How sorry is Path, really?
Badly behaved iPhone app developers have been issuing grovelling apologies this week, after they were caught uploading peoples' address books without permission. The CEOs of photo app Hipster and social network Path both said sorry for purloining users' contact lists.
“We are sorry", said Dave Morin, co-founder and CEO of Path, in a blog post. He explained that users selecting the ‘Add Friends’ feature had their address books uploaded to its servers without permission. This feature is designed to help you find buddies who are also using Path, and to be alerted when your friends join the service. Unfortunately, the service uploaded the full names, emails and phone numbers of all the users' friends to its servers, and then stored them without the user's permission.
Hipster did the same, but with some variation. It didn't store users' address book information on its servers–but it did upload them in an unencrypted form, meaning that they were passing over the Internet in plain text and would be relatively easy for an attacker to intercept.
“We blew it, we're sorry, and we're going to make it right," said Hipster CEO Doug Ludlow in a heartfelt apology, blogged on Techcrunch.
Both companies say that they're doing their best to fix their problems. They are launching new versions of their apps that will make the address book uploads opt-in. Hipster will introduce encryption for its uploads. Path has also deleted all of the address book data currently stored on its servers, so at least people start with a clean slate.
I'm interested in Path's approach, though, because in his apology, Morin stated that the address book data is “stored securely on our servers using industry-standard firewall technology." He didn't say that the address book data was encrypted on the server, and this is important.
Firewalls can be broken and plaintext data can be stolen. This is how Sony lost a million customer records last year. But encrypting data stored on a server can be expensive, because it takes extra time to decrypt it when you want to use it. So it will be interesting to see whether Path is sorry enough to make the extra investment. I mailed them, and we'll see if and how they respond.
The mistake here wasn't made simply by Path or Hipster, though – it was made by Apple. The company has always maintained an iron grip on apps developers, putting them through a long winded and often opaque approval process before publishing their apps. You would hope that it would have checked for things like this. Why didn't it?
Danny Bradbury, MSN Tech & Gadgets