engage in this practice in order to show his good will in stating it is an industry best practice according to his personal knowledge, and not that he is merely a compulsive liar. I look forward to Mr. Morin's follow up with the list.
Played right, this episode could actually give them free publicity. Companies like Facebook and Zynga have been embroiled in far worse controversies, and they've all blown over.
2) requested a complete deletion of our family's account
3) requested deletion of any/all stored information
4) considering contacting our lawyer
Ok, I'm going to pick on you for a second.
Hold the downvotes everyone! Let me explain.
This seems like a bit of a knee-jerk reaction akin to "think of the children!" or the whole child porn scare-mongering that politicians engage in that we on HN are always criticizing. I recognize that Path screwed up, big-time, but I'm unclear on why them having the information you cited, along with dozens or hundreds of other contacts from your address book, for millions of users, constitutes some kind of terrible threat to your children. I mean, their schools, their bus companies? How is that even remotely useful information to anyone?
I think there's plenty to criticize here from just the high-level perspective of "they used my contacts without my permission", without use the children scare-mongering tactic. But maybe there's a specific threat in mind that I'm not thinking of?
Anyway, just thought your response was a little over the top, and more informed by emotion than reason.
Ok, now everyone can downvote :)
Now most people's response to that kind of threat is to think "I'm just nobody important, no one would ever go to the trouble of using this information to impersonate me or otherwise make my life difficult." Probably you are underestimating one or more of: (a) your importance, meaning how much money someone stands to gain by impersonating you, (b) the gullibility/apathy of customer service reps at the companies you interact with, or possibly (c) the amount of free time and/or perversity of someone who will fuck with you just for the lulz.
So now, without consent, this "private" "friends and family"-based app I installed on my phone, plus it's company, plus any other company they choose to do business with, or any entity that acquires them in perpetuity, or any data mining, social profiling, credit bureau, can start building far-reaching and long-lasting profiles of a four year old little boy that needs a extra help.
What part of that confuses you?
p.s. this could have been avoided with a dozen lines of code via a dialog box.
Do you also buy snake oil if it comes with a document using lots of difficult sounding words but ends saying it cures everything?
> along with dozens or hundreds of other contacts from your address book
Path should be private by default. Forever. You should
always be in control of your information and experience.
> for millions of users
"kill one, it's murder - kill 1,000,000 it's a statistic" - this isn't about your children - it's about mine. ;)
> constitutes some kind of terrible threat to your children
Where did I say this was a "terrible threat" to my children? Maybe it is, maybe it isn't - bottom line is we did not consent to it. And perhaps we just want to protect our underage children from having behaviorial profiles or credit risk assessments built up on them before they reach kindergarten.
Interestingly enough, according to Path it is VERY reasonable that I should protect my children's information:
We take reasonable measures to protect your personal information
in an effort to prevent loss, misuse and unauthorized access, disclosure,
alteration and destruction. Please be aware, however, that despite our efforts,
no security measures are perfect or impenetrable and no method of data
transmission can be guaranteed against any interception or other type of misuse.
(You)...accept all risks of unauthorized access to the Registration Data and any other information you provide to us.
> But maybe there's a specific threat in mind that I'm not thinking of?
Yes, there is. And I acknowledge that you might live in a world where you have no problem allowing anyone in the world to know any detail they can illicitly sneak out of your phone about you, your family, and your friends - but most of the rest of us don't.
For fuck's sake a UIKit dialog box and handler code is less than a dozen lines of code and then NONE OF THIS WOULD BE AN ISSUE.
> Anyway, just thought your response was a little over the top, and more informed by emotion than reason.
I'm curious, do you have a spouse or children?
What are you talking about? Do you expect them to perform complex data analysis to figure out that certain contacts are young children, and then explicitly ask permission to share those? Or do you expect them to preemptively ask for any potential sensitive contact information? "Can we use your children's information?" "Can we use your in-laws' information?" "Can we use the address of the President's safehouse?" Etc.
I ask because we would be foolish to think the developers of some less then typical quality apps have, or will, certainly exploit this for their own monetary gain.
On our lap/desktops we use prompting firewalls and on occasion will even watch suspicious apps or behaviors, if you will, where on iOS this is much harder.
