For a country seemingly obsessed with reality television and tabloid journalism, the United States is suddenly very worried about privacy. And I’m not talking about celebrity privacy; I’m talking about your privacy.
For Facebook users, questions of privacy and security are nothing new. In fact, concern over those topics are regularly raised by users and critics alike. Even the Federal Trade Commission has looked into (and mandated) how Facebook handles your private data.
But Facebook is a big fish. Today, there are hundreds, if not thousands, of smaller fish — many in the form of apps for smartphones, which are dealing with the same kind of access to your data that Facebook enjoys but with far less scrutiny.
Last week, one of those new products, a social networking app called Path (founded, perhaps ironically, by some of the people who were at Facebook in the early days) came under fire after a programmer discovered a major issue. Namely, that when you logged into the app on an Apple iOS device — an iPhone or iPad — it automatically uploaded your entire address book to its servers. Without asking.
Ostensibly this was done so you could locate your friends who were also using the service. But if you’re never prompted (which is what most apps do), it looks like a big intrusion.
The discovery was made when the developer used a tool called a “man-in-the-middle,” which could watch what data was sent to and from an application in real time. What he noticed was that the app was sending all of your address book data, in plain text, to Path’s servers. It’s unclear what they were doing with it after that.
As far as invasions of privacy go, that’s a very big one.
The company’s chief executive quickly apologized for the practice and immediately issued an update that removed the offending functionality. Path also promised to delete any data it had stored.
The situation set off a firestorm online among users, app developers and tech bloggers, who hotly debated the practice. Angry members of Path’s network threatened to delete the application, and the media began to investigate just how this was possible in the first place. The assumption was that if one app could pull your contacts without permission, then certainly other apps could as well.
Sure enough, there were others out there. Although many developers have scrambled to squash the functionality, research from a variety of media outlets (including my own, the Verge) shows that the issue is far from over.
But how could Apple allow this to happen?
Although Apple is known for its stringent security and opt-in mentality, in five versions of its mobile operating system, there seems to have been no safeguard against the practice. Even in the Android version of Path, users are warned that their data will be collected before they install the program.
Outraged users weren’t the only people asking questions. This week, Congress issued a letter to Apple with rather specific queries about just how Path was able to pull users’ data without warning.
On Wednesday, an Apple representative said the company was “working to make this even better for our customers,” adding that “any app wishing to access contact data will require explicit user approval in a future software release.”
Problem solved, right?
It’s great if Apple wants to make it harder for people to get your data, but this isn’t really just an Apple problem, an Android problem or even a Facebook problem. Simply acknowledging that you’re going to take data doesn’t make it a good idea; it just means that now we know you’ve got it.
The question we should all be asking is why. Why is it necessary for services such as Path to take or hold our data at all? As several developers and writers have pointed out, there are other ways to capture encrypted data. One method is called “hashing,” which creates specific, anonymous strings of numbers and letters from plain text data such as your name or phone number.
Using that method, applications pulling the same content will get clear matches while exposing zero user data to a third party. Your data stay private, but you’re still able to find your friends within a service.
Hopefully this is the start of a big wake-up call, because it seems clear that we all need to be thinking more seriously about where and how our information is used. If there are better ways to protect privacy, we need to push back hard and make companies adopt those practices. Then we need to keep watching to make sure they stick to it.
When the controversy about Path broke this week, I think people got a little bit scared. And maybe that’s a good thing. In a world where our private lives are increasingly lived online and your most precious information is up for grabs, maybe a little bit of fear is exactly what we need.
Joshua Topolsky is the founding editor in chief of the Verge (www.theverge.com), a technology news Web site.