The Path to Data Privacy and Security

The advent of social networks and cloud computing have brought with them questions about privacy and security, both from technical and ethical standpoints. This was brought to the forefront again this past week, as many iOS users might know, when a social network called Path was found to be uploading its users’ contact information without notifying them that it was doing so.

The reaction in the online media was pretty much one of condemnation. Certainly Path made several mistakes. First, they should have alerted users that they were going to upload contact information, request permission to do so, and inform them as to exactly why they were doing this and what they were doing with this information. They also should not have sent the information to their servers in plain text rather than as encrypted data, because doing so allows anyone on a public Wi-Fi network to potentially gain access to your contact data if they are sniffing network traffic at the time the contact information is sent to Path’s servers.

What seems to be forgotten in the rush to bash Path, though, is that there are a lot of iOS apps that access this data and send it to servers without notifying the user. Certainly Instagram published an update to their app├é┬áimmediately after the Path revelation which added an alert to users that the app was accessing and uploading their contact data to Instagram’s servers. Obviously Instagram was using this information prior to this update, they just weren’t telling anyone. But they received almost no attention for this. People were too busy focusing on Path instead.

Interestingly, when Instagram released their updated app in iTunes, the addition of a contact data access notification was shown in the change log. However, if you look at either the version change list in iTunes or on Instagram’s web site now, there’s no mention of it. Personally, I find that just as sneaky as what Path was doing. Rather than be transparent about it, apparently Instagram has decided it’s better to not draw attention to themselves.

The real question here isn’t about individual apps or services, but how social networks and any other services with a cloud component need to handle sensitive data such as contact information. Apple has stated that they are going to change iOS such that when an app needs to access contact data, the user will be notified. This type of notification currently exists for applications trying to access location data. But it still leaves open the question of share of responsibility developers have in safeguarding privacy and security of customer information. Sure, Path is the one who was caught this time, but they’re far from being the only ones who felt that access to user data would improve their app without stopping to look at how this might appear from the user’s point of view.

I believe it is incumbent upon application developers to take customer data privacy and security importantly. It needs to be considered priority one, above all other considerations. When Path uploads contact information in clear text, they are putting their customers in a compromising position. Now the person who signed up for Path’s social network is responsible if Path gets hacked and contact information for their friends, family, and business associates becomes public. And Path doesn’t even have to be hacked, since they aren’t even bothering to encrypt the information. Anyone on the same network with a packet sniffer can just grab the data and use it however they wish.

Say what you want about the collective group of hackers known as Anonymous, one thing they have done right is to remind everyone that online information is only as secure as its weakest security link. Information stored on the internet can and will be hacked if it is valuable data that is not properly safeguarded. Anyone storing your information online is responsible for making sure that it does not wind up in the wrong hands or become publicly available unless you specifically wish for it to be.

A lot of people like to characterize Apple as evil and controlling for their walled garden approach to the iOS app store and other business practices, but Apple has consistently rejected handing over user information to third parties without user consent. This was one of the stumbling blocks with publishers regarding bringing magazines to the iPad. The publishers wanted subscriber data, and Apple was telling them that they needed to let the readers opt in to providing this information. Apple consistently seems to safeguard its customer data, while companies like Google and Facebook race to sell it to advertisers.

If Apple is taking this approach, then in my opinion anyone developing any type of social network, cloud application, or iOS or Mac apps needs to follow suit. Respect your users the way Apple does, and you’ll have loyal customers. Abuse their trust by giving away or not safeguarding their data as you should, and people are going to get upset. It’s that simple. Do what Google says, not what Google does, and Don’t Be Evil.

Leave a Reply