An open challenge to PandoDaily (scripting.com)
127 points by davewiner 1940 days ago | 67 comments

Pando Daily appears to be trying to recreate the TechCrunch of last year, rather than the TechCrunch of 3+ years ago. This is the same guy who wrote the mocking article on Ireland's startup scene. I guess he's filling the MG Siegler role.

You know what would be awesome? Some solid technology journalism. The last thing we need is another conflicted, industry mouthpiece. If this is the content they're pushing, I hope it fades into oblivion.

And, if I might be so bold:

Technology != Consumer-Oriented Devices

Edit (before the downvotes hammer this comment into oblivion): The subject here is "tech journalism". I don't consider puff pieces about smartphones, MP3 players, your cell carrier, or anything else related to consumer-grade products to be "tech journalism".

I've pretty much stopped listening to "tech podcasts" and subscribing to "tech magazines" because of this problem. They're not delivering anything even vaguely related to technology any more. They're telling me about the latest iPhone or iPad press release, or how some cell carrier is doing something that I really could care less about. Just like I don't care about the latest digital camera, or the latest MP3 player.

Which tech magazines do you read and recommend?

Maximum PC. Hands down the absolute best computer tech magazine on the market. Also highly recommend "This Week In Computer Hardware" (http://twit.tv/show/this-week-in-computer-hardware) for a tech-related podcast.

I've stopped listening to "Buzz Out Loud" because of its wall-to-wall smartphone coverage. And I'm about to give up on "This Week In Tech" (along with four or five other podcasts) for the same reason.

What do you look for in a tech magazine?

First and foremost I want a dead-tree version of the magazine. Call me old-fashioned (and old, for that matter), but I like paper. I've tried the Nook and the Kindle, but they're just not my cuppa.

Second, I want real technology news. I don't want to read anything about smartphones, or cameras, or tablets, or gaming / gaming consoles (my favorite magazine, Maximum PC, does waste too much space on gaming for my tastes), or MP3 players.

Bottom line is that I don't want to be "entertained" by any magazine or podcast. I want to learn something.

EDIT (belated): Always in the market for tech magazine and tech podcast recommendations if anyone has some!

Have you looked at ArsTechnica or Anandtech? They're always really high quality, editorial-based journalism.

usenix ;login: 4 life.

Very nice! Off to spend some money!

To put it another way:

If your address book data was stolen and made public because of poor practices by one of your apps, you'd be pretty upset right? PandoDaily mocking that type of situation is somewhat alarming.

However, if PandoDaily doesn't care about that type of scenario then go ahead and publish their address books. Otherwise, it's no laughing matter.

Edit: I agree with Dave's point. They wouldn't share it because no one wants this to happen. Therefore they shouldn't be mocking something that is fairly serious.

Thank you. That was the point of the challenge.

The author of the Pando article is 18 years old. He's not at the age where he has been burned by something he did when he was young and dumb. He's hard at work building a great foundation for when that moment arrives, though!

A net naive.

My open challenge to PandoDaily is to stop being utter shit. That's it. No clever attempts to trap them into defending their beliefs, just improve to the point where they in some way, shape or form resemble a credible journalism outfit.

I think the point of the PandoDaily post was that you're already trusting apps with access to your data. You've granted permission for the app to access it any time. When I grant permissions for an app to access my data, this doesn't mean I am allowing my data to be published for the world to see. That's what privacy policies are for.

...and the point of Dave's response is that there's no way to guarantee the privacy policy is obeyed, unless it is enforced one way or another. User expectations with regards to the private data were supposed to be guarded by App Store approval process and Apple's iOS access restrictions, however this and now photos somehow slipped through.

Pando's mocking of the situation with clipboard example is off the mark. User's expectations from the clipboard is to actually share data (between the applications). Yes, there's a chance that app will publish the contents of your clipboard, but I don't think many users will store sensitive data in the clipboard anyway. In other words - vulnerability of the clipboard is an acceptable trade-off, however accessibility of contacts, photos, other private data is really not.

Privacy policies can rarely if ever be enforced or guaranteed. This isn't something new. I can't think of many cases where a third party guarantees adherence to privacy policies. Ultimately if you give someone access to your data, you have to trust that they treat that data appropriately.

