Founders and Funders: Stop Screwing Users on Privacy

by Ryan Singel on February 13, 2012

Michael Arrington comes to the defense Sunday of one of his Crunchfund portfolio companies, Path, arguing that the New York Times‘s Nick Bilton is just piling on after Path “showed its belly” by apologizing for secretly copying and storing its users’ contacts in a company database.

But Arrington’s just wrong – it’s not piling on – and just because Path apologized, that doesn’t mean that it or the industry should get a free pass.

Bilton’s main point is spot-on: Path CEO Dave Morin, a Facebook veteran, should have known and did know that secretly copying users’ contact information was wrong and that his behavior is becoming all too familiar in the Valley.

Set aside Morin’s tenure at Facebook. Simply look at this exchange with Gawker in regards to the same issue with the first version of Path – where Morin states “Path does not retain or store any of your information in any way.”

Knowing that was an issue, Morin went on to launch a future version that secretly plundered the contacts from users’ iPhones. Path didn’t  even bother to use hashes to protect the data and stored it on their own servers in plain text. Path isn’t even using encryption to keep contact data on their servers, instead saying it’s protected with an “industry standard firewall,” which is just laughable to anyone who has followed the exploits of Anonymous over the last year.

But Arrington says it’s time to let up on Path because the company apologized and deleted the data. After all, Morin thought he could solve the problem by saying Path was being “proactive” in building a consent mechanism into upcoming versions of the app.

Bullshit. It’s time to stop letting start-ups and big companies (I’m looking at you, Google and Facebook) pretend they don’t understand basic fair information practices and then just “apologize” later after backing slightly off a huge insult to user privacy.

For start-ups that don’t know – the rules are really simple and basically boil down to “Don’t be a secretive asshole.”

Fair Information Practices have been around since the early 1970s. There are five of them. Notice, Choice, Access, Security and Redress. Basically that means you tell people why and how you collect data and what you do with it. You give them a choice about whether to provide it and a way for them to see/correct/delete. You use real security (e.g. in Path’s case, if they didn’t use MD5 hashes instead of collecting the plain-text, then the database should be encrypted and access to the database should be extremely limited inside Path). The company should also say what it plans to do if it violates that agreement.

This stuff is extremely basic, and Bilton is right to continue criticizing Path after it showed its belly. Path (and other apps) made the decision to blatantly abuse their users’ trust, *exactly* because it thinks it can be like Facebook and just ride out the storm after an apology, if they got caught.

As Bilton writes:

<blockquote>It seems the management philosophy of “ask for forgiveness, not permission” is becoming the “industry best practice.” And based on the response to Mr. Morin, tech executives are even lauded for it.</blockquote>

Instead of lecturing Bilton on being mean to Path, Arrington ought to be wondering why the hell he invested in a company that has absolutely no respect for its users, their privacy and basic standards of decency. Instead, he penned a column about how the net can become a “mob,” and what a shame it is that you can’t reason with a mob.

While I’ve always appreciated Arrington’s passion for start-ups, I find it very disturbing that he considers the users who raised their voices after being betrayed by Path on its march to the big bucks a “mob”. They aren’t a mob – and while they may not get every detail right, the people we call “users” are usually smart enough to know when they are being screwed.

And they got screwed, intentionally by a company you invested in, Michael. That should worry you more than a column from Nick Bilton.

Related

{ 1 comment… read it below or add one }

Christopher Lomas February 13, 2012 at 8:32 am

Couldn’t agree more! Sites should also declare if they are making money from your activity, which Pinterest has recently revealed to have been doing, which is perhaps lesser known: http://j.mp/ypDmKn

Reply

Leave a Comment

Previous post:

Next post: