UNTETHER Asks: how pissed should we be with Path?

Following our recent 1 billion word triumph, UNTETHER Discusses Asks returns to answer the interwebs’ burning questions. Last night, news broke that Path secretly uploads users iPhone contacts to its own database without notification or permission.Now, Path is certainly not the only company to do this, but for a micro-social networking app that is trying to be the anti-Facebook, having a Facebook-like privacy issue so early in its lifespan is concerning. So the question I pose is this: how angry should we be with Path? For insight from a developer perspective, I’ve added regular UNTETHER contributor Jeff Bacon.

Jeff, let’s start with you to understand just how common something like this is among mobile apps. Is it prevalent across iOS/Android/BlackBerry? I would think not for BlackBerry apps, simply because the BlackBerry OS ask users permission for just about any API access.

Jeff Bacon

Generally I believe that you should be told by an application what they are doing with your information — either explicitly with a link before sign-up or before the personal information is accessed, even if it’s in the form of a privacy policy you need to read through. Good practice would be to provide a more “average joe” style privacy policy in addition to the official legal one but most people don’t actually do that. In terms of accessing your address book, there are tons of apps that do that and if it’s all for the purposes of local use (i.e. the data is used by the application locally to enhance the experience) I don’t see any issue with it. The BlackBerry OS does warn the user fairly well now when the applications want to access your personal information but since most people just click ‘allow’ on those warning, I’m not sure that’s really an effective guard to rely on.

In the case of Path, I think they probably just took a lazy “get it working and into market” approach rather than going the extra mile to use hashed data that would not compromise a user’s privacy if the Path servers were compromised (or at least mitigate the impact). Usually when companies do that maliciously they tend to try and hide their tracks better so I suspect it was simply an oversight — though a large one based on the PR impact of it.

Douglas Soltys

If would be great to see iOS and Android follow RIM’s footsteps and lock-down the address book API so that users HAVE to agree to give up access first.

I agree with you that I don’t think Path’s intentions were malicious, but I also think that’s besides the point. While it is a cool Valley startup with an interesting product, it is also a very small company that I know little else about in terms of security or data practices, and now it has all the contact information of my friends and family. Many people today have issues with larger, more established, and (hopefully) more secure companies like Facebook and Google having access to that data – are we really ready to give that info to a company of 10-20 simply because it has office space in the Mission?

Jeff Bacon

Don’t forget that any time you use Facebook Connect or authorize an app to use Twitter that app/company/service has access to a ton of information about you. Yes, they throw up a warning first, but warnings are only good if people pay attention. What Path did was bone-headed and it should not get a pass for it, but I do think that we’ve moved too far (or are dangerously close to moving too far) towards removing all responsibility of people to pay attention to what they do and accept when using services online. No one is forcing someone to use Facebook (or insert other social network here), so as long as their privacy policies are well stated, it’s up to an end user to decide of the value of the service is equal to or greater than the value of the personal information they are exposing.

Note: one of the complaints many end-users had on BlackBerry was the volume of warning that would come up for accessing APIs. RIM tried to streamline that into a grouping of general access when you install the app or a summary page giving bulk permission to the app (at the press of a button by the end user) so really RIM is moving away from the warn-about-everything behavior to be less intrusive… but also easier for user to just click “accept all” permissions.

Jennifer Daly

I agree with Jeff on his comments re: “get it into market” and it simply being an oversight. They likely started to develop the application prior to the FTC handing out follow up actions to the likes of Facebook, Google and Frostwire for similar violations in 2011. I also agree warnings are only as good as people paying attention. But don’t forget with the case of Google Buzz, the whole alert system was too vague/lax. The FTC stated that app developers have to be very explicit in their warning word choice. The Google Buzz case makes it harder for people to simply hit “accept” without something catching their attention.

Path might pay for this from a PR perspective like Jeff alludes, but I don’t think it’s going to hurt them in terms of subscriber uptake. If they have slow growth… it’s likely to do with loss of interest. Like how I feel about Pintrest, About.me and Google+. Seriously, I can’t keep on top of all these “look at me” apps, regardless of my Klout score benefit.

As cranky as people get about privacy settings on social networking tools, it will never stop them from using them and inputting/posting their deepest darkest secrets on a daily basis. I can use myself as an example: as long as my direct messages, passwords and banking information aren’t being accessed, I am not upset and these sorts of news stories don’t faze me.

For the record, companies don’t have to follow RIM’s footsteps and lock down the info: it’s already outlined by the FTC, PCC and UK’s data privacy act. App developers cannot take this information (without prior consent) without it being a direct violation of the law. If they choose to, they will be receiving a letter from their various government organizations to show up before the appropriate council for disciplinary action. Although, currently it’s only either a monetary wrist slap or an action file press release. Path is basically beating the FTC to the punch by already modifying and apologizing to its user base.

Jeff Bacon

I wonder how long it will take before companies treat data privacy like tax laws and base their businesses off-shore in places that do not have the same regulations around privacy violations. Eventually (potentially), regulatory restrictions will tie the hands of businesses to the point where they can’t compete with new and innovate services that are developed and managed off-shore and require the unrestricted access to your information in order to do [cool new thing X].

Jennifer Daly

Oohhh I like that idea.

But I have to mention that money is property of the state. Therefore, tax laws effectively have jurisdiction to govern. Hence the reason why if corporate money/operations monetizing business are moved to said state with different laws loop holes are created.

Data, is not property of the state. It’s property of the person (and corporations are people too). Therefore, I think the real future revelation will be a global accord for data privacy, similar to other multinational treaties.