I have an idle FreeBSD box and may start mitm'ing like OP did, but seriously pouring through the kind of output a home network produces doesn't sound like fun at all and I already know that going back to a dumb phone would probably be just as easy.
I would be curious for someone to do this with other apps. Even those that aren't social networks. I have a strong inkling that most of the top free apps are doing this without any of us knowing.
What for an argument is this. So if he doesn't have a spouse or children he can't be right. What kind of populist are you?
Don't really like this kind of argumentation.
What do you expect to achieve with this step?
I would respect a company that did this because they are not only addressing users that are aware of it but also users that are not aware (but are affected.)
Wiping data is fine but it feels like it doesn't solve the crux of this problem -- communication and transparency. Companies make mistakes and they can fix them, sure, but communicating about them? that's much cooler. (I suspect this is overkill unless mainstream news catches on this - which seems unlikely)
Ambivalent boss: "I don't think it's a problem, who's going to notice anyway?"
Not that the ethical engineer will get anything more than personal vindication for actually giving a shit.
1) Immediately delete all of the non-user data
2) Send an apology e-mail to each Path user explaining the situation
3) Write, by hand, a corresponding apology letter for each Path user
4) Hold a townhall-style meeting in which members of the public can ask him questions
5) Pay, out of pocket, the travel expenses of anyone who attends the townhall meeting
6) Wear an indicator of shame (large necklace or a sign) for as long as he is CEO of the company
1.) Get the user's address book and 2.) upload it to a server.
Installing an application implies a higher level of trust than a web application. You can't prompt the user for every API that might have a nefarious use. Location data is also much more sensitive so it makes sense to prompt the user for that.
The problem is that this isn't easily enforceable at the API level without the user having to make decisions. The right level of enforcement is at the app review stage.
It's not enforceable even WITH the user having to make decisions. The user can not allow the app to upload one kind of data and disallow another (address book). You can only allow ANY upload or no upload at all.
1) Get the user's address book 2) upload _something_ to a server.
A user could give permission to both.
You'd have solved the problem, but created a horrible user experience instead.
I feel like shooting someone every time I see them (or for that matter, anyone else) doing things 'proactively' (at least three times in the comments of original blog post). My BS meter goes all red on that. What does 'proactively addressing issue of transparency' mean? Even the sentence itself is not transparent.
I seriously wonder why so many companies communicate using language like that. Is it because of law? If instead, he'd say "well, we really screwed that one up and we want to apologize; right now we're trying to figure out how to fix those issues, please be patient" - could that get them sued, or what?
And yeah, if you don't do this (everybody else does AFAIK) you're left with a disadvantage in hooking you up to your friends who also use the service.
I actually think the CEO's response is not that bad.
"Proactively" doesn't mean acting after you've been caught.
Actually, it means exactly the opposite.
About four years ago, a new trend just started emerging. Sites would ask user's for their Gmail passwords and scrape all the users' contacts to invite them for their service. I remember this because I was at a company where I refused to implement a service that requested a user to enter their Gmail password. They got someone else to do it. The issue was that we had competitors using this tactic and they were gaining a lot of users. Unless you have a way to level the playing field, you'll end up just punishing the ethical companies.
Apple makes apps prompt me every time they want to know my location or send me push notifications, but they don't require it for the contacts info.
How is managing push notifications more important than leaking private contact info?
iOS doesn't know what's being uploaded by an app. It can't know. They could ask every time an application wants to access your contacts (which, I think, would really suck for UX, and it'd be a context-free question without indication of what the data would be used for), but after that? There is no practical way to know that that data is being sent over the wire to somebody.
Perhaps not, but remember that Apple are supposed to have approved all Apps on the AppStore. It's supposed to be for user benefit, to prevent malware, viruses and bad applications. However this app was approved by Apple. What, exactly, is the point of the AppStore approval/walled garden approach if this is acceptable?
Facts are stubborn things.
I live in almost the middle of nowhere, i guarantee nothing like google maps, etc has ever passed this way to map my WIFI point's BSSID onto a physical location, yet the week a member of my family got an iphone, plugging the BSSID into a location api gives the exact location of my house...