The whole point of the PD article was that you trust developers to not do these things because market forces keep them in check. If an app was abusing your privacy, it would be revoked by the marketplace (Apple, Google, BN, or Amazon) and its developer's reputation would be tarnished.

Of course, maintaining a database of sensitive information is rife with risk, and it's completely fair for journalists to point that out. However, Path, Hipster, Instagram, etc. have no intention of leaking your data. An article reminding us to give developers the benefit-of-the-doubt in these cases is not even remotely the same thing as an article defending leaking personal data.

It's therefore disingenuous of the author to suggest that reminding people to be civil in the ways they react to these situations implies that we should all be comfortable publicly posting our personal rolodexes.

Someone else's contact information is not your IP to divulge; however, that doesn't mean we need to start a witch-hunt about it.

There are hundreds of thousands of apps. Not all of them have reps that can be tarnished.

Here is another great article about the credibility issues the Silicon Valley industry has because of its conflict of interest: http://www.latimes.com/business/la-fi-hiltzik-20120222,0,704....

This is a false comparison.

Uploading your address book to Path is not the same as an app locally reading the contents of your clipboard and asking if you want to use that data. It's not even in the same league.

And, loath though I am to defend PandoDaily, the OP misses the point of their article. Uploading your address book to an app is different than posting it publicly because people trust Path with their data. If they didn't then they really shouldn't be using it in the first place.

> Uploading your address book to an app is different than posting it publicly because people trust Path with their data.

Are you sure about this?

Has every Path user really reviewed Path's data security policies and deemed them satisfactory? Do Path users even have access to that information? And if they did, would most of them be in any position to evaluate it knowledgeably?

Or isn't it more likely that they trust Path because they don't know the full scope of what Path has access to? Blind trust is easier to extend to someone the less information you're trusting them with, after all.

Yes, I think it is quite a clear statement. Uploading to an app is not the same as posting it publicly.

Other points that you are mentioning have more to do with user's willingness to take privacy seriously. Most don't take it seriously because a) it's tedious and time-consuming b) they probably don't understand it c) it is easier to trust the company like everyone else and get onto using the app and d) ... as long as it does not include criminal, financial, health or their telephone records, everything is pretty much a go go for a user.

Users don't care about their privacy unless it has elements of the 4 categories stated above. Users hate hassle and they have pretty much resigned from the fight for privacy mainly because they have found that the benefit of sharing things with others outweighs the willingness to be clear of a trouble that rarely ever shows up in their conscience anyway .... think about it ... when was the last time a major security breach occurred that compromised so many millions and devastated so many thousands that it has left a blip or a bad mark on users' conscience.

We may be very techie ... but average users are far more occupied with other concerns. So blind trust plays a strong role for them.

I didn't read all the disclosure documents on my mortgage, but I bought the house anyway.

I'm not saying Path is right for what they did, but neither do I think it's the same as publishing everything where identity thieves can get at it. Such black & white thinking is of little use in creating policy.

"I didn't read all the disclosure documents on my mortgage, but I bought the house anyway."

You should have read them. All those people who got stung by Adjustable Rate Mortgages? Didn't read the terms either.

Now imagine that an app has terms that are a bit like Adjustable Rate Mortgages.

I'd argue that even if they read the security policy they wouldn't understand it anyway. When you're surrounded by hackers it's easy to think everyone has some basic understanding of computers but in reality most people are lucky if they know how to print a damn Word document.

This really is a false comparison. Accessing an address book for the app's use only and accessing the address book for public publishing are so far apart it's ridiculous. Security policies don't mean anything. If data is stored digitally there will always be a way to compromise its security no matter how much encryption, SSL, etc. you use. Security, especially on the web is a total misnomer. All you can really do is make it inconvenient to access.

Trusting a company isn't about their data privacy and security policies. It's about their brand to a large degree. Their track record and other people's experiences with the app. I'm in the camp that understands these policies and what they mean but that's not the reason I trust the company behind an app. I trust Google with my docs because they have a good track record. Facebook I trust as a necessary evil. Scratch that, I don't trust Facebook but I use it anyway because I'm banking on the odds. I think that's what it boils down to for most average folks. If the odds are that they'll have no trouble then that's a risk they're willing to take. If there's a breach of security and a bunch of people have their data exposed (but I'm not affected) well that makes me think twice not because of the breach itself but because of all the pile-on press coverage.