Jeff Bacon

If data is the property of the person, not the state, than how are states able to regulate what companies do with the property people are willingly giving to them? There’s way too many pieces of regulation that are designed to protect people from themselves, and while I’m being a bit of a devil’s advocate saying that it’s a black-and-white issue whether you see people’s data as something the state should be allowed to regulate, the point is that where the greatest concern is over the privacy of information (the U.S., as that’s typically where new, innovative services are created) is also the place where there are the most lax rules for civil lawsuits. Simply providing the financial incentive for companies to be responsible by making it easier for individuals to recoup losses based on a companies behavior is, I think, better than true government regulation.

… I can’t believe I just made a case for supporting the ridiculous civil lawsuit process in the U.S. I am so ashamed…

Jennifer Daly

You should be, haha.

With that said, the government is responsible for acting in the best interests of the people, which is why they can tell companies what do with the data. They are essentially protecting “the people.” Maybe this sort of legislation should be championed through a referendum vote to safeguard that it is actually the people that have vested the power to the federal courts to regulate on their behalf.

Yes, the US is the most lax for civil lawsuits… however corporations that violate what the FTC sets out are punishable by federal jurisdiction. It is debatable whether those governing bodies are any better than their civil legal forums – for the sake of the American people, I would hope they are.

Douglas Soltys

Good points all, but let’s take this back a notch. As a user, do you feel betrayed by something like this? Or is the reality that we have to be willing to give our personal information to almost any/every company out there to take advantage of free services? I’m inclined to think that people feel the latter, but the recent dust up over Carrier IQ (http://untether.tv/tag/carrier-iq) tends to indicate otherwise. Would the average consumer be more pissed if they had a full understanding of what specifically they’re giving away?

Jeff Bacon

Carrier IQ was a trumped up story by the media and totally mis-represented, as are most privacy stories out there. When I explained to my mom what information was actually shared when you signed up for a Facebook account and actually participated on it, she was surprised — at how little it was unless you provided it. She – and she’s not alone – thought that from the media’s view on privacy that just by going online your life’s story and all your private info was available for all to see. In actual fact, there’s very few of these services that REQUIRE your real information (though most work better if you provide it). You can go on Facebook and control what information is shared and what information Facebook has on you by choosing what to input into the system.

Jennifer is right though, most people just add info and data willy-nilly when they create accounts and don’t think about the implications. I’m not sure the average consumer would be “pissed off” if they knew the fine details of the data mining and sharing behind the scenes, but they would probably be smarter about what information they choose to give up.

Rob Woodbridge

From my simple mind, this is a simple case of a developer thinking from a developers perspective. We see this all the time: implementing a feature that “helps” the user while not thinking of the implications it has on everything else – like privacy. The argument is sound:help the user connect with their contacts faster. The implementation was not but they will quickly rectify with their next release.

The bonehead move by Path was knowing about it and not informing anyone. That is a small business mistake that could cost them.

One last point is that we all have a price for giving up our privacy but when it involves not just us but our contacts – especially without permission – it becomes a larger, more complicated issue.

Douglas Soltys

Update: Path has followed the advice of their investors and nuked all the data they were holding without awareness or consent.

It seems as though Path is sincerely apologetic about the situation. I will give them the benefit of the doubt (this time), but I still worry about all the other mobile apps out there with less noble intentions, doing things we don’t know about (yet) with our data.

In the end, I feel it’s up to the platform holders (Google, RIM, Apple) to enforce disclosure, and up to the consumers to demand it. Every startup with a mobile app should also be taking notes and thinking twice.




About the author

Douglas Soltys

Douglas is the former Editor-In-Chief of Inside BlackBerry, BlackBerry Cool, and QuicklyBored, which he launched as a mobile gaming industry site. His knowledge of mobile and social media led him to a job at RIM (BlackBerry), where he got to travel the world and do lots of cool things. He is often left-handed, but rarely sinister.

  • I actually write a related article on privacy a couple months ago on BaconOnTheGo.com: 
    http://bacononthego.com/2011/12/01/innocence-is-bliss-privacy-issues-are-mostly-overblown/

    Though it related user users’ mis-use of their own data:

    Real privacy violations are very important and should be written about a lot — and companies that are offenders should be punished harshly. Most “privacy” violations aren’t really violations at all and could have been mitigated, prevented or avoided by the user who was violated taking steps to protect the very information that they are so offended has been compromised. 

  • Jeff,

    Good points, but there are different types of violations: those that violate the letter, and those that violate the spirit of the law.

    Often, information on how data/information will be used is buried/difficult to find in the EULA, or unclear/purposefully vague on the ramifications.

    For the benefit of the consumer, there should be a real push to make this information clear for everyone to understand, and bring it above the fold so that the repercussions are patently obvious. Unlike other nuggets that are contained within EULA’s (which are mostly legalese to protect a company’s backside from litigation), the copy relating relating to information privacy is vitally important, because the genie can never be put back into the bottle.

  • Pingback: Where’s the Money? Episode #2: Is Path on the road to revenue? | UNTETHER.tv()

  • True, but that issue is not specific to piracy. The legal system has evolved to the point that wording of basically everything in a contract or legal document is difficult to interpret by the average person. Changing that would be good for everyone, the obscurity of the privacy clauses in the documents is a function of the greater issue of the document structure companies are required to use by law.

  • Pingback: Facebook has more than one mobile problem | UNTETHER.tv()

/* ]]> */