Here's more useless analytical evidence to suggest that most people don't know everything: when Samy Kamkar first demonstrated geolocation via BSSIDs, I tried out every wireless router in my house, including one that had not been plugged into a wall in over 4 years and never at my current residence, long before Google started wardriving for street maps and well before the first iPhone came out. He was able to accurately map it to my old residence. That means that sometime before December of 2006, someone or something was able to snatch my BSSID from someplace, accurately note it's physical location in the world, and store that away in some database that was used almost 4 years later. I can guarantee you it was not Apple, and I'd be damned surprised if it was Google at that time.
The data was used for GPS assistance -- it was a cache that triangulated your location from cell phone towers to help get a faster GPS lock (and to find your location without GPS if you’re getting bad GPS signal).
If you're concerned about the police finding out your moves, they have access to such information from the tellcos themselves with your cell number, whereas to use those stored GPS logs they would need physical access to your iPhone.
>Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more.
>We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
edit: Morin responds to a response
To the suggestion that they just hash the addressbook entries:
> 1. This is a good alternative solution which we'll look into. Thanks for the idea.
"Proactively?" How do you get into the Social Networking business and not see this issue coming before the first line of code is written?
>This is a good alternative solution which we'll look into. Thanks for the idea.
Again, no. That no competent system design talent/time was dedicated to this process is a damning critique of your organization's ability to be trusted to safeguard user data.
"It is difficult to get a man to understand something, when his salary depends upon his not understanding it." -- Upton Sinclair (http://en.wikiquote.org/wiki/Upton_Sinclair)
was about to say exact the same. the only thing I can add here is that if this wouldnt make headline, noone would have thought of opt outs.
EDIT: possibly even better, they could use a Bloom filter, similarly to how Chrome uses them to filter malicious websites without sharing your entire browsing history with Google.
Besides, a small search space can only be searched quickly if it takes little time to a hash a phone number. Doing a few billion MD5-sums is not so difficult. If the hashes are computed with an expensive bcrypt then it's just a matter of increasing the number of iterations to make brute force attacks unfeasible.
Edit: I realize that the hashes can't be salted (because different phones must produce the same hashes for the same phone numbers), so a rainbow table can be created for the entire database.
That wouldn't really stop anybody from reversing the hashes, but it would make a global rainbow table useless.
The hashes for a given user could still be attacked using their phone number, but a global table wouldn't work.
I would be more comfortable with this than giving them my entire address book, anyway.
Everybody knows "why" Path is doing this and the response should have been more of "why this way".
I have yet to open the app again.
He didn't even respond that they were checking your address book against their database for matches and then making those connections and dumping the rest of the data. He actually confirmed that they are storing non-user data in the hope of one-day making a connection. But if that was correct, the new user would make that connection when they signed up. You don't need two independent sources to make the connection through the address book.
Ever since I learned this was possible, I've been very careful about which apps I download, and actually have downloaded very few since, as a result. There are a lot of random iPhone developers that I really don't think need to have access to my entire contact list.
17.1 Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used
It's likely that this app will be pulled from the App Store within the next few hours.
I was operating under the assumption that this is not possible as I am sure many other people were. What sort of imbecile at Apple decided that allowing apps do that was even remotely acceptable to the phone owners?
All these services require either a email or phone number to sign up, so to search for friends who have also signed up for the service, you need to compare two data sets: emails or phone numbers of users you already have, and those in the person's address book.
You obviously wouldn't download your entire database of users contact information to the phone to compare the data sets, so you send the data set up to the server.
Email addresses can be effectively canonicalized by lower casing. Not many mail servers are case sensitive these days. Additionally, for the local part, you can generally strip off anything after a "+", and with gmail, you can drop any period in the local part. (Granted, it's not perfect-- so make sure that's not a security concern.)
These techniques have been working fine so far in my app for my "Find My Friends" feature.
- iOS app review is very minimal. For the initial submission, they'll play around with the app for ~5 minutes. I've had updates approved without the app even being launched, and other times it's approved with simply logging in and launching the app on different devices. They are mainly concerned about policies, private APIs, etc. Things get stricter when you submit in-app purchases, but again those are more administrative than functional. So, I don't think they would ever catch something like this.
- Amazon's testing is insanely detailed compared to Apple's(at least, for the first submission - I haven't submitted updates yet). They tested the app on several Android devices, and also were looking at data over the wire using, presumably, a client proxy. They will reject the app if you send up passwords/usernames without using SSL, for instance. They hit all the menu buttons and try most features. And they review all permissions your app needs.