I'm one who firmly believes that people don't make their own minds up about this stuff. The average person's view of this whole app uploading address books thing is based purely in whichever side of the manufactured debate is the loudest and seemingly most expert-y. After watching how people use the web, their computers, and their smartphones for some time now I've become really cynical when it comes to this stuff. People don't seem to care until someone writes a blog post that tells them they should care.

> People don't seem to care until someone writes a blog post that tells them they should care.

But that's the point, isn't it? They shouldn't have to care! People shouldn't have to be security experts to use a phone. The phone should protect them by default and make them have to jump through hoops to waive that protection, rather than the other way around.

The phone isn't what's insecure though in this case. We're talking about the security of the servers that these apps are sending data to. For some reason people think about phones differently than any PC running whichever OS. If the app store didn't exist and we got smartphone apps the way we all used to (and to large degree still do) download PC programs I doubt anyone would be upset with Apple. All the blame would be solely on the app developers. Apple polices the app store and locks down iOS a lot as it is. If Path were a native Mac or Windows program and it was accessing data from other programs we'd all be screaming that it's some kind of spyware. We'd probably be saying that Path itself should be asking permission to access data, not the OS. But because we have the app store and have come to have this strange relationship with Apple where we bitch about how locked down the devices are but at the same time want them to protect us from apps like Path we're placing some responsibility on Apple. I don't think it's right. We need to decide if we like our locked down devices or if we want Apple to stop playing babysitter for us.

Amen to that. I couldn't have said it any better. I have been arguing the same thing - history of the web and these companies have been a pretty clean one.

It's different in that having your address book uploaded without your permission is actually being the victim of a crime in most countries. At least posting it publicly is a voluntary act.

Putting yourself in a situation where you are very likely to get mugged would be better comparison. Winer is being mild in his challenge.

So yeah, I agree it's not in the same league, but not in the way you mean.

Sorry but I think you're missing some data here. Every app on the iPhone can upload your address book, pictures and calendar data to their servers, whether or not they have anything to do with contacts. Every app. It's worth taking a look at the trivial crap we put on our iPads and iPhones thinking they're harmless, when each of them could be leaking all our private bits everywhere.

No, I'm aware of that. What I am saying is that uploading data to an app, no matter what that app may be, is not the same as posting it publicly.

When you upload to an app, the makers of that app have access to your data. Don't get me wrong- that's a bad thing. But if you upload your data publicly, anyone in the world has access to your data. Drastically different.

Because there's no way that your data, once uploaded to the app vendor's servers, can ever leak out. Right?

No way they are running their operation on the cheap and don't have their servers secured against intrusion.

No way they can be inexperienced developers and build an API that leaks information to improperly authenticated requests.

No way they can have a disgruntled employee throw a torrent of it all up when he gets fired.

No way they can get bought by someone with fewer scruples and hand your data over to them as part of the acquisition.

These are all perfectly valid critiques of the notion that "my data is protected by Path's privacy policy", and they are excellent reasons why Path was right to apologize and correct a genuine problem with their app's behaviour.

But they aren't really relevant to the parent comment's point, which is that, even with these (potential) holes giving your address book to Path is fundamentally different than posting it publicly. In one instance, your data is public, immediately and unconditionally. In the other, there is potential for abuse that could result in your data becoming public if an arguably unlikely sequence of events were to occur.

So it doesn't make any sense at all for Winer to be challenging PD to engage in a behavior that is simply not analogous to the issue at hand. All that Winer's post does is distort the issue, intentionally or not, and distract from the important debate/conversation that Path's policies initiated. I honestly don't see how that's helpful at all.

[UPDATED: Minor correction for clearer syntax]

Nothing personal, but I think it's naive to assume that.

I once did a deal with a software publisher that required me to turn over the source code.

One day I came into the office and found a disk clearly labeled as the source for my product, on the receptionist's desk.

That was pretty close to public, and I remember that every time I let something sensitive out of my control.

