Path issued an apology after being run through the gauntlet and deleted their collection of user data. They’re going to try to collect it again, of course, but this time they’re going to ask for your permission. And while it all sounds very sincere, they still don’t answer a lot of questions.1 Path on your address book:
We always transmit this and any other information you share on Path to our servers over an encrypted connection. It is also stored securely on our servers using industry standard firewall technology.
That last sentence is awkwardly phrased, making it sound as if they’re storing data on firewalls instead of behind them. It also makes me wonder how much the team at Path actually knows about internet security. According to an interview CEO Dave Morin did with Wired today, it doesn’t sound like much based on them having to hire an security consulting firm:
The problem I’m having with this is that it doesn’t answer the question of how the data is being stored. Is it being hashed? Who has access to it? These questions matter because Path is still going to have access to address books, but this time with your permission.
Privacy isn’t the issue here. Security is. Mobile developers have access to information that is far beyond what traditional privacy bugaboos like Facebook have. As Dustin Curtis points out, these developers have access to a lot of valuable stuff:
I did a quick survey of 15 developers of popular iOS apps, and 13 of them told me they have a contacts database with millons of records. One company’s database has Mark Zuckerberg’s cell phone number, Larry Ellison’s home phone number and Bill Gates’ cell phone number. This data is not meant to be public, and people have an expectation of privacy with respect to their contacts.
It goes beyond emails and phone numbers. Consider home addresses. Now consider that people store information beyond “normal” contact information using the notes field in iOS’s Contacts. I know people who store bank account information, ATM PIN codes and home security passwords in there. Do developers have access to that information? No clue. Does Apple allow them to get that information? No clue. We should know the answers to that, but more than that we should have at least some real idea of how companies are storing the information that we as users are inevitably going to give them in order to see what our friends are doing while we’re taking a bathroom break.
Your phone, by itself, has always felt secure. With an iPhone you can password lock your phone, delete data after a certain amount of time and remote wipe your data if the phone gets stolen.
You can’t remote wipe your info off a server located gods-know-where.
I’m not a security expert and have no idea how companies should enact security standards. But based on the team size of many popular iPhone app developers, I doubt they know a lot about security either. Why wouldn’t a hacker group like Gnosis or some /b/tard try and see what they can get from Instagram or Kik or Path?
There have been some calls on Apple to fix this problem by requiring opt-in alerts from apps, which is fine. Apple’s already been pushing hard to control the experience on phones and this seems like an oversight that’ll be fixed. But what about Android or Windows Phone or bada users? This is a problem that shouldn’t be left to corporate gatekeepers.
While I tend not to be a fan of government regulation on the net, one highly beneficial thing government has done for Internet users has been forcing companies to publish privacy policies that explain what they do with data. If you thought they were doing it for some altruistic reason, think again. They’re doing it because the government (especially California) forced them to.
It occurs to me that perhaps we should start demanding similar statements on security. Opt-in means jacksquat when a database is breached.
I say “sounds sincere” because I hate apologies that say “We are sorry if…” That “if” undercuts things. ↩