the point that’s getting missed with this whole Path thing.
Incase you missed it, Path was caught uploading (and potentially/probably/definitely storing) users’ contact information from their phones without the users’ permission or knowledge. This information was explained to be used for better friend finding in Path, more on that later, while the actual method in finding your friends is an industry standard, I feel most commentary that I’ve been seeing on the matter has been missing the point.
So, what is Path? In a nutshell, it’s a social network that allows you to share every minutia of your day (location, weather, wake, pictures, music, mood, sleep, etc…) with your close friends and family, and they mean close friends and family, as you are limited to just 50 people you can share with. Like many other sites, it’s also got hooks into Facebook, Foursquare, Twitter, etc… so you can then push out from path to all the other services.
Now, what’s happened to path these past few days is nothing new, young and ambitious startup wants to change the world and how people share, overreaches a bit and experiences backlash. But the sides people are choosing and the justifications they are making I find odd. From defending to the status quo, to just making up seemingly unfounded justifications.
It was discovered that upon signing up for the service, Path would also upload your entire address book to their service, “in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more,” says Path CEO Dave Morin. Now, this is all well and good, and is in practice an “industry accepted best practice”. But I think we all knew that, and expected that especially when we click something that says “find friends using this service using my address book.” There is sort of an implied authorization right there, maybe some companies explain this a little better than others, or some send hashes of names and emails instead of actual names and emails, no surprises.
But that’s not what is happening here, upon signing up for the service, you send it your username, password, maybe a profile photo, and the service automatically fetches your entire address book: names, emails, and phone numbers. I think we would agree, that at this point, no explicit or implied permission has been given. When I go to the friends panel and select “find friends from Facebook” I expect that then and there they go and make the call, and that’s exactly what happens, as facebook pops up a window asking me to authorize Path to access my data, but, very importantly, not until I hit that point and make that selection. It’s analogous to: if we’re friends, and you ask to borrow something of mine, I will likely say yes; if you just come over and take it, I will likely be unhappy. Asking is polite, socially acceptable, and the right way to go about it. Path is the acquaintance I barely know coming over to borrow/take something without asking first.
It’s about trust, like many other websites, I trust Path with the data I’ve given it (I mean, I signup for websites using unique email addresses for a reason), but trust is something that is gained over time, I give a little and get something cool back, I give a little more and continue to get cool things back (like when Foursquare reminds me that I go to my local bar entirely too often), this is how the trust is created between the user and the service. Anything I don’t trust Path with, I usually don’t want on the internet anyway and I do what I can to keep off the internet, automatically grabbing at data on my device intrudes on that.
One argument that I’ve seen is that you have to give some data to get a cool service/app in return, and that is entirely valid and I agree; if no one shared anything, all these social networks would be entirely empty. But, this is still the user actively deciding to give data, data isn’t getting taken from them. I’m fairly open with a variety of social accounts: Facebook, Foursquare, Twitter, etc… and I also like to keep truly private things off the internet all together, if a service is prefetching my data off my phone just incase I want to use it, it certainly makes it incredibly hard for me to maintain that personal/public separation. How far do I have to go to maintain this separation? Pen and paper for all personal communications? A hardwired landline phone for truly private usage?
People have compared this to what Google does with data. Which I feel is a bad example, seeing as how much fire Google comes under when it comes to privacy, rather recently: SSID and MAC Address data collection from Street View cars. But I’m choosing to use Google as my search engine, and I can turn off my Web History if I want. I choose to use Gmail, I choose to share things on Google+ (okay, may be not this one), Google isn’t upon my registering for a Gmail scanning my desktop for email to preload into Gmail for me (in order to better serve my import process, of course). Google is also a great example of how short lived the internet’s memory is, remember when they launched Latitude, and the privacy outcry that came with it? Which leads me to believe that Path will get over this, and everyone will carry on… and hopefully learn a lesson. After thinking about it, a Google comparison is terrible, because that company rarely catches a break when it comes to privacy and policy.
Still don’t get the difference? It’s like this, if my friends want to borrow a dvd, I will likely say yes. But they have to ask first, and the exchange goes “Hey Dave, can I borrow that DVD?” and I’ll likely reply “Sure, here you go.” But Path is the person you kinda sorta know and have seen around once or twice that comes over uninvited and grabs a dvd and heads off with it. All you had to do was ask, but now it’s the principle of the matter.
I believe that the problem here is not the process that they used to find a user’s friends, it’s when in the process they did it. I know that other apps have made this sort of privacy blunder before, and this is probably the most public out of any reaction to a smaller startup. But hopefully we all learned something from this. Path has since apologized and went ahead and deleted all the data they’ve collected and are starting a new, this time, making sure the users damn well know what is about to happen.
And if you didn’t know that this is how services find your friends, what did you think happened when you clicked something labeled “find my friends using this service from my Address Book/Facebook/Twitter”? No, users shouldn’t have to know how the internet works, but they should know enough to think critically about what their actions mean.
tl;dr ask me to borrow something, don’t just take it.