Also every few months I have to change my credit card number because a charge appears that I didn't make. Luckily the credit card companies have developed good algorithms for detecting these. Now you might assume that every company that you give your CC to is being careful not to make it public, but if you believe that, you aren't reading the news.

Well, the credit card example you give is a good one- you can go through life without paying for anything by credit card, and your credit card will never be stolen. If you do pay for things by credit card, there is a chance that it will be stolen. If you post your credit card details publicly there is a 100% guarantee it will be stolen.

I think the same applies to apps. There is a sensible middle ground in there somewhere, and the new permission request alerts from Apple will go a long way to helping with that. But no, never any guarantees about anything.

But this is like someone on the subway reaches into my pocket and takes the credit card, copies the number and then publishes it in a blog post.

I trust Path with some of my data -- most of it generally created for the specific use within Path.

This is apples to oranges. Most users use applications because they find out about it from trusted sources. They are more interested in just using the application and moving on. Users have shown time and again that as long as the source is trusted (friends, media, overhyping blogs) then they leave it up to the company to make sure their data is private. Calling to a challenge of posting everything to public is misstating what users actually provide: a permission to take their data and keep it private versus here is my data for the rest of the world to see. There is a social contract between the user and the company that is bound by the trust that "my info will not be leaked" and looking at the history of the web I think the companies backed by competent teams take this contract very seriously.

So it's okay that Twitter, Facebook, Path, etc, all have my contact list and possibly more? The point isn't that users trust they are keeping the data safe, it's that they took it without asking up front. Those apps may be out to make its users' lives easier, but I would like to know when they are taking my personal data and keeping it for 18 months in an archive.

Either way, TC was/is lame. PandoDaily is too.

It is not okay in the legal sense. But it has been given a green light far too many times by tacit approval of the users who could care less so long as the info is not leaked.

In what bizarro world do consumers trust companies that steal their private data without permission?

Companies I trust don't break the law and violate my privacy. Contracts, especially unwritten "social" contracts, don't override the law.

Theoretically speaking, in every conceivable world, would the users not trust the companies who steal their data. However, practically speaking, users trust the companies who "steal" their data so long as that data is not publicized/leaked. In fact, I would argue as much that most users know that there is information being collected of them that they are not aware of, and they have accepted it because they haven't seen huge negative consequences in their personal life or in the media that make them worried of the collection of their information.

In my opinion, it would have to take a data breach of the likes of Katrina, tsunami 2004 and BP oil spill all within a few weeks for users to get hammered with the point that they should be more concerned about what is happening with their data.

Having said that, there will always be a small group who would be up in arms about the simple act of stealing whether a negative consequence follows or not. And kudos to them for they are doing a service to us all by keeping an eye on these companies.

The point that I am trying to get across is that the history of the web along with the time consuming nature of reading huge agreements has led to users entering into social contracts of trust with these companies. They could care less about how much you try to alert them. Companies can continue to take one action after another to alert the users of all the things the company will do and the user will merely see that as an obstacle to get to the app and therefore will simply accept/agree robotically and move on. Why?

Users behave in herd mentality, respond to only the most imminent of threats or fear of extremely dire potential consequences. If they see everyone else doing something they will do it too, even if that means you get them to agree to very stiff contracts. They will simply accept it as a way of life and move on.

When creating privacy policies, companies play this balancing act. What to constantly alert a user about, how many of them will actually care, we as a company know that all their data will be protected and not used criminally anyway?

Whatever Path, Facebook, Twitter and others do with our data is irrelevant to most users so long as most of their trusted circles are doing it too. It just isn't a big issue for them as they maneuver around other pressing issues in their lives. Kudos to those few who have made it a big issue and have kept these companies at their toes. Their effort is worth commending and appreciating, and not mocking as has been done by others.

Exactly. This 'challenge' has absolutely nothing to do with what PandoDaily is talking about. There's a huge difference between giving your information to a trusted company versus just throwing it out in public.

"When you said X, you probably meant Y. But I bet you don't believe Y, thus you were lying about X."

How many pointless arguments take this form? He should articulate why he considers the situations comparable, so the Pando people have something to disagree with.

This is a little abstract for me, so I'm not sure I understand the objection.