Sometimes it's tempting to speculate whether the real purpose of the app store review team is just to ensure developers aren't trying to access Private Frameworks (i.e. non-public APIs) or try to upsell the customer while bypassing the 30% Apple tax?
That said, it's humorous how a blatant abuse of trust such as this gets through unscathed but god help you if you try to access the iPod library the wrong way!
There are other actions allowed by the SDK that seem to have little non-nefarious use, such as the ability to hide the fact that an application is transmitting and receiving data (the network "spinner" can be disabled by the application); as others have mentioned it's interesting which API calls require authorization from the user while others do not.
As far as I know Apple was not interested.
Here's the paper if you want to take a look:
(I'll go back and read the paper in more detail soon)
So the analysis would fail to determine the method and class of a obfuscated string.
The ivar was in a public header, and was not marked @private, which is the only correct way to designated an ivar as private in Objective-C. Putting a comment above it saying "this is private" (which they did) doesn't count. It's protected, by definition.
NSActionCell.h, I think.
The problem is surely one of governance - it must be that the app reviewers simply don't (whether through sheer volume of apps they have to review, or lack of ability) see what's being posted, and where.
What's more if Path used https and a CA, would we ever have found out what was being posted short of live debugging?
I also want to thank the author of this post to discover this! I wanted to try Path some time ago, now I can safely avoid it without regret.
there was a furor recently where it was revealed that OS X and Windows collect data on what access points you have associated with. what was omitted was that linux does exactly the same thing: the wireless subsystem has a debug print (at a debug info level turned on in all major distributions) that will log the MAC address of the AP you just associated with.
it's still there, afaik.
You think people should be upset because a Linux computer knows the MAC address of the AP you are associated with? If that is a problem, then imagine what people will think when they realize that the computer knows what keys you press on the keyboard (!!??)
There is only a problem if the operating system shares information with 3rd parties without authorization.
it shouldn't be upsetting that your computer knows what keys you're pressing or what network you are affiliating with. recording that information permanently could be bad.
if you have an ubuntu laptop with wireless handy, run the following command:
sudo grep AssocResp /var/log/syslog
Ideally the OS should prompt you if an app wants access to your address book, just like it does for location.
"The Weather Channel" is a default icon suggesting a free download on the Kindle Fire.
It asks for:
Set the wallpaper
Send SMS messages
Write to external storage
Access info about Wi-Fi networks
Access coarse location
Initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed
Write (but not read) calendar data
Read calendar data
Required to be able to access the camera device
Open network sockets
Access fine GPS location
Access vibration feature
Access info about networks
If legit apps are demanding all this, then a Chinese weather app dialing those toll numbers in the Caribbean could do the same.
If you do not open them manually or restart you phone (if they have the permission RECEIVE_BOOT_COMPLETED) They are not executing. You can install them and revoke certain permissions before they are running for the first time.
I also remember seeing that permissions were reset on reboot, but that might have been some other setup, not CM.
For their Facebook Connect permissions, they ask for all the permissions… (that was true beginning of November, not sure they changed it since)
Lots of people do read those permission lists, and they are one of the most commonly referenced complaints in app reviews. A firestorm arose when an Angry Birds update inexplicably added the ability to send SMS'.
Further it focuses a spotlight when an app does request a permission that seems out of place. Ideally when Google evaluates app for their "staff's picks" (the "optional curation") they consider threat surface area.
I also asked about whether and how Facebook intended to enforce their platform terms of service, which essentially said apps could use such information temporarily, but that they must discard it no later than 24 hours after a user's most recent use of an application.
I remember that in answering those questions, he essentially said that his preferred approach was not to try and make violations of those terms difficult or impossible through technical means. His inclination was to give apps the benefit of the doubt, and deal with troublemakers if and when issues arise. He also relayed a story about his college days, in which he said that his study of the workings of government was better preparation for his web career than anything directly related to technology.
The "Beluga" app did this, without user permission or warning, and it boomed ahead of competition that did not. "Kik" did something similar. "Industry best practice" indeed.
Sadly, it's a winning strategy, and will continue to be until someone fixes the rules of the game.
