Hacker News: mishmash's comments

I've just:

  1) saved their Privacy Policy and Terms of Use
  2) requested a complete deletion of our family's account
  3) requested deletion of any/all stored information
  4) considering contacting our lawyer
As I emailed to Path's support, our 3-4 year old children's schools, bus companies, physicians, pharmacies and our family lawyer were in that contact list - that's an insane, willful, and quite unexpected violation of our privacy.

Worse, it could have easily been solved by adding an entry to their Privacy Policy (under the "What Personal Information Do We Collect?" section) and/or a simple dialog prompt.

Unbelievable.

-----


> As I emailed to Path's support, our 3-4 year old children's schools, bus companies, physicians, pharmacies and our family lawyer were in that contact list

Ok, I'm going to pick on you for a second.

Hold the downvotes everyone! Let me explain.

This seems like a bit of a knee-jerk reaction akin to "think of the children!" or the whole child porn scare-mongering that politicians engage in that we on HN are always criticizing. I recognize that Path screwed up, big-time, but I'm unclear on why them having the information you cited, along with dozens or hundreds of other contacts from your address book, for millions of users, constitutes some kind of terrible threat to your children. I mean, their schools, their bus companies? How is that even remotely useful information to anyone?

I think there's plenty to criticize here from just the high-level perspective of "they used my contacts without my permission", without using the children scare-mongering tactic. But maybe there's a specific threat in mind that I'm not thinking of?

Anyway, just thought your response was a little over the top, and more informed by emotion than reason.

Ok, now everyone can downvote :)

-----


Having all that information (school, doctor, lawyer, pest control company, health insurer, employer, credit card company, ...) about one person or a family, together in one place, is a social-engineering / identity-theft cornucopia. Imagine if Path had a data breach resulting in this contacts database floating around the internet.

Now most people's response to that kind of threat is to think "I'm just nobody important, no one would ever go to the trouble of using this information to impersonate me or otherwise make my life difficult." Probably you are underestimating one or more of: (a) your importance, meaning how much money someone stands to gain by impersonating you, (b) the gullibility/apathy of customer service reps at the companies you interact with, or possibly (c) the amount of free time and/or perversity of someone who will fuck with you just for the lulz.

-----

[deleted]

One of my kids has special needs. This means he rides a certain bus and goes to a certain school. It would be trivial to uniquely identify him for the rest of his LIFE with only the information contained in my contacts list.

So now, without consent, this "private" "friends and family"-based app I installed on my phone, plus its company, plus any other company they choose to do business with, or any entity that acquires them in perpetuity, or any data mining, social profiling, credit bureau, can start building far-reaching and long-lasting profiles of a four year old little boy that needs extra help.

What part of that confuses you?

p.s. this could have been avoided with a dozen lines of code via a dialog box.

-----


Actually there is a simple solution for your problem. Don't use social apps. Especially not if they are free!

Do you also buy snake oil if it comes with a document using lots of difficult sounding words but ends saying it cures everything?

-----


> I'm unclear on why them having the information you cited

First of all, my wife and I actually read and attempted to analyze Path's Terms and Privacy Policy before joining. They did not in ANY WAY have our permission, either implicitly or explicitly to collect private information about our children, who are, 3 and 4 years old.

> along with dozens or hundreds of other contacts from your address book

From path.com/about

  Path should be private by default. Forever. You should 
  always be in control of your information and experience.
I was never once asked, agreed to, or gave consent to allow anyone to collect sensitive information about where our children are schooled, what buses they ride, where they receive medical treatment, or OTHER PLACES I LEFT OUT OF THE ORIGINAL LIST BECAUSE THEY ARE PRIVATE TO MY FAMILY. :)

> for millions of users

"kill one, it's murder - kill 1,000,000 it's a statistic" - this isn't about your children - it's about mine. ;)

> constitutes some kind of terrible threat to your children

Where did I say this was a "terrible threat" to my children? Maybe it is, maybe it isn't - bottom line is we did not consent to it. And perhaps we just want to protect our underage children from having behavioral profiles or credit risk assessments built up on them before they reach kindergarten.

Interestingly enough, according to Path it is VERY reasonable that I should protect my children's information:

  We take reasonable measures to protect your personal information 
  in an effort to prevent loss, misuse and unauthorized access, disclosure, 
  alteration and destruction. Please be aware, however, that despite our efforts, 
  no security measures are perfect or impenetrable and no method of data 
  transmission can be guaranteed against any interception or other type of misuse.
Combined with:

  (You)...accept all risks of unauthorized access to the Registration Data and any other information you provide to us.
My risk, right?

> But maybe there's a specific threat in mind that I'm not thinking of?

Yes, there is. And I acknowledge that you might live in a world where you have no problem allowing anyone in the world to know any detail they can illicitly sneak out of your phone about you, your family, and your friends - but most of the rest of us don't.

For fuck's sake a UIKit dialog box and handler code is less than a dozen lines of code and then NONE OF THIS WOULD BE AN ISSUE.

> Anyway, just thought your response was a little over the top, and more informed by emotion than reason.

I'm curious, do you have a spouse or children?

-----
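The comment above argues that a consent dialog plus its handler is a dozen lines of code. As an added illustration (not code from Path or from any commenter in this thread) of what such a consent gate looks like on iOS, written against current UIKit and Contacts APIs rather than the 2012-era UIAlertView; the `uploadContacts` hook and the `contactsUploadConsent` defaults key are assumed names:

```swift
import UIKit
import Contacts

// Added example: ask the user before any address-book data leaves the device.
final class ContactsConsentController: UIViewController {

    // Hypothetical upload hook; the app's real network code is out of scope here.
    var uploadContacts: ([CNContact]) -> Void = { _ in }

    // Constructed key name used to remember a refusal so the user is not nagged again.
    private let consentKey = "contactsUploadConsent"

    func askBeforeUploadingContacts() {
        // Honour an earlier "Don't upload" without asking again.
        if UserDefaults.standard.object(forKey: consentKey) as? Bool == false { return }

        // The message states exactly what would be sent and that nothing is sent by default.
        let alert = UIAlertController(
            title: "Upload your address book?",
            message: "To find friends, this app would send every name, phone number and e-mail address in your contacts to its servers. Nothing is sent unless you agree.",
            preferredStyle: .alert)

        alert.addAction(UIAlertAction(title: "Don't upload", style: .cancel) { _ in
            UserDefaults.standard.set(false, forKey: self.consentKey)
        })
        alert.addAction(UIAlertAction(title: "Upload", style: .default) { _ in
            UserDefaults.standard.set(true, forKey: self.consentKey)
            self.readContactsAndUpload()
        })
        present(alert, animated: true)
    }

    private func readContactsAndUpload() {
        let store = CNContactStore()
        // The OS-level Contacts permission is a second, separate gate; the app's own
        // disclosure above is what tells the user where the data goes.
        store.requestAccess(for: .contacts) { granted, _ in
            guard granted else { return }
            let keys = [CNContactGivenNameKey as CNKeyDescriptor,
                        CNContactFamilyNameKey as CNKeyDescriptor,
                        CNContactPhoneNumbersKey as CNKeyDescriptor,
                        CNContactEmailAddressesKey as CNKeyDescriptor]
            let request = CNContactFetchRequest(keysToFetch: keys)
            var contacts: [CNContact] = []
            try? store.enumerateContacts(with: request) { contact, _ in
                contacts.append(contact)
            }
            DispatchQueue.main.async { self.uploadContacts(contacts) }
        }
    }
}
```

The point the thread is making is covered by the alert text alone: the system permission prompt only says the app wants to read contacts, so it is the app's own dialog that has to disclose that the whole address book is being sent off-device and give the user a way to say no.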


> They did not in ANY WAY have our permission, either implicitly or explicitly to collect private information about our children, who are, 3 and 4 years old.

What are you talking about? Do you expect them to perform complex data analysis to figure out that certain contacts are young children, and then explicitly ask permission to share those? Or do you expect them to preemptively ask for any potential sensitive contact information? "Can we use your children's information?" "Can we use your in-laws' information?" "Can we use the address of the President's safehouse?" Etc.

-----


> What are you talking about? Do you expect them to perform complex data analysis to figure out that certain contacts are young children, and then explicitly ask permission to share those? Or do you expect them to preemptively ask for any potential sensitive contact information? "Can we use your children's information?" "Can we use your in-laws' information?" "Can we use the address of the President's safehouse?" Etc.

Just a "Can we upload your entire address book?" would have worked. Or perhaps listing "Your entire address book" in the "What personal information do we collect?" section of their Privacy Policy.

-----


That still wouldn't be specific permission to share children's information specifically, which is what it seemed like you were requesting.

-----


No, but giving him the information would have informed him sufficiently so that he could have decided whether he wanted to (a) not use the app or (b) delete sensitive contacts before using it.

-----


I think you're spot on here mash but I have a disconcerting question. How do you intend to handle this situation with every other app you, and presumably your wife, have ever downloaded? Specifically those that may not be as 'transparent' as Path?

I ask because we would be foolish to think the developers of some less than typical quality apps have, or will, certainly exploit this for their own monetary gain.

-----


> How do you intend to handle this situation with every other app you, and presumably your wife, have ever downloaded?

Not sure yet. Path is actually the first (and will certainly be the last) social network I've ever joined - and it was precisely because it was supposed to be private and they had a pretty reasonable privacy policy. I remember something of this nature after the App Store was first released but had honestly thought it was a fixed issue.

On our lap/desktops we use prompting firewalls and on occasion will even watch suspicious apps or behaviors, if you will, where on iOS this is much harder.

I have an idle FreeBSD box and may start mitm'ing like OP did, but seriously poring through the kind of output a home network produces doesn't sound like fun at all and I already know that going back to a dumb phone would probably be just as easy.

-----


I was worried that would be the response. Not that I think it's a bad idea, it's just such a substantial shift from what I'm used to.

I would be curious for someone to do this with other apps. Even those that aren't social networks. I have a strong inkling that most of the top free apps are doing this without any of us knowing.

-----


> I'm curious, do you have a spouse or children?

What kind of argument is this? So if he doesn't have a spouse or children he can't be right. What kind of populist are you?

-----


Seems to be an ad misericordiam argument. It's bad they share private information of people in your contact list without your or their permission. But adding children in the mix is just used to add effect to your argument.

Don't really like this kind of argumentation.

-----


> considering contacting our lawyer

What do you expect to achieve with this step?

-----


To get his money back, of course.

-----


To get perspective, actually. Most lawyers are wicked smart and it sucks you aren't in a position to have such a valuable resource available in your own life. HTH.

-----


Lawyer? God, get a fucking grip. No wonder companies treat their users like morons.

-----


Because asking for advice from those wiser than oneself clearly makes one a moron.

-----


It would be nice to go a single week without seeing how utterly complete the notion of privacy has been destroyed.

-----


The responsibility entirely rests in a large part on the shoulders of the geek community - the enablers. I find this entire thread surreal. These were the obvious issues that were front and center way back when chat servers showed up. Some have been raising this issue both publicly and privately since early 90s if not earlier and were marginalized precisely for being bad news bears.

Here is to RMS and his kind.

At this point, if you want a solution, you need to contact your representative and demand data and electronic privacy laws like that which is written in the constitution of Switzerland.

-----


Here's a question: was there a concept of privacy 100 years ago? Or 500? Whenever someone had a baby, or bought a cow, or had an affair on their spouse, didn't everyone in town know about it? Did they ask people's permission when the first telephone book was published?

Or was the first response, "hey, that's an invasion of my privacy!" I doubt anyone said that before the 1950's.

I think privacy is an invention of the late 20th century. I am truly curious if any real notion of "invasion of privacy" existed for most of man's history.

-----


This is a patently absurd notion.

I haven't heard an assertion so patently foolish and ill-considered since the Path CEO claimed that uploading every user's "little black book" onto the Path servers without permission or notification was an "industry standard best practice."

What a bunch of hogwash.

-----


Your comment seems trollishly silly, but... the internet and residential electricity are also both inventions of the 20th century - I guess we could destroy those too without bothering you?

-----


> Am I insane for being completely satisfied with $80,000/yr to do really cool multithreaded programming work on some seriously beefy hardware? (Midwest area.)

In 10 years of midwest experience, $80k is probably a bit on the low side for systems-level work. Just a few years ago I would see DreamWeaver jockeys pick up full time for ~$50k/year. One hire did NOT know the difference between HTML and an HTTP server, someone else called me into a training session she was hosting and asked why her form wouldn't work. She had set the form's action param to email:

  <form action="mailto:example@domain.com">
Sadly I'm not kidding. :(

On the high-side, I've seen C/C++ contractors charge $100-$250/hour, depending wildly on the individual consultants.

So I don't think you're crazy for being happy. And great working conditions can have an often immeasurable impact on life. Happiness, is, after all, the end game - and a guaranteed $80k/year might be worth more than an unknown $120k/year for some people.

-----


Mailto actions were widely supported in early (pre-Netscape!) browsers, weren't they?

-----


Cool, I didn't know that (started late 90s here) but that wasn't what this person was attempting to do. Apparently she had asked for the source from another dev's script and saw something like:

  action="process.php"
And just thought This Should Work™ too and put the mailto: into the form. When it happened, in front of 50 other people, I just stared at her for a moment and said it was complex and we could look at it later. Not really much else you can do in those situations.

-----


http://www.google.com/search?q=mailto+form+action

-----


No. Mosaic did not have an integrated email reader, and there was no protocol for starting your mail client of choice. OmniWeb did support mailto: by passing it over to the mail app on NeXTStep, but that was an uncommon platform.

-----


When I first learnt HTML in the late nineties, the book I used contained mailto actions on forms, which I remember worked just fine for me in IE (4 or 5). Some searching suggests that IE interfaced with Outlook Express to do this.

-----


Interesting. How on earth did that work? Did browsers have built in SMTP clients?

-----


Netscape included a mail client.

-----


> Anyone have any ideas on how to get the IP blocks of MPAA member companies?

It's been tried before. Maintaining the list is very difficult for the exact same reasons that would have made PIPA/SOPA technically inept.

e.g. http://en.wikipedia.org/wiki/PeerGuardian

-----


Also it's definitely a shotgun approach, and tons of innocent people would be affected. For example, bluetack's most conservative list level1 (http://www.iblocklist.com/list.php?list=bt_level1) includes any organization with significant intellectual property.

-----


Such lists continue in wide use. Of course they are not foolproof, but they do help.

-----


peerguardian and its ilk don't help at all. they make uninformed people feel safer.

-----


Is that true? Could you let me know where you got that info from so I can check for myself? Thanks!

-----


Great commercial and easily relatable.

Just yesterday I was looking for shirts at a top3 US retailer and encountered something I'd never seen before:

  - there were six rows (shelves) and about 7-8 columns
  - there was a maybe 14x10" "70% OFF" sign at eye level
  - HOWEVER, there were two qualities/brands contained in the cells
  - one brand had the clearance 70% off marked on their tags
  - the other brand DID NOT and was marked full price
  - the clearance and full price cells were randomly placed
  
So the display resembled this simplified matrix:

  [FULL][sale][FULL]
  [sale][FULL][FULL]
  [FULL][sale][sale]
I had already carted four shirt designs before realizing three of them weren't on sale. Tricky bastards. ;)

edit: formatting

-----


# or $ gives the reader an indication of what type of account should execute the command.

-----


Thanks to everyone involved!

-----


Instead of hockey stick growth, would this be like light pole growth? ;)

-----


Both of your examples are of people who are and were extremely well known both before and outside of GitHub.

-----


Well, I've met some extremely talented people through GitHub who would otherwise be unknown. People who have built now popular libraries and frameworks.

-----


Same here. Our turn-around is usually two days. We routinely get the "we've received" emails but our next ones won't ship for 1-3 days after that. It's annoying considering the "unlimited" plan claim.

-----