Their point is that we are being silly for caring where our personal data goes.

If we're being silly, here's an easy way to prove it. Show us how careless you are with your own personal data.

If there's a limit, something you won't do to show how casual you are about it, then we found something that we agree on.

My belief is they haven't thought it through, and are just being cute for the sake of being cute, about something that is very serious.

Actually trying to help them find a good place. Because where they are now, is not good.

Of course imho and ymmv.

"My belief is they haven't thought it through, and are just being cute for the sake of being cute"

What I find scary sometimes is if you make challenges like you did to Pando you are assuming they even have the same sense of care and responsibility about their data as you or an average person would.

This reminds me of someone who runs an amusement ride and says "I let my kids ride that ride" as if that is to imply ultimate safety. It doesn't. To wit: There was a story or two recently about parents who let their teenage daughters sail around the world solo. I don't think most parents would do that.

The article referenced an app accessing the clipboard (x) and your challenge involved uploading all of one's contact information and pictures (y).

You missed the bigger story that they were making light of.

I didn't miss it.

Nice post. If an application on our computers would upload all our contact details, our bookmarks etc to their servers to make it "easy" for us, would we agree to that? Guess we are just using these apps without worrying about the security. Good that people like Dave are bringing it out to the open.

Pando Daily's cynicism is only matched by society's indifference to data privacy.



PandoDaily appears opaque about their bias to me, so I don't read it.

Edit: needs a question mark after "editing".

Don't download an app unless you trust the folks who made it. It's not on the company, it's on you. You are responsible for yourself and the security of your information. It's not Instapaper's job to watch your shit.

Also, call a spade a spade. If you want to issue them a challenge, ask them to download the Facebook app or the Path app or any of the other infringing apps. But they already have. They have already done the thing they're being accused of being uncomfortable with.

How sharing information from your iPhone with a company and publishing it online for the world to see are equivalent, I can't fathom.

So, since every single application in your computer can access all of the same data and do whatever they please, has had that ability since forever and we see that as an advantage (see problems with adding sandboxing on the Mac), why are we so concerned about it on our phones and completely ignore the issues otherwise?

The only reason I could come up with is that on the phone we have apps that actually use that data, social networks of various fashions, while on our computers we mostly use apps to do stuff and social networks stay in the browser.

Should we be asking OS vendors to add those checks to our computers too?

People are much less careful with what they download and install on their iPads and iPhones because of Apple's assurance that the apps are safe.

Exactly. There's an implicit promise to Apple's sandbox and theirs and Jobs' statements about how they're protecting users from Internet scaries (including porn and other "offensive" content) has given users an incorrect impression that data on their phones is safer than data on their computer. Add to that the fact that most adults remember an era when cellphones had no connectivity, or only USB or serial connections, and it's not hard to see how people missed this.

Now the platform owners (Apple, Tootle, Microsoft, etc) must respond to keep the promise they've made, whether stated or implied, or eventually users will rebel. But until the response or rebellion happens, how much damage will be done?

The platforms will adapt, and users will eventually upgrade or move to competitors, but it will take months or years.

Nice try. No Pagerank for you!

....do...you even know who Dave Winer is?

Why does that matter? I'm judging the content of the article, and it's just accusing another blog of something, just drama.. no valuable content here. Just pointless, trivial drama looking for an ego boost.

Hint: scripting.com has a better pagerank than PandoDaily.

He's the guy who practically invented blogging.

Again, that doesn't matter. Even after knowing who he is now, trivial content is still trivial content. And he might've invented something, but blogging most definitely isn't it. Blogging was going to come about inevitably once someone invented the internet - that was the hard part. Blogging is just an extension of people expressing themselves.

Please, please. Why go there? You've got this thread where you could be having a discussion on an interesting and important topic, but you're wanting to fork it into a personal attack over something that's irrelevant to the topic and that has been discussed ad nauseam on tens of thousands of other such threads.

Oh god. Stop with the hero worship. The guy is a verified lunatic living off a legacy that he helped build. If you'd stop kissing his ass for one minute you might see what a whacko he's become.

I'm not involved in any hero worship at all. I'm saying that it's downright ridiculous to accuse Dave Winer of making a popularity play.