I emailed to have my Path account deleted a few weeks ago and was told it had been 'deactivated'. After querying this, it was confirmed that they did not yet have the functionality to delete your data, only hide it. Worrying that he said they can.
Morin and company need to provide an "opt-out and wipe all of my contact data now" option if they don't want legal action and backlash, as well. Simply making the app require opt-in to share this data in the future isn't nearly enough (and, especially in the EU, isn't legal).
Update: I'm working on a MobileSubstrate tweak to neuter AB* functions in non-Apple apps, and it's now possible to get your information wiped from Path... by emailing firstname.lastname@example.org.
"Contacts are suggested from among persons in a user's electronic address book, as well as people with whom the user is communicating by email."
It's been there for over a year. http://en.wikipedia.org/w/index.php?title=Path_%28social_net...
FEB 08, 2012 | 05:19PM PST
Thanks for getting in touch with us! I have erased your contacts and their information from our servers.
On behalf of the team, I’d like to apologize for any privacy concerns that you may have had. Our current release of Path for Android requests permission to access your address book. In the next iOS release, we will have this same permission request added.
Until the update is released for iOS, selecting “Add Friends” will display the names of contacts that you have stored on your phone. But now that you’ve opted out of contact uploading, we will never re-store this data on our servers.
Please let me know if there is anything else I can do to help you. I’m more than happy to address any further questions or concerns that you may have.
Per user Steko is this the ultimate solution to the problem -
(0) we get your permission (is this in the ULA, the in app screen? The privacy page of the app?)
(1) we check for your contacts in our database (hashing your contacts). The method of hashing yet to be determined or what info to hash and match if anything other than the email address or maybe the phone number.
My question is - do you go through steps 1,2,3 each time that you boot up the application or click the add connections button. Compare the hash, report on the matches and dump the rest? Rinse and repeat?
Is the issue more the keeping the address book for later matching, or the passing it in the clear part?
If you were going to have an opt-in or disclosure what would you want it to say?
Here is to RMS and his kind.
At this point, if you want a solution, you need to contact your representative and demand data and electronic privacy laws like that which is written in the constitution of Switzerland.
Or was the first response, "hey, that's an invasion of my privacy!" I doubt anyone said that before the 1950's.
I think privacy is an invention of the late 20th century. I am truly curious if any real notion of "invasion of privacy" existed for most of man's history.
I haven't heard an assertion so patently foolish and I'll considered since the Path CEO claimed that uploading every users "little black book" onto the Path servers without permission or notification was an "industry standard best practice."
What a bunch of hogwash.
Now one would hope that employees wouldn't have unrestricted data to this access, but one would also hope Path wouldn't do this in the first place. The fact that they collect all this information in the first place, unnecessarily and without consent does not inspire much confidence in their internal safeguards for access to this data.
Also, if anything were to happen to the company, it's hard to know what hands all that data will end up in.
More details would probably make it work better, too.
Oh, really? You'd be surprised. http://gawker.com/5637234/
Though I also don't really think it's something private companies should solve. Now, I can of course avoid services that let me be too easily findable, but the proper solution is to make said opt-out required by law. Otherwise it's just not beneficial for the company to provide it.
Disappointed in Path, especially since their focus was on a more private, tightly knit social network.
I thought about this with whatsapp. This is scary because while we are used to having multiple emails for different parts of our lives, juggling multiple phone numbers is still a chore despite services like google voice.
Phone numbers cost money, and multiple emails are usually a chore still.
It's rough around the edges, but check it out: http://news.ycombinator.com/item?id=3564968
It should be available in the BigBoss repository as "Address Book Privacy" sometime tomorrow.
That being said, I wholeheartedly agree it should be opt-in (or at least have an opt-out) for people who are concerned about their personal data.
If they had asked up front for permission this article would not have been written.
Do they explicitly state that what personal information they download to their servers, what they use it for, and how long they retain it?
If not then they're breaking the law in many countries, regardless of what Apple's current developer guidelines happen to be.
Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
Co-Founder and CEO of Path
This is just one out of 100 things that our platform does while solving the usual stuff of apps: user signups, importing address books, invites, etc. However, we applied for a patent on some of the stuff we do. Even though I personally don't like patents, it's the thing to do in the current environment. Going to write a blog post about it soon.
Well shit. How do I get it off their servers?
