Path Now Hashing Data →

Good move by Path — though they didn’t have any choice at this point. I don’t think the story got big enough for the average user to care too much, but they definitely seem to have lost some trust among the early adopters. I think Path has an opportunity here and go even further and be the standard-bearer for educating developers, and users, on data security and privacy, especially in mobile where this issue is going to get bigger. They could pull off a Tylenol moment if they really wanted to.

Path, Instagram and Hipster’s Privacy Policies May Not Be Compliant With the Law

Here’s a snippet from the Online Privacy Protection Act of California, required of all websites or online services that collect information on California residents:

Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

What are those categories?

(a) The term “personally identifiable information” means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

(1) A first and last name.

(2) A home or other physical address, including street name and name of a city or town.

(3) An e-mail address.

(4) A telephone number.

(5) A social security number.

(6) Any other identifier that permits the physical or online contacting of a specific individual.

(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

Now here’s what Path, Instagram and Hipster have for their privacy policies. As far as I can tell, they don’t go into nearly enough detail as required by California law.¹

For Path, I couldn’t find a privacy policy statement from within their app. Here’s whats on their website:

We actively collect certain information you voluntarily provide to us, such as when you create an account and profile, send us an email or post information or other content to our site.

We automatically collect certain information when you use our site and our services, such as your Internet Protocol (IP) address, your operating system, the browser type, the address of a referring site and your activity on our site. We treat this information as personal information if we combine it with or link it to any of the identifying information mentioned above. Otherwise, it is used in the aggregate only.

We may also automatically collect certain information through the use of “cookies” or web beacons.

Instagram’s in-app privacy policy links to their website:

Certain visitors to Burbn’s websites choose to interact with Burbn in ways that require Burbn to gather personally-identifying information. The amount and type of information that Burbn gathers depends on the nature of the interaction. For example, we ask visitors who sign up for an account on http://instagram.com to provide a username and email address. In each case, Burbn collects such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor’s interaction with Burbn. Burbn does not disclose personally-identifying information other than as described below. And visitors can always refuse to supply personally-identifying information, with the caveat that it may prevent them from engaging in certain website-related activities.

I couldn’t find a privacy policy within Hipster’s iPhone app. From their website:

Certain visitors to the Website choose to interact with Hipster in ways that require Hipster to gather personally-identifying information. The amount and type of information that Hipster gathers depends on the nature of the interaction. For example, we ask visitors who sign up for a blog at hipster.com to provide a username and email address. Those who engage in transactions with Hipster are asked to provide additional information, including as necessary the personal and financial information required to process those transactions. In each case, Hipster collects such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor’s interaction with Hipster. Hipster does not disclose personally-identifying information other than as described below. And visitors can always refuse to supply personally-identifying information, with the caveat that it may prevent them from engaging in certain website-related activities.

None of these reflect the fact that these services can collect far more information from you when they access your address book, like your first and last name, telephone numbers or addresses which doesn’t come up in any of these privacy policies. Three things are unclear to me:

• What data they’re collecting from Contacts. It seems like Path and Instagram were scooping up your whole address book at a time, but it’s unclear if they were just focusing on the names or collecting things like home addresses in the process.

• If they have to disclose collecting information on other people in your address book,

• If services that don’t store your data have to disclose this at all due to the “maintain” language in the California code.

By the way, Facebook actually has a pretty decent privacy policy page.

Attacks on Journalists on the Rise →

According to Reporters without Borders, in 2011:

• 66 journalists were killed.
• 1,044 journalists were arrested.
• 5 bloggers were killed.
• 199 bloggers were arrested.

All those represent an increase from the previous year. 2012 looks like it’s going to be worse. In the few short weeks of this year:

• 4 journalists were killed.
• 153 journalists were imprisoned.
• 120 bloggers were imprisoned.

This is why security and privacy are important, and why Path should be treating this more seriously.

How Apps Like Path Could Lead To Imprisonment, Torture or Death →

Nick Bilton in the New York Times:

A person’s contacts are so sensitive that Alec Ross, a senior adviser on innovation to Secretary of State Hillary Rodham Clinton, said the State Department was supporting the development of an application that would act as a “panic button” on a smartphone, enabling people to erase all contacts with one click if they are arrested during a protest.

Also:

Lawyers I spoke with said that my address book— which contains my reporting sources at companies and in government — is protected under the First Amendment. On Path’s servers, it is frightfully open for anyone to see and use.

Bilton’s wrong in stating that address book data at Path is “frightfully open” and, later, that “Path was mining data and storing users’ address books on its servers, and it was also transmitting the data in ‘plain text.’ This would be like mailing a private letter to someone without the envelope.” Data was transmitted over HTTPS which is relatively secure and a reason that Path probably felt they could get away with not hashing the data.

But Bilton’s main argument stands. We don’t know how Path is storing the data and what their security measures are. It’s a serious concern, and as Bilton points out, bad security and privacy measures in app design could get people killed.

Path Apologizes and Deletes User Data. We Still Don't Know Enough →

Path issued an apology after being run through the gauntlet and deleted their collection of user data. They’re going to try to collect it again, of course, but this time they’re going to ask for your permission. And while it all sounds very sincere, they still don’t answer a lot of questions.¹ Path on your address book:

We always transmit this and any other information you share on Path to our servers over an encrypted connection. It is also stored securely on our servers using industry standard firewall technology.

