Last week, the social networking service Path found itself in a hotly contested discussion regarding user privacy after Mclov.in discovered the application was uploading user address books without permission. After taking quite a bit of flak on Mclov.in, CEO Dave Morin responded by saying that the data is used to “notify (users) when friends and family join Path. Nothing more.” Path also later issued an apology on the Company’s blog, and has since updated their policy to be an opt-in approach, requiring users to give the application explicit permission before the data is accessed.
Path’s mobile application was discovered to be uploading user information without explicit permission.
You have to admire the reaction of Path: In less than 24 hours, the San Francisco based startup revised their policy and deleted all address book data. The truth is that no organization acts perfectly on a proactive basis; the fact that Path quickly responded to the feedback and discussions by rectifying the issue with updated terms and a speedy solution is what should be remembered.
Startups walk a slippery slope in these situations. For each of these social networks, data is the commodity that drives the service. Facebook makes no money without access to your information. If a user is asked to opt-in to provide info, chances are that privacy concerns will cause hesitation, and ultimately, provide this data at a lower rate. If this hurts the core model of what the startup provides, they run the risk of not gathering the data that makes their service spin. However, the consequences illustrated by Path’s faux pas will likely influence future startups to switch to an opt-in model for providing personal data.
I’m reminded of the old adage “It is better to ask for forgiveness than to ask for permission.” In the case of user privacy, is this true? The reality is that if your app doesn’t ask for permission, the user may never discover it and raise an issue. However, as we’ve seen in the case of Path, the quickly turning online world can spawn an angry mob in the matter of hours. Startups should account for the risks of asking for forgiveness post facto.
The usual Internet lynch mob quickly assembled to crucify Path in the name of user privacy and data integrity. Critics cried out for greater transparency. Is the problem truly transparency? I think not; let’s view this issue through the lens of another recent privacy circus. This one, sparked by a recent privacy shift by Google, was an issue almost entirely because of the transparency involved. I got almost a dozen emails from Google regarding the privacy change as well as notifications on all of the affected sites. Despite complete transparency, Google came under a similar amount of criticism. If Path had disclosed that the application automatically uploaded the info, it’s likely that the level of unhappiness would be just as high. The issue at hand is hardly transparency.
Let’s be honest here: there is no no reason to believe Path had any intentions for being irresponsible with user data. The purpose of the data was to improve user experience and given Morin’s history with Facebook, we know that he is not the type to play loose and fast with user information. However, Morin failed to recognize that this could become an issue and Path has paid the price.
As a user, a certain level of concern should be paid to where you invest your data. Startups can change hands overnight and the intentions of ownership can shape how safe your data is. However, it’s equally important to not confuse a misstep with a serious privacy breach. In this case, Path’s intentions were to help improve the service, but the lack of disclosure created enough negative publicity to cause pause for both users and other startups.