Without it, generating the table of say 10^10 hashes is within range of almost everyone (especially on a GPU). At say 1ms per input, it would take 10M seconds, or about 4 months.
Is there any regulation to protect consumers here? If not, are any legislators drafting any?
Would the FTC step in or does this only happen when a giant like MSFT/GOOG/FB makes a mis-step?
Did he say that with a straight face? Heard a lot of corporate BS in my time but this takes the cake.
This is Apple's fault for allowing all apps access to the address book. But there is a deeper issue here, trust. Just because I leave my office unlocked doesn't mean my colleagues can steal from it.
I love this app and had great hopes for it but trust is a limited commodity and Path just lost mine.
I know for a fact it is illegal in Europe, know for a fact it is a violation of their contract with Apple, and I am almost positive it is criminal in the US as well.
Therefore the names and affiliations of the engineers here who are claiming data theft of private information is normal are very interesting to me, and I am noting them carefully, as should we all.
I am outraged by this scandal, and I still can't bring myself to believe that Path has been collecting this sensitive personal information. My 6-month old's pediatrician's # is in my phone. If this were EVER exposed or shared with a 3rd party, I can only image what kind of damage could occur. Path should suffer for this. I forgive Apple for secretly tracking my iPhone's location for a year, but I DO NOT FORGIVE PATH. Not this time. This went to far. Dave Morin should know better. I bet an engineer voiced that he felt morally wrong doing this, and Path just fired him. This is just wrong. A defining moment in our industry. We need to stand united on this issue, and just try to move forward.
"The Address Book framework provides access to a centralized contacts database, called the Address Book database, that stores a user’s contacts."
It has been there since iOS 2.0
The moral is to treat customers privacy with utmost respect.
Browser History: There is no way to communicate directly with what Mobile Safari stores.
Other installed apps list: Apps are sandboxed so it is impossible to know what else is installed. If you've developed one of the other apps you can share the same App ID which gives you access to the same storage space so you could create a flag to indicate one of your apps has been installed. Some apps respond to certain protocols so you can ask iOS if a given protocol will be handled and if it returns yes then you know the app is installed. Again because they are sandboxed you really can't do anything harmful and responding to the protocol only allows the other app to receive information, not expose it.
Emails: No, the only way you can do anything with email is prompt the user to compose an email.
Notes: Same as Mobile Safari.
Pics: You can display a popup to the user that asks them to select an image from their camera roll/iPhoto and if they select a photo you then get a reference to an object that represents the photo. You can't just search their camera roll.
EDIT: rbritton points out that with the AssetLibrary framework you can actually search through all pics/videos and for some reason it gives a location access prompt when you do. http://news.ycombinator.com/item?id=3563336
Vids: Same as pics.
Music List: You can get a list of every song in the users library without asking for permission:
Podcast list: Same as music list.
iTunes Username: To my knowledge there is no way to access this but I've never been asked to so I really haven't spent time looking. In theory because you can access the Address Book you could make a best guess at which contact is the user and then assume one of their emails is their iTunes username.
Thanks for the heads up. I was unaware of the AssetLibrary framework.
This is pretty basic stuff.
The above was their official response to me when I asked to delete my account... and I had to ask by email since there is no link on their website to close your account...
Their collective decision making has proven to be a huge liability. Would you hire them for your next venture?
A 14 year old girl could tell you that her address book is private, private, private!
You seriously think that this is out of the ordinary or unusual? How many huge privacy fiascos has Facebook had? And yet, they're about to IPO for $100 billion.
The only group who really cares about this is on HN. In a week, most of us will have moved on to the next big drama. In a year, no one will remember this at all.
The memory of the voting population is short, but the memory of the Internet is so infinitesimal as to almost not exist at all. And truthfully, I'm not sure if that's a good thing or a bad thing.
Downvotes me all you want. The fact remains that, if you asked a teenage girl if it would be OK to grab her address book without consent it is very clear what kind of an answer you'd get. Why is it that a bunch of smart adults think that they can get away with it then? The apology is bullshit. They knew what they were doing and got caught.
As far as only HN caring, I'll bet that users of this app would disagree with you on that point. How many people do you know that are OK with a company of strangers secretly downloading their private data onto their servers?
This, in my opinion, is a very serious transgression.