That last sentence is awkwardly phrased, making it sound as if they’re storing data on firewalls instead of behind them. It also makes me wonder how much the team at Path actually knows about internet security. According to an interview CEO Dave Morin did with Wired today, it doesn’t sound like much based on them having to hire an security consulting firm:

What’s more, [Morin] says, his company’s servers are secured behind a firewall, and Morin and his team are meeting with TRUSTe, a privacy policy certification service, on Wednesday afternoon to discuss Path’s measures in keeping user data safe.

The problem I’m having with this is that it doesn’t answer the question of how the data is being stored. Is it being hashed? Who has access to it? These questions matter because Path is still going to have access to address books, but this time with your permission.

Privacy isn’t the issue here. Security is. Mobile developers have access to information that is far beyond what traditional privacy bugaboos like Facebook have. As Dustin Curtis points out, these developers have access to a lot of valuable stuff:

I did a quick survey of 15 developers of popular iOS apps, and 13 of them told me they have a contacts database with millons of records. One company’s database has Mark Zuckerberg’s cell phone number, Larry Ellison’s home phone number and Bill Gates’ cell phone number. This data is not meant to be public, and people have an expectation of privacy with respect to their contacts.

It goes beyond emails and phone numbers. Consider home addresses. Now consider that people store information beyond “normal” contact information using the notes field in iOS’s Contacts. I know people who store bank account information, ATM PIN codes and home security passwords in there. Do developers have access to that information? No clue. Does Apple allow them to get that information? No clue. We should know the answers to that, but more than that we should have at least some real idea of how companies are storing the information that we as users are inevitably going to give them in order to see what our friends are doing while we’re taking a bathroom break.

Your phone, by itself, has always felt secure. With an iPhone you can password lock your phone, delete data after a certain amount of time and remote wipe your data if the phone gets stolen.

You can’t remote wipe your info off a server located gods-know-where.

I’m not a security expert and have no idea how companies should enact security standards. But based on the team size of many popular iPhone app developers, I doubt they know a lot about security either. Why wouldn’t a hacker group like Gnosis or some /b/tard try and see what they can get from Instagram or Kik or Path?

There have been some calls on Apple to fix this problem by requiring opt-in alerts from apps, which is fine. Apple’s already been pushing hard to control the experience on phones and this seems like an oversight that’ll be fixed. But what about Android or Windows Phone or bada users? This is a problem that shouldn’t be left to corporate gatekeepers.

While I tend not to be a fan of government regulation on the net, one highly beneficial thing government has done for Internet users has been forcing companies to publish privacy policies that explain what they do with data. If you thought they were doing it for some altruistic reason, think again. They’re doing it because the government (especially California) forced them to.

It occurs to me that perhaps we should start demanding similar statements on security. Opt-in means jacksquat when a database is breached.

Path and Hash Policies →

Speaking of Path, as the inimitable Matt Gemmell pointed out in the comments section to the blog post that broke the story, one of the other no-no’s Path is doing is uploading the address book data instead of hashing the data and sending that. As Gemmell asks:

Why are you uploading the actual address book data, rather than (say) generating hashes of the user’s email addresses locally, then uploading just those hashes? You’d be able to do friend-finding that way, and similarly if you uploaded hashes of all email addresses in the user’s address book, you’d be able to do your notifications of when a friend joins. At no point would your servers ever need to see the actual email addresses or phone numbers from our contacts.

Hashing is basically a way to encode data and is used as a security measure. Instead of storing “USERNAME” and “PASSWORD” in plain text in a server somewhere that anyone can look at, it stores something like “3740 2365 AHSF” and “7324 HJF8 OHA3”. That’s a gross oversimplification, but not hashing data is one of the reasons the Gawker hack from a year ago was so bad.

We know that Path — and Instagram and every other app that’s got a social component — is storing your address book on their servers. It’s possible that they’re hashing the data already — but that Path is not sending the data as hashes means we can’t assume that they’re treating our data with any integrity. And that’s a much bigger problem than any privacy concerns.

It's Not Just Path →

There were apparently people that were shocked — shocked — to find that Path, the slick, occasionally pretentious don’t-call-us-a-social-network social network was uploading your iOS address book to Path servers.

Among Path’s errors was not notifying users of this, but as Mugunth Kumar has pointed out, uploading your address book to third-party servers is hardly new. Hipster, FourSquare and the über-beloved Instagram all do the same thing, with various levels of skeeziness.

Given the choice, none of these apps would ask for permission. After all, that just increases friction in the sign-up process and these startups have read every possible thread on Hacker News about making user acquisitions as smooth as possible.

But even among the apps that do ask for permission, the question they’re asking doesn’t match what they’re doing. WhatsApp says “‘WhatsApp’ Would Like To Access Your Address Book”. Viber has the slightly more forthcoming “The Viber service needs to access your address book, and sync your contacts list.”

The harm in these notifications is that they sound like they just want to take a quick peek at your contacts and see if any of your friends are using the same app. Of course, that’s not what they’re doing, or even what they want to do. Users probably wouldn’t want this either, as it would make things a lot more difficult to find out when a friend of yours joined Instagram.

But if they were honest these notifications would say, “We want to take your address book and upload it to our servers.”

A message like that is probably going to make people a little more hesitant before pushing “Okay” with their thumb.

Then we’d hit “Yes”. We always do.