Saturday, February 25, 2012


Privacy and security are not a big deal in Silicon Valley. Concerned engineers say collection of data, like the address books recently picked up by Path, is not accidental.

Arun Thampi, a programmer in Singapore, recently discovered that the mobile social network Path had been surreptitiously copying address book information from users' iPhones without notifying them.
David Morin, Path's voluble chief executive, quickly commented on Mr. Thampi's blog that Path's actions were an "industry best practice." He then became uncharacteristically quiet as the Internet disagreed and erupted in outrage. Breaking his silence, he did take the time to reply to the actress Alyssa Milano, who was one of hundreds who questioned Path's practices. (His reply to her via Twitter contained his personal e-mail address.)

Mr. Morin seemed unconcerned about how people could be harmed by his company's carelessness. Consider this: Amira El Ahl, a foreign journalist covering the Middle East, said bloggers in Egypt and Tunisia are often approached online by people who are state security agents in disguise.

The most sought-after bounty for state officials: dissidents' address books, to figure out whom they associate with, where they live and information about their families. In some cases, this information leads to roundups and arrests.

A person's contacts are so sensitive that Alec Ross, a senior adviser on innovation to Secretary of State Hillary Rodham Clinton, said the State Department was supporting development of an application that would act as a "panic button" on a smartphone, enabling people to erase all contacts with one click if they were arrested during a protest.

Mr. Morin eventually did bow to pressure with an earnest apology on the company's blog. He said that Path would begin asking for permission before grabbing address books and that the company would destroy the data collected.

And with that, the knife fight turned into a pillow fight. Mr. Morin, who declined to comment, was praised and exonerated of any wrongdoing by his peers in Silicon Valley. On Twitter, he was repeatedly "applauded" and called a "pro." Christopher Sacca, a prominent angel investor, commented to Mr. Morin via Twitter: "Impressed by how you handled the privacy issue today."

Some even asked: What's the big deal anyway?

The big deal is that privacy and security are not a big deal in Silicon Valley. While technorati tripped over themselves to congratulate Mr. Morin on having finessed the bad publicity, a number of concerned engineers e-mailed me noting that the data collection had not been an accident. It would have taken programmers weeks to write the code necessary to copy and organize someone's address book. Many said Apple was at fault, too, for having approved Path for its App Store when it appears to violate Apple's rules.

David Jacobs, a fellow with the Electronic Privacy Information Center, noted that, once again, an Internet company had shown a lack of understanding about the consequences of taking data.

Lawyers I spoke with said that my address book -- which contains my reporting sources at companies and in government -- is protected under the First Amendment. On Path's servers, it is frightfully open for anyone to see and use, because the company did not encrypt the data.

Mary Landesman, a senior security researcher at Cisco, a U.S. multinational corporation that produces computer networking products and services, says start-ups often do not build apps with security in mind: "Attackers are like electricity; they like to follow the track of least resistance."

At Mr. Morin's last job at Facebook, his boss Mark Zuckerberg apologized publicly more than 10 times for privacy breaches.

It seems the management philosophy of "ask for forgiveness, not permission" is becoming the "industry best practice." And based on the response to Mr. Morin, technology executives are even praised for it.

Copyright International Herald Tribune Feb 14, 2012
NICK BILTON