Anger for Path Social Network After Privacy Breach - NYTimes.com

Disruptions: So Many Apologies, So Much Data Mining

By NICK BILTON
| February 12, 2012, 11:00 am1
Ed Ou for The New York TimesAn Egyptian youth updates a Facebook page with new information about the protesters in Tahrir Square in Cairo.

Last week, Arun Thampi, a programmer in Singapore, discovered that the mobile social network Path was surreptitiously copying address book information from users’ iPhones without notifying them.

David Morin, Path’s voluble chief executive, quickly commented on Mr. Thampi’s blog that Path’s actions were an “industry best practice.” He then became uncharacteristically quiet as the Internet disagreed and erupted in outrage. Amid his silence, he did take the time to reply to the actress Alyssa Milano, who was one of hundreds who questioned Path’s practices. (His reply to her via Twitter contained his personal e-mail address.)

Mr. Morin seemed unconcerned about how people could be harmed by his company’s carelessness. Consider this: Amira El Ahl, a foreign journalist covering the Middle East, said bloggers in Egypt and Tunisia are often approached online who are state security in disguise.

The most sought after bounty for state officials: dissidents’ address books to figure out who they are in cahoots with, where they live and information about their family. In some cases, this information leads to roundups and arrests.

A person’s contacts are so sensitive that Alec Ross, a senior adviser on innovation to Secretary of State Hillary Rodham Clinton, said the State Department was supporting the development of an application that would act as a “panic button” on a smartphone, enabling people to erase all contacts with one click if they are arrested during a protest.

Mr. Morin eventually did bow to pressure with an earnest apology on the company’s blog. He said that Path would begin asking for permission before grabbing address books and that the company would destroy the data collected.

And with that, the knife fight turned into a pillow fight. Mr. Morin, who declined to comment, was lauded and exonerated for any wrongdoing by his peers in Silicon Valley. On Twitter, he was repeatedly “applauded” and called a “pro.” Christopher Sacca, a prominent angel investor, tweeted to Mr. Morin: “Impressed by how you handled the privacy issue today.”

Some even asked: What’s the big deal anyway?

The big deal is that privacy and security is not a big deal in Silicon Valley. While technorati tripped over themselves to congratulate Mr. Morin on finessing the bad publicity, a number of concerned engineers e-mailed me noting that the data collection was not an accident. It would have taken programmers weeks to write the code necessary to copy and organize someone’s address book. Many said Apple was at fault, too, for approving Path for its App Store when it appears to violate its rules.

David Jacobs, a fellow with the Electronic Privacy Information Center, noted that, once again, an Internet company showed a lack of understanding about the consequences of taking data.

Lawyers I spoke with said that my address book— which contains my reporting sources at companies and in government — is protected under the First Amendment. On Path’s servers, it is frightfully open for anyone to see and use.

The data extraction is even more problematic because it was not protected. Path was mining data and storing users’ address books on its servers, and it was also transmitting the data in “plain text.” This would be like mailing a private letter to someone without the envelope.

Mary Landesman, a senior security researcher at Cisco, says start-ups often do not build apps with security in mind: “Attackers are like electricity, they like to follow the track of least resistance.”

At Mr. Morin’s last job at Facebook, his boss Mark Zuckerberg apologized publicly more than 10 times for privacy breaches.

It seems the management philosophy of “ask for forgiveness, not permission” is becoming the “industry best practice.” And based on the response to Mr. Morin, tech executives are even lauded for it.

E-mail: bilton@nytimes.com

Stephen.Bates | +1 202 730-9760
mobile.short.typos