They did this only to cover their asses and that has been the only concern they've ever had. That they already tried to push the opt-in was of course only in fear of what just happened.
I'm sorry, I'm all for public apologies and I truly believe that it is in times like these that companies have a chance to really prove themselves and really make a mishap something positive (and come out stronger than ever before). And they have tried to do that, for that I give them credit.
But. It was not a mistake. And this sentence really shows why:
"Through the feedback we’ve received from all of you, we now understand that the way we had designed our ‘Add Friends’ feature was wrong."
They did it deliberately, there was not a mistake anywhere when implementing this nor with their intentions, and if they honestly didn't understand that what they did was wrong they don't deserve to be trusted again, not never. And if they did understand that it was unethical, which they undoubtedly did, it is even worse.
Their trust is not worth anything more than what they think they can get away with. The only thing that is different today from yesterday is that they think they can get away with less.
This desperately highlights why both Android and iOS need a way to spoof contacts for apps (return an empty list). Some Android developers have solved this by having two apps in the market, one "private" version that requires fewer permissions. But that's a kludge (that I really appreciate) that almost no one uses.
Of course, there are some things for which no amount of apology could ever bring about true forgiveness (think godaddy). I personally don't feel this is one of those times, but everyone is entitled to their opinion.
EDIT: Switching "amoral" to "immoral"
"Amorality, the absence of morality; for example, a stone, a chair, or the sky may be considered amoral",
"not involving questions of right or wrong; without moral quality; neither moral nor immoral."
Merriam-Webster: lacking moral sensibility <infants are amoral> | being outside or beyond the moral order or a particular code of morals <amoral customs>
Apple dictionary: lacking a moral sense; unconcerned with the rightness or wrongness of something : an amoral attitude to sex.
thefreedictionary.com: Lacking moral sensibility; not caring about right and wrong.
Admittedly, some of these do mention definitions along the lines of "having no moral component", so it looks like everyone was wrong. Hurray!
Hopefully at least five good things will come out of this:
1) Social apps immediately remove the "upload contact list code from their
2) Social apps come up with a more privacy clueful way of searching for
3) Social apps (all apps, ideally) focus more on user privacy.
4) Apple requires permission to be granted before allowing an app to read your contact list.
5) Apple is more explicit about what app developers are _not_ allowed to do when transmitting information off the iOS device.
6) The app review process adds a check to see if certain user private fields are accessed (Contacts, Photos) and ensures (through audit, or confirming with the developers) that private information is not being uploaded without opt-in.
Now you may say, "Who cares what the factors are? A wrong decision is a wrong decision." And you're right. However, as a practical person who wants to see real change come about, I cannot be satisfied with the run-of-the-mill, "They did it because they're evil and untrustworthy" response.
People are rarely inherently evil. I find it hard to believe that this group of engineers is really so different from you and I. It's likely that all of us grew up in similar environments, have gone through similar experiences, and possess similar moral beliefs. So aren't you the least bit curious why they're capable of making a decision you could never imagine yourself making? I think simply dismissing them as untrustworthy people is an irresponsible and short-sighted reaction. Human beings are more complex than that.
A lot of teachers believed that the only students who cheat are the dishonest ones. Well, some clever psychologists came along and -- lo and behold -- they showed that under the right circumstances, you can convince almost any student to cheat. That's the nature of humans.
Like it or not, we react to situations much more than to our personal moral codes. No amount of shaming greedy bankers, book-padding executives, dishonest politicians, privacy-invading programmers, etc. is going to work. If we want to effect real change, we need to change the systems that allow for and incentivize this type of behavior.
I highly recommend reading up on basic human psychology. Influence (by Robert Cialdini) is a good place to start. Charlie Munger's writings, although unorthodox, are also great.
No, it's not. You do not kill a person over any of these. You do not kill someone's trust in you over any of these.
>I cannot be satisfied with the run-of-the-mill, "They did it because they're evil and untrustworthy" response.
Then how about that they are a shitty crappy company who are unconcerned about ethical matters of things and more concerned about what they can get away with. You know that they must have spent considerable time and effort to enable their app and service to steal all Contact data in the first place, right?
>I think simply dismissing them as untrustworthy people is an irresponsible and short-sighted reaction. Human beings are more complex than that.
irresponsible, irresponsible? What shit are you smoking chief? I have zero responsibility for their actions, or the public outrage against it, or my own reaction to crap. Let them rot in hell for all I care.
>convince almost any student to cheat. That's the nature of humans.
I am alarmed, you are now equating cheating under the right circumstances, to planned and intentional thieving under business as usual.
>I highly recommend reading up on basic human psychology
and I highly recommend some common sense.
> No, its not. You do not kill a person over any of these... they are shitty crappy company who are unconcerned about ethical matters of things
> I am alarmed, you are now equating cheating under the right circumstances, to planned and intentional thieving under business as usual.
> irresponsible, irresponsible? What shit are you smoking chief? I have zero responsibility for their actions, or the pubic outrage against it, or my own reaction to crap. Let them rot in hell for all I care.
The facts in this case are simple. The judgement is clear. You seem to be justifying their actions. There is no moral justification.
>type of perfectly disastrous environment that could entice even the most noble of people to make bad decisions
see, because of this incident we can now clearly tell which companies are noble and which were pretending to be so. "ducks in a row" is not a moral argument.
>Either you care more about verbally abusing people who behave poorly, or you care more about preventing poor behavior in the future
I am sorry, it is not an either-or, and not the way you put it too. You admonish people for __bad__ behaviour because you care about preventing it in the future.
> You seem to be justifying their actions. There is no moral justification.
> because of this incident we can now clearly tell which companies are noble and which were pretending to be so.
> You admonish people for __bad__ behaviour because you care about preventing it in the future.
This is precisely my reaction to Facebook's Beacon. I decided that they were either completely inept or amoral. In either case I don't trust them.
But it's also possible for management to make a mistaken decision, and that's what Path is meaning here.
I think their flaw was either in not polling their user base beforehand or in not making it opt-in to begin with, but I also think that this oversight happened because they truly believed in the usefulness of what they were doing.
Then again, I still believe that Google isn't trying to be evil (nor do I really think they ARE particularly evil for the time being), so take my opinion with a grain of salt.
If the going is so bad, I will soon end up using a clamshell that I put up with all these years before an eventful day when I fell in love with an "are you getting it?" product. Makes one wonder what all those jerks making the rounds on SOPA and PIPA are doing to protect us from these Path-like shit makers.
I don't think the developers behind the product were thinking about it in a bad way when they did it that way. It was probably more practical to do it that way at that moment and they didn't give it more thought, like they would never have considered selling that information.
I get that now it's a big deal since it became a huge product. I wouldn't call that a mistake though; the problem with personal information on the internet is pretty recent (Facebook, Google+...) and developers don't really know how to deal with it yet.
I guess the more we see problems like that, the more developers will educate themselves on the matter.
Well, you can make a mistake intentionally.
As in: "I intentionally opted for course A, and I realize it was a mistake".
And if you ask me, that breach of their users' trust is not something that you can just turn around. If they didn't understand that their users might get upset, that only makes it worse (when it comes to trusting them).
"Privacy empathy" (no .. pun not intended I swear) seems hard to come by these days.
> They did it deliberately, there was not a mistake anywhere when implementing this
Exactly - so that's why those "oh I realize that now and really want you all to understand my deeeep commitment to the exact opposite moral values of what I actually did" apologies make me so sick. It completely side-steps the fact that it was done deliberately, 100% on purpose and they basically cover that up by trying their hardest to scrape it under the rug as an "oopsy-daisy!" now and let users feel as if thousands of phonebooks beamed themselves totally magically into their servers and they really had no idea that was happening!
You can simply not be so detached from reality that you do not worry about reading people's phone books like that.
Want to apologize and really speak through actions? Dave Morin, Co-Founder and CEO, step down immediately because you have deliberately violated human rights and now you are just trying to get away with it, IMHO. And as CEO, you are ultimately responsible.
That they've wiped their user data and are giving people the opportunity to use their product in a setting with opt-in sharing seems to demonstrate to me, at least, that they still believe that hosting your contact information would add value to their product, but they now realize that concerns regarding privacy are significant enough to warrant using the product without this feature. To reference a parallel thread, I don't think this is a reflection of morality/amorality/immorality, but rather that this never registered in their engineering oriented brains.
Outside of establishing boundaries there needs to be a way to deal with those who break the rules. Sending CEOs straight to the slaughter house doesn't accomplish anything. Companies need an opportunity to react and do the right thing. Especially when intentions were good, and the reaction from the Company is as responsible as Path's.
+1 Path owned their mistake
+1 Deleted all the data
+1 Fixed the mistake by publishing an opt-in feature.
They did everything they could to right their wrong.
You also need to realize they didn't commit murder. They weren't 'caught red handed with the murder weapon'. They had some digital data, and then deleted it. It's not like they raped and murdered your wife and family. They didn't commit genocide. They made a minor mistake and fixed it.
Great save for a bad mistake.
Sometimes you need to make actions speak louder than words. :)
Better would have been 'we are sorry we misused your phone contacts', rather than trying to make the users responsible by invoking their feelings.
Aside: interesting how the concept of theft seems meaningless when applied to copyrighted material, but meaningful when applied to private data.
It's not a "great save", it's a piece of PR flak arse-covering.
Still leaves me with a shitty feeling. Basically this boils down to "sorry we got caught", they knew what they were doing.
Not to single out Path, a massive number of apps are guilty of this behavior.
And so is Apple. I am alarmed that any 2-bit app can access and upload all my personal contact information for any use they want.
Why would I not trust them with my contact info but trust that they actually have deleted it and there are no copies.
Also, these are developers, there are copies, it's a near certainty.
Since we're talking about a fantastic breach of trust, I'd like clarification that all copies of all uploaded contact information have been deleted from all servers (even ones that one could argue are other people's), and from all backup media, and further that no effort will ever be made to try to recover this information.
Because, I'm sorry, but anybody who thinks it's OK to violate someone's privacy like this is at best someone who is able to easily justify unethical behavior because they think their business might depend on it, and at worst a sociopath.
There is not a human on earth who would not object if someone else picked up their phone and started looking through the contacts.
TO FEEL, as in "we still don't give a shit whether you actually _ARE_ completely in control of your information"
I'm not so sure.
The updated iPhone app does the right thing.
What do the apps not updated to the latest version do? Does it re-upload the contacts? If it does, what does the server do with the data?
I assume that you are not aware of the FTC fine involved if they kept the data, right?
It's almost as bad as what Zynga pulled in its first year in operation.
Here's the explanation:
This is one of the few areas where the EU is (still...) ahead of the rest of the world. Facebook should not be able to collect data on your friends even at your request unless your friends explicitly consent to this.
Clearly your friends have no business passing on your data and Facebook has no business collecting it. "Make sure your friends are comfortable" is no excuse for facebook to go ahead and break the law.
> Your neighbours to the north
I also submitted another bug report (15th time, I believe) about iOS 5's stupid lack of support for audiobook chapters and podcasts...
Yesterday morning Path thought it was perfectly OK to scrape user's Address Book behind their back, and now they suddenly acquired moral backbone and ethics? Please give me a break. What they did today is the only sensible thing there was to try and save the company, so they did it, but should they be commended for that? Hell, no. Would you commend a landlord for dismounting a hidden camera in your bathroom? Doubt it.
The fish rots from the head. The company is still under the exact same management it was yesterday morning. Nothing's changed. I wish Path a slow, painful and very public demise to serve as a dire warning to others in similar positions.
- users brought to light an issue
- we now understand that the way we had designed... was wrong
- we are deeply sorry if you were uncomfortable
Not sorry. Sorry if and only if you took it wrong.
- We want you to feel completely in control of your information on Path.
You won't be in control, but we want you to "feel" you are.
- stored securely on our servers using industry standard firewall technology
Hmm. My firewall doesn't store data.
- We hope this update clears up any confusion
It's not us, it's you. Stop being confused.
This is a non-apology apology. It's a "you caught us, and we don't want our company to die" apology.
If they actually cared about your privacy, they wouldn't have stored all your personal data on their servers without your permission to begin with.
Woah, woah, nice analogy. Except what Path did is even worse. They also retain(ed?) your bathroom activity photos forever and can do what they please with them.
Better than ATT, VZW, MS, TW, Comcast, or any national US bank.
Clearly that is not practical, so we'll have to take them at their word; as it stands, I think that if Path is found out to be lying about this it will come back to haunt them big time.
Written by their CEO => icing on the cake.
Path does not retain or store any of your information in any way.
The big thing in this apology is that they have deleted all the data. That was a good move and shows they listened to complaints. The app update is also smart. Hopefully they will implement a better friend-finding system soon (maybe using the hashing ideas put forward in yesterday's HN thread).
* They've admitted responsibility.
* They've shown they understand why they were wrong.
* They've explained what they've done to put it right now.
* They've explained how they intend to proceed in the future.
My only qualm is that you can't revoke the permission from within the app. The opt-out should be as easy as the opt-in.
While I agree that it would be nice from the user's point of view, the impact of pulling data from the kind of analysis I'd expect them to be doing is going to be a data analyst's worst nightmare (i.e. holes in your data set can sporadically appear, so nothing is concrete and all analysis must be reverse-justifiable). If you can reduce the frequency this happens but still give the users the option, this seems like the best of both worlds.
You can't guarantee a unique hash. When you hash users' data there is the possibility of collision; this probability grows with every new user. Without identifying data of some sort, it's difficult (impossible?) to get the exact user.
Edit: Furthermore, since the set of valid emails and phone numbers is a very restricted set of input, it is extremely likely that there are literally no two valid email/phone numbers that SHA1 hash to the same value.
Instead of an MD5 they could just as easily upload a Bloom filter, which would expose even less data and would compress it significantly; however, it would be more computationally expensive to generate matches that way vs. hashing.
This is matching user email addresses so they can spam you and your friends and grow their company on the back of dodgy practices.
I can't think of a hash function without a good public-key infrastructure, which is obviously beyond Path's remit. Anyone aware of a solution to this?
There it is. If you have a button that stores all contact information, why can't you add a button that says "remove all my contact information"? Of course, then more people will click it. Just a stunt, nothing more.
Undoubtedly in plaintext. Having "industry standard firewall technology" didn't do jack for Zappos, so why would Path's data be any more secure?
This information should never be stored on Path's servers. Best case scenario they should be storing hashes of information, and before people say there can be collisions: so what? The number of people who would be presented with a friend that they don't know will be so minuscule versus the number of people whose personal information is stored in plaintext in a database somewhere.
The idea that when someone signs up for Path and is instantly recommended to friend someone else because that person shared their personal information is scary.
Making this opt-in gives people the illusion of control when one of their tech illiterate friends who always clicks accept has already given out all of this information.
But can you really trust a company like this in the future?
I think Dave Winer is right. One should treat others' data as one would like others to treat one's own data.
I can imagine a user unaware of the recent event stumbling across this article and leaving confused about what wrong was committed. They sort of just assume you knew what happened, instead of explicitly explaining what they'd been doing.
But, they're taking steps to resolve the issue, apparently; so good on them.
Dave explained the issue well enough in the first paragraph.
I don't think it's intentional, though. When writing this I doubt the audience in their minds were the people who don't know about the issue.
- Did they get hacked and now some unknown party may have the contents of my address book?
- Were they selling my information to others?
- Did something happen as it relates to storage that mixed up or deleted information?
- Was my data being transmitted in the clear?
- Was my data being transmitted without my knowledge or approval?
Two of those things did happen but the user doesn't know for sure. To be fair though, I think their statement was enough. They really don't have to go into more details unless the situation calls for it and it doesn't right now. Those who know get the apology they deserve and those who don't continue using Path as if nothing ever happened. Win win.
"In the interest of complete transparency we want to clarify that the use of this information is limited to improving the quality of friend suggestions when you use the ‘Add Friends’ feature and to notify you when one of your contacts joins Path––nothing else. We always transmit this and any other information you share on Path to our servers over an encrypted connection. It is also stored securely on our servers using industry standard firewall technology."
The actual problem was number 5, and they tell you exactly how they are fixing this: by deleting all existing data and letting people opt in to sharing it.
Also, I hope that their "industry standard" firewall is better than their "industry best practices" data sharing practices.
For the benefit of anyone else who is confused: http://mclov.in/2012/02/08/path-uploads-your-entire-address-...
Dave's message is straightforward and sincere.
Even if that weren't the case, "better than Facebook" is a pretty low bar. "Worse than Facebook" is way, way out of bounds.
If they are going to hash the data, they should salt it (and possibly use key strengthening a la bcrypt, etc).
The purpose of uploading your contacts is so that if Jack's phone number is (555) 555-5555, and Sam uploads a contact list saying that he is friends with a guy whose phone number is (555) 555-5555, Path can match up those two phone numbers (or hashed versions of them) and tell Sam that Jack is a member. That match-up doesn't work if the phone number is stored as (a hashed version of) 5555555555jack and 5555555555sam.
It wouldn't keep someone with access from checking if a social relationship existed in the database, but it should make recovering phone numbers and the like from the hashes quite a lot harder.
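As an added example (not code from Path, nor from anyone in this thread), the following Python sketch shows the hashed matching this reply describes, and the collision/Bloom-filter comments above refer to: the client uploads salted hashes of normalized phone numbers, the server indexes its registered users by the same hash and reports the overlap. It also shows why the per-user salt scheme ("5555555555jack" vs "5555555555sam") never matches. The application-wide salt, the registered users and the contact list are all constructed placeholders.

```python
import hashlib
import re

# Constructed sample data (not from the page): address-book entries in assorted
# formats, and the phone numbers of users who are already registered.
SAMPLE_CONTACTS = ["(555) 555-5555", "555.555.1234", "+1 555 555 9999"]
REGISTERED_USERS = {"jack": "5555555555", "ann": "5555551234"}

# Hypothetical application-wide salt shipped inside the client. Every client
# uses the same value, so hashes computed on different phones stay comparable.
GLOBAL_SALT = b"example-app-contact-salt-v1"


def normalize_phone(raw):
    """Reduce a phone number to its digits, dropping a leading US country code.
    Both sides must normalize identically or the hashes will never line up."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def hash_contact(value, salt=GLOBAL_SALT):
    """Salted SHA-256 over the normalized value. The salt defeats precomputed
    tables; because the salt is shared, the output remains matchable."""
    return hashlib.sha256(salt + normalize_phone(value).encode()).hexdigest()


def client_upload(contacts):
    """What the client sends to the server: hashes only, never raw numbers."""
    return [hash_contact(c) for c in contacts]


def server_match(uploaded_hashes, registered=REGISTERED_USERS):
    """Server side: index registered users by the same salted hash and return
    the names whose hash appears in the upload."""
    index = {hash_contact(num): name for name, num in registered.items()}
    return sorted(index[h] for h in uploaded_hashes if h in index)


def per_user_salt_match(contacts, uploader, registered=REGISTERED_USERS):
    """The scheme the comment warns against: salting with the uploader's own
    identity means Jack's registration hash was computed under a different
    salt than Sam's upload, so nothing ever matches."""
    uploaded = {hash_contact(c, salt=uploader.encode()) for c in contacts}
    index = {hash_contact(num, salt=name.encode()): name
             for name, num in registered.items()}
    return sorted(index[h] for h in uploaded if h in index)


if __name__ == "__main__":
    print("shared salt:", server_match(client_upload(SAMPLE_CONTACTS)))
    print("per-user salt:", per_user_salt_match(SAMPLE_CONTACTS, "sam"))
```

The caveat a defender should keep in mind: a ten-digit phone number is a small input space, and the shared salt necessarily lives in the client, so anyone holding the stored hashes and the salt can still enumerate numbers against them. The salt raises the cost over a plain hash but does not make the stored table safe to leak; keeping a secret key on the server instead would mean the client has to send raw numbers, which is the tension the "no public-key infrastructure" comment above points at. Deleting the hashes once the match is computed limits exposure more than any choice of hash function.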
To be honest this should be a third party service, since it sounds like every major social networking app is doing the same exact thing.
Of course the other side would be maintaining users in this service, which again is pretty straight forward.
(Hi David?... I'm the OTHER DJB, probably not the one you are thinking of)
It seems they may have broken the Data Protection Act in more than one way.
* First, they collected personal data about UK citizens without their permission (as a 3rd party cannot give that permission),
* Secondly, personal information was kept for longer than is necessary (it should have been deleted after it was used)
* Thirdly, they allowed personal data to leave the EU.
Note that personal data includes name and address, telephone number or Email address.
While I don't think it's acceptable to ever make this kind of mistake, we should also encourage companies to be upfront and honest about what went wrong and what they're going to do to make things better when issues come up.
This is a positive step forward for this company and tech companies as a whole. Having said that, maybe I would feel different if I actually used this app?
I keep a lot of data about people in my address book in addition to phone numbers and email addresses: birthdate, names of children and spouses, residential and work postal and physical addresses, gift ideas, group affiliations, etc.
I am happy to click "OK" if an app asks for essentially the social graph information that I've already exposed through Twitter and Facebook. I don't want an app to have the other data I've curated. Even if you can trust the app vendor to not be evil, you can't guarantee they won't leak the data through incompetence.
So while Apple really should require permission for apps to get access to the address book, we really need a new model more sophisticated than all or nothing.
Will hashing be implemented?
This is smoke and mirrors and makes it sound like they've done a good deed.
Not only did they take full responsibility for what they did and apologize instead of making excuses, they deleted all the data people were concerned about, wrote a well-worded blog post about it that hit the top of hacker news within a couple hours, AND pushed a fix for the issue to the app store all within less than a day of the concern becoming public.
Path's attention to detail not only in the gorgeous design and user experience of their app, but in the way they handle PR crises like this one only makes me trust them more. Well done Path, well done.
Only when someone caught them "in a compromising position" they said sorry.
It's like Bill Belichick saying "I misinterpreted the rule" :)
It would be a bit of a bureaucratic pain in the ass though.
Unfortunately, these things happen.
What you have to do now is look at how Path reacted. The second the article exposing their mistake was published Path became very open and honest. Above that they offered reassurance to their users, deleted the data (I never expected that), and pushed a feature to opt-in to sharing your private data.
In my opinion they couldn't have handled this any better. For that reason, I give Path all the trust and respect in the world.
I'd be impressed if they'd turned round and said "We realise it looks like we were trying to expand our business off the back of your private data, and have therefore decided that in our next release we will stop uploading users' contact details altogether. We'll make our social network so compelling that it'll go viral without abusing your privacy."
Do you honestly believe they are sorry and they deleted your data just because they said so?
I personally doubt it. It's valuable for the company and it would be foolish (from their perspective) to delete it. Somebody has to write & test code, to make sure that the code uploads all your contacts.
I find it hard to believe that you have access to all the data, see what is coming in, and then discover, when you're caught, that "oops, we made a mistake. Our implementation sucked."
After reading the post, it is apparent that Path did nothing wrong except poorly communicating their procedures and policies.
Or do they mean they are sorry you found out about it?
It'd be great to see a new "best practice" emerge from this discovery. If it's easy to use, everyone building an app will just default to comparing hashes vs. matching phone numbers.
If they do it often enough, in the end one of them will even claim they're using the "standard industry practice"
We are guilty. We took your contacts...and no, you can't have them back.
That sounds like exactly what you were hoping for.
So, they haven't changed their implementation, they've just added the ability to opt out of the poor implementation.
They are putting a false choice in your hands that they hope will lead to the status quo while still giving a show of making good on this issue. They could, through sophisticated hashing and matching algorithms, do the user matching without ever learning your contact details. But they aren't bothering to do that. Instead they are just planting a checkbox in front of the user before they go and violate their privacy, and they hope that the vast majority of users will just check it and they'll only lose data from a minority of privacy nuts. Which means Path will end up exactly where they would have been anyway - with a giant database of personally sensitive information sitting unencrypted on their servers, waiting to be exploited, abused or leaked.
The community response to this is ridiculous. Off the top of my head, I can't think of any other company that has responded to community criticism within a day or two with a policy reversal, a software change, and a deletion of offending data.
Guys and gals, stop picking on Path. They are AWESOME. They deleted your data and changed their app so it would never happen again. Try that with Facebook.
As a nerd, on some level I too lament that they didn't fix this with a cryptographic hash and a bloom filter, but come on, as businesses go, this is top notch.
Also, yes, I typically forgive people when they reverse their actions and ask for forgiveness. It makes for good relationships.
The rest of it is a repeat of yesterday and is really not necessary.
I do want to know how I can back up my Path to an S3 or Dropbox account. Does anyone know if they support this?
Making sure you really lose a single record is a lot more expensive because then you have to selectively remove it from your spinning back-ups as well, in this case you can just wipe the back-ups of the file by opening the file for 'update' and overwriting it with random data.
Tapes are a bit harder again...
Did you know that Path by default and always does not store Android phonebook address entries on their server?
In fact it's against standard Android dev practices, to the point where it's prohibited by Google..
So when Path found out about that in completing the Android app, why did they continue to insist that it was right on iPhone to do so?
Now I would not say the Path CEO is directly lying, but it stinks pretty bad..
Note to app builders: never hire a PR firm to do your dirty work.
Moreover, how on earth did you think the "Add Friends" feature worked? I'm assuming at least some of you program software, and you should know that data doesn't just appear out of nowhere. Do you really expect a software startup to move every piece of data sorting & analyzing to the client side that has potential to piss off its userbase?
I understand that it's easy to just encrypt the information, or some other X remedy. I'm just saying there's a line between a software mistake and the let's-grab-the-pitchforks rhetoric that inevitably stems from stories like this.
Unless all their userbase is composed of programmers or at least IT people, it's completely unreasonable to expect them to know that. I think they should, for their own sake, but as an app developer you can't assume they do.