> Why wasn't this [sending all the contacts to your servers without users knowing] an opt-in situation to begin with? Isn't that against Apple's own T&Cs?
and the Path CEO replied:
> This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we've been proactively addressing this.
Really guys? REALLY? This is why developers need explicit guidelines, because as they just demonstrated if there are no guidelines companies default to the thing that exploits the end user! (incidentally, it's unfair to pick on Path too much as almost all social networking applications do exactly this also.)
I actually cringed when I read this "however, as mentioned, we believe users need further transparency on how this works" ... which is why it took someone running a proxy and writing a blog post for you to suddenly be transparent about it. Mind blowing. Why even say that?
Btw, times like this? You destroy any and all credibility when you say you are trying to build a company that is built to last or one that is going to follow in the footsteps of Apple.
Apple would never do this to their users.
(do not make this a discussion about the evil and good sides of Apple. Apple has repeatedly not bowed to companies desires for owning contact information and I expect they will fix this contact hole in the near future.)
It's sad because I respect Path and their love of design. But design isn't just about how it looks. It needs to resonate through the entire vision, company, product, and how you treat people.
"This is currently the industry best practice"? That's the biggest bullshit line I have ever heard. No, it's most certainly NOT a "best practice", and even if it were, it shouldn't be, and as a CEO, you're supposed to be bright enough to know this. And if you don't know this, you're supposed to be bright enough to make up a better excuse when you get caught. Hint: This ain't it.
>> No, it's most certainly NOT a "best practice"
How can I remove my information if I've never installed Path before? It doesn't seem right that my contact information, which I have kept private, because someone I know has uploaded that information. Do I not have a right to keep that information private?
This would make Path and other companies that upload the entire contacts database the prime candidate for hackers and government agencies that want non-Facebook information about people, given a name, phone number or email address.
> Do I not have a right to keep that information private?
But you didn't. You gave it to someone else. It's not your information any more.
Information about you is not information you own.
Privacy and anti-spam laws in various jurisdictions cover what an organisation can do with information they collect about private individuals, but that has nothing to do with ownership.
Generally no. I mean anyone can put their in-laws' information on their blog. It's a dick move but not illegal generally (if you're putting the person in danger like a battered spouse or witness protection there may be problems, IANAL).
I get the outrage that they didn't hash everything but the righteous indignation that a social network is trying their best to let people know when their friends sign up seems overblown.
Moral of the story: don't be shocked when social networks don't follow best practices for privacy. Also foxes like chickens.
If they're smart they'll revamp their system to work like this:
edit: (0) we get your permission /edit
(1) we check for your contacts in our database (hashing your contacts).
(2) we let you know if any matches are found.
(3) we throw away all your data afterwards.
They'll generate a few fewer matches this way but since they're going for stronger ties it shouldn't really be an issue.
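As an added example (my own, not Path's code and not from the commenter above), here is the flow of steps (0) to (3) in Python with constructed sample contacts: the client refuses to proceed without consent, normalizes and hashes each entry so that only hashes leave the phone, the server matches those against its own hashed index and retains nothing from the request. The last function shows the caveat a practitioner would raise about this scheme: the space of phone numbers is small enough that the server, or anyone who obtains the hashes, can reverse them by enumeration, so hashing limits what leaves the device but does not make the upload anonymous. The function names, the sample data and the "bare 10-digit numbers are US" rule are assumptions.

```python
"""Hashed contact matching: added example, not Path's code.

Implements steps (0) to (3) from the comment above with constructed data.
"""
import hashlib
import re
from typing import Dict, List, Optional


def normalize(contact: str) -> str:
    """Canonicalize so the same person hashes identically on client and server."""
    c = contact.strip().lower()
    if "@" in c:
        return c                      # e-mail: lower-cased as-is
    digits = re.sub(r"\D", "", c)
    if len(digits) == 10:             # assumption: bare 10-digit numbers are US
        digits = "1" + digits
    return "+" + digits


def contact_hash(value: str) -> str:
    return hashlib.sha256(normalize(value).encode()).hexdigest()


def client_prepare(permission_granted: bool, address_book: List[str]) -> List[str]:
    """Steps (0) and (1): no consent, no upload; only hashes leave the device."""
    if not permission_granted:
        raise PermissionError("user declined address-book access")
    return sorted({contact_hash(c) for c in address_book})


class MatchingServer:
    """Steps (2) and (3): report matches, persist nothing from the request."""

    def __init__(self, registered_users: Dict[str, str]):
        # index: hash(identifier) -> handle of the registered user
        self._index = {contact_hash(i): handle for i, handle in registered_users.items()}

    def match(self, uploaded_hashes: List[str]) -> List[str]:
        found = sorted(self._index[x] for x in uploaded_hashes if x in self._index)
        uploaded_hashes.clear()       # nothing retained after the comparison
        return found


def reverse_phone_hash(target: str, prefix: str = "+1415555", width: int = 4) -> Optional[str]:
    """The caveat: the phone-number space is tiny, so a bare hash is reversible.

    Enumerates only the last `width` digits under a known prefix; a real
    attacker would enumerate a whole country's numbering plan.
    """
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == target:
            return candidate
    return None


# Constructed sample data (assumption; not real users)
REGISTERED = {
    "alice@example.com": "alice",
    "+1 415 555 0123": "bob",
    "(415) 555-0199": "carol",
}
ADDRESS_BOOK = ["Alice@Example.com", "415-555-0199", "dave@example.org"]


def demo() -> List[str]:
    """Run the whole flow once; returns the handles of matched contacts."""
    uploaded = client_prepare(True, ADDRESS_BOOK)
    return MatchingServer(REGISTERED).match(uploaded)


if __name__ == "__main__":
    print(demo())                                            # ['alice', 'carol']
    print(reverse_phone_hash(contact_hash("415-555-0123")))  # +14155550123
```

Keying the hash with a server-held secret would stop outsiders who steal the hash list from reversing it, but not the server itself; the only real fix for the "someone I know uploaded me" complaint is to throw the hashes away, which is what step (3) does.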
No, this is a matter of security. Apps should not be able to access user data without explicit permission. It's not something you can rely on guidelines for.
> Apple would never do this to their users.
You're being way too generous to Apple here. They are the ones who provide the API. I've used other phones and their APIs never freely provided my data to apps. Honestly, if I knew the iPhone worked like that I wouldn't have bought it.
Wait, on second thought. Maybe he is right. Hopefully he will post a comprehensive list of all other companies he is aware of that engage in this practice in order to show his good will in stating it is an industry best practice according to his personal knowledge, and not that he is merely a compulsive liar. I look forward to Mr. Morin's follow up with the list.
Played right, this episode could actually give them free publicity. Companies like Facebook and Zynga have been embroiled in far worse controversies, and they've all blown over.
2) requested a complete deletion of our family's account
3) requested deletion of any/all stored information
4) considering contacting our lawyer
Ok, I'm going to pick on you for a second.
Hold the downvotes everyone! Let me explain.
This seems like a bit of a knee-jerk reaction akin to "think of the children!" or the whole child porn scare-mongering that politicians engage in that we on HN are always criticizing. I recognize that Path screwed up, big-time, but I'm unclear on why them having the information you cited, along with dozens or hundreds of other contacts from your address book, for millions of users, constitutes some kind of terrible threat to your children. I mean, their schools, their bus companies? How is that even remotely useful information to anyone?
I think there's plenty to criticize here from just the high-level perspective of "they used my contacts without my permission", without using the children scare-mongering tactic. But maybe there's a specific threat in mind that I'm not thinking of?
Anyway, just thought your response was a little over the top, and more informed by emotion than reason.
Ok, now everyone can downvote :)
Now most people's response to that kind of threat is to think "I'm just nobody important, no one would ever go to the trouble of using this information to impersonate me or otherwise make my life difficult." Probably you are underestimating one or more of: (a) your importance, meaning how much money someone stands to gain by impersonating you, (b) the gullibility/apathy of customer service reps at the companies you interact with, or possibly (c) the amount of free time and/or perversity of someone who will fuck with you just for the lulz.
So now, without consent, this "private" "friends and family"-based app I installed on my phone, plus its company, plus any other company they choose to do business with, or any entity that acquires them in perpetuity, or any data mining, social profiling, credit bureau, can start building far-reaching and long-lasting profiles of a four-year-old little boy who needs extra help.
What part of that confuses you?
p.s. this could have been avoided with a dozen lines of code via a dialog box.
Do you also buy snake oil if it comes with a document using lots of difficult sounding words but ends saying it cures everything?
> along with dozens or hundreds of other contacts from your address book
Path should be private by default. Forever. You should
always be in control of your information and experience.
> for millions of users
"kill one, it's murder - kill 1,000,000 it's a statistic" - this isn't about your children - it's about mine. ;)
> constitutes some kind of terrible threat to your children
Where did I say this was a "terrible threat" to my children? Maybe it is, maybe it isn't - bottom line is we did not consent to it. And perhaps we just want to protect our underage children from having behavioral profiles or credit risk assessments built up on them before they reach kindergarten.
Interestingly enough, according to Path it is VERY reasonable that I should protect my children's information:
We take reasonable measures to protect your personal information
in an effort to prevent loss, misuse and unauthorized access, disclosure,
alteration and destruction. Please be aware, however, that despite our efforts,
no security measures are perfect or impenetrable and no method of data
transmission can be guaranteed against any interception or other type of misuse.
(You)...accept all risks of unauthorized access to the Registration Data and any other information you provide to us.
> But maybe there's a specific threat in mind that I'm not thinking of?
Yes, there is. And I acknowledge that you might live in a world where you have no problem allowing anyone in the world to know any detail they can illicitly sneak out of your phone about you, your family, and your friends - but most of the rest of us don't.
For fuck's sake a UIKit dialog box and handler code is less than a dozen lines of code and then NONE OF THIS WOULD BE AN ISSUE.
> Anyway, just thought your response was a little over the top, and more informed by emotion than reason.
I'm curious, do you have a spouse or children?
What are you talking about? Do you expect them to perform complex data analysis to figure out that certain contacts are young children, and then explicitly ask permission to share those? Or do you expect them to preemptively ask for any potential sensitive contact information? "Can we use your children's information?" "Can we use your in-laws' information?" "Can we use the address of the President's safehouse?" Etc.
I ask because we would be foolish to think the developers of some less than typical quality apps have not, or will not, exploit this for their own monetary gain.
On our lap/desktops we use prompting firewalls and on occasion will even watch suspicious apps or behaviors, if you will, where on iOS this is much harder.
I have an idle FreeBSD box and may start mitm'ing like OP did, but seriously poring through the kind of output a home network produces doesn't sound like fun at all and I already know that going back to a dumb phone would probably be just as easy.
I would be curious for someone to do this with other apps. Even those that aren't social networks. I have a strong inkling that most of the top free apps are doing this without any of us knowing.
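As an added example (my own, not the commenter's and not from the original blog post), here is how one could triage a proxy capture for the pattern OP found, in Python: look at every POST body and flag those that carry address-book-style field names or a bulk of e-mail addresses and phone numbers, which separates a contacts dump from an ordinary login request without knowing the app's wire format. The captured requests are constructed; the host, paths and JSON key names are assumptions, and the regexes are deliberately loose because this is triage, not parsing.

```python
"""Triage of intercepted app traffic for bulk contact upload: added example.

Works on (method, host, path, body) tuples as one might export from an
intercepting proxy; the CAPTURED sample is constructed, not real traffic.
"""
import json
import re
from collections import Counter
from typing import List, Tuple

Request = Tuple[str, str, str, str]        # (method, host, path, body)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
# JSON keys that usually mean "the whole address book is in here" (assumed names)
FIELD_RE = re.compile(r'"(?:contacts|phones|emails|address_book|addressbook)"', re.I)


def count_identifiers(body: str) -> Counter:
    """Count distinct e-mails, distinct phone numbers and suspicious keys in a body."""
    c: Counter = Counter()
    c["emails"] = len(set(EMAIL_RE.findall(body)))
    c["phones"] = len(set(PHONE_RE.findall(body)))
    c["contact_fields"] = len(FIELD_RE.findall(body))
    return c


def flag_requests(requests: List[Request], threshold: int = 5) -> List[Tuple[str, str, str]]:
    """Return (host, path, reason) for POSTs that look like an address-book dump.

    A login form carries one e-mail; a contacts upload carries dozens. The
    threshold separates the two without parsing the app's format.
    """
    hits = []
    for method, host, path, body in requests:
        if method != "POST" or not body:
            continue
        c = count_identifiers(body)
        reasons = []
        if c["contact_fields"]:
            reasons.append("address-book field names in body")
        if c["emails"] + c["phones"] >= threshold:
            reasons.append(f"{c['emails']} e-mails and {c['phones']} phone numbers")
        if reasons:
            hits.append((host, path, "; ".join(reasons)))
    return hits


# Constructed capture (assumption): one contacts dump, one login, one image fetch
_contacts_body = json.dumps({
    "device": "iPhone",
    "contacts": [
        {"name": f"Person {i}",
         "phones": [f"+1415555{100 + i:04d}"],
         "emails": [f"person{i}@example.org"]}
        for i in range(6)
    ],
})
CAPTURED: List[Request] = [
    ("POST", "api.example-social.com", "/v1/contacts/add", _contacts_body),
    ("POST", "api.example-social.com", "/v1/login",
     json.dumps({"email": "me@example.com", "password": "hunter2"})),
    ("GET", "cdn.example-social.com", "/img/avatar.png", ""),
]

if __name__ == "__main__":
    for host, path, reason in flag_requests(CAPTURED):
        print(f"{host}{path}: {reason}")
```

The same counts run over every app on the phone would answer the commenter's question about which free apps do this; the one thing the script cannot see is a body the app encrypted or compressed before sending, which is why inspecting the body and not just the endpoint name matters.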
What kind of argument is this? So if he doesn't have a spouse or children he can't be right. What kind of populist are you?
Don't really like this kind of argumentation.
What do you expect to achieve with this step?
I would respect a company that did this because they are not only addressing users that are aware of it but also users that are not aware (but are affected.)
Wiping data is fine but it feels like it doesn't solve the crux of this problem -- communication and transparency. Companies make mistakes and they can fix them, sure, but communicating about them? that's much cooler. (I suspect this is overkill unless mainstream news catches on this - which seems unlikely)
Ambivalent boss: "I don't think it's a problem, who's going to notice anyway?"
Not that the ethical engineer will get anything more than personal vindication for actually giving a shit.
1) Immediately delete all of the non-user data
2) Send an apology e-mail to each Path user explaining the situation
3) Write, by hand, a corresponding apology letter for each Path user
4) Hold a townhall-style meeting in which members of the public can ask him questions
5) Pay, out of pocket, the travel expenses of anyone who attends the townhall meeting
6) Wear an indicator of shame (large necklace or a sign) for as long as he is CEO of the company
1.) Get the user's address book and 2.) upload it to a server.
Installing an application implies a higher level of trust than a web application. You can't prompt the user for every API that might have a nefarious use. Location data is also much more sensitive so it makes sense to prompt the user for that.
The problem is that this isn't easily enforceable at the API level without the user having to make decisions. The right level of enforcement is at the app review stage.
It's not enforceable even WITH the user having to make decisions. The user can not allow the app to upload one kind of data and disallow another (address book). You can only allow ANY upload or no upload at all.
1) Get the user's address book 2) upload _something_ to a server.
A user could give permission to both.
You'd have solved the problem, but created a horrible user experience instead.
I feel like shooting someone every time I see them (or for that matter, anyone else) doing things 'proactively' (at least three times in the comments of original blog post). My BS meter goes all red on that. What does 'proactively addressing issue of transparency' mean? Even the sentence itself is not transparent.
I seriously wonder why so many companies communicate using language like that. Is it because of law? If instead, he'd say "well, we really screwed that one up and we want to apologize; right now we're trying to figure out how to fix those issues, please be patient" - could that get them sued, or what?
And yeah, if you don't do this (everybody else does AFAIK) you're left with a disadvantage in hooking you up to your friends who also use the service.
I actually think the CEO's response is not that bad.
"Proactively" doesn't mean acting after you've been caught.
Actually, it means exactly the opposite.
About four years ago, a new trend just started emerging. Sites would ask users for their Gmail passwords and scrape all the users' contacts to invite them to their service. I remember this because I was at a company where I refused to implement a service that requested a user to enter their Gmail password. They got someone else to do it. The issue was that we had competitors using this tactic and they were gaining a lot of users. Unless you have a way to level the playing field, you'll end up just punishing the ethical companies.
Apple makes apps prompt me every time they want to know my location or send me push notifications, but they don't require it for the contacts info.
How is managing push notifications more important than leaking private contact info?
iOS doesn't know what's being uploaded by an app. It can't know. They could ask every time an application wants to access your contacts (which, I think, would really suck for UX, and it'd be a context-free question without indication of what the data would be used for), but after that? There is no practical way to know that that data is being sent over the wire to somebody.
Perhaps not, but remember that Apple are supposed to have approved all Apps on the AppStore. It's supposed to be for user benefit, to prevent malware, viruses and bad applications. However this app was approved by Apple. What, exactly, is the point of the AppStore approval/walled garden approach if this is acceptable?
Facts are stubborn things.
I live in almost the middle of nowhere, I guarantee nothing like google maps, etc has ever passed this way to map my WIFI point's BSSID onto a physical location, yet the week a member of my family got an iphone, plugging the BSSID into a location api gives the exact location of my house...
Here's more useless analytical evidence to suggest that most people don't know everything: when Samy Kamkar first demonstrated geolocation via BSSIDs, I tried out every wireless router in my house, including one that had not been plugged into a wall in over 4 years and never at my current residence, long before Google started wardriving for street maps and well before the first iPhone came out. He was able to accurately map it to my old residence. That means that sometime before December of 2006, someone or something was able to snatch my BSSID from someplace, accurately note its physical location in the world, and store that away in some database that was used almost 4 years later. I can guarantee you it was not Apple, and I'd be damned surprised if it was Google at that time.
The data was used for GPS assistance -- it was a cache that triangulated your location from cell phone towers to help get a faster GPS lock (and to find your location without GPS if you’re getting bad GPS signal).
If you're concerned about the police finding out your moves, they have access to such information from the telcos themselves with your cell number, whereas to use those stored GPS logs they would need physical access to your iPhone.