Friday, February 10, 2012

Just How Dangerous Is Path Really?

Considering that I recently posted a glowing review about the iPhone app, Path, the other day, I felt it was important to address the recent security hullaballoo that they created, even if it does wander a bit away from my usual topics.

Adding friends in Path

There's a lot of FUD out there regarding Path. You can read the Gawker article on it where they set themselves up as bastions of integrity offended by the very existence of Path, or you can read the original blog article by Arun Thampi and Path's response.

As far as I understand things, in order for Path to see if friends and family of yours are on Path, they need to cross reference your address book with their database. Phone numbers and email addresses are how they tell one John Smith apart from another. It's how they know which John Smith to recommend to you. Where Path erred was in not letting people know this was how they did their matching magic. Also, they used a built in iPhone developer command to download the entire address book onto their server the moment folks signed up to the service. Whoops.

As convenient as this user search process is, it is unnerving to have family members' contact information on Path's servers. Many people weren't just unnerved, though. They became unglued. As is usually the case with online fury, there was a lot of saber rattling. I'm glad Path deleted that database as a gesture of good will. However, they could have created encoded hashes for each entry to make comparisons with, and not kept our data on their servers in plain text. With corporate servers being the happy playgrounds of hackers, people were right to be upset that their address book was residing somewhere on Path's premises. Of course, many of these same people used Facebook, Google+, and Twitter to voice their complaints. Many of these same people sync their address book to a cloud, whether iCloud or others. Each company has taken flack for privacy issues. Each one has access to their users' address books. The train has already left the station and Path's not at the helm.

As we all move online, I don't see how this type of info sharing is going to be avoided. And people staying with Facebook or flocking to Google+ isn't going to be the answer. Those services are hardly stalwartly examples of privacy ethics. Google+ is now integrated with your Google search results. You do realize that Google tracks your search usage, right? And Facebook just got themselves into hot water for allowing Politico unprecedented access to user info. Where is the mass exodus from Facebook over that one? Where there just not enough tech pundits complaining about it?

Short of turning off the internet and using stamps and envelopes again, perhaps what would be helpful is if companies stopped being cavalier with our personal data. On the iPhone, Apple should let us flag certain address book entries as private so that we have control over what information companies have access to. Does Facebook need to access my daughters' phone numbers to help provide me better social connections with them? Does Path need to keep a copy of my actual address book in order to help me connect with others on their network? Why on earth would Apple allow just anybody to request a complete download of our address books anyway?

Lifting the torches and clamoring for the heads of one company over the other won't solve this problem. The problem starts with the makers of our phones and computers. They need to give us tools to help us retain ownership of our data. Marketing data is a major driver of commerce. There is a lot of abuse out there, but there is a lot of harmless, even helpful use out there, too. Still, it's a tricky issue. I don't care if Smith's knows I buy a lot of Zone bars, but I would care if they had a dossier on which child of mine shared them with me. As consumers we like convenience, but privacy is still important to us.

As for Path, I will continue to use the service. It's stylish and beautiful—wrapping Instagram, Twitter, and Facebook all into one package. The new update gives us an option to opt out of sending our address book to their servers. You just won't be able to scan their user list and run a comparison with your address book anymore. In the future, though, I would hope Apple focuses on these issues. I'd like to see them address consumer security as efficiently as they've recently addressed enterprise security.

Follow me on Twitter as @SplinteredMind. I also explore iPhone photography with Instagram as douglascootey (peek). And if you're a glutton for punishment you can friend me on Facebook as well, or find me on Path where I explore my coping strategy process with varying results.