UPDATE: And, scene.
There’s an elephant in the room.
Lost in all the hullabaloo over the weekend is a more interesting point. We need to do a better job of our homework — MG is right.
It is of course very reasonable to expect that your address book data is on more than 50 servers right now (per Chris Dixon).
How did we get here?
In the walled garden that is iOS, aren’t basic privacy protections one of the conveniences we’re supposed to enjoy in exchange for agreeing to 45 pages of incomprehensible new terms every few months? In Apple we trust.
From section 17 of Apple’s App Store Review Guidelines for developers (it’s behind a developer signup wall and not linkable):
Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.
Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected.
Apps that target minors for data collection will be rejected.
So, why were Path and so many others ever accepted in the first place? Is my address book not deemed to be “about” me? Were Path and others not “requiring” me to share that info?
This all boils down to the lowest common denominator. Some of you reading this are very sophisticated about terms of service, availability of data, and advanced settings. Good for you. Most people don’t care, and don’t bother. And that should be totally okay.
Heck, even this post was boring as shit to write.
Path wasn’t doing anything nefarious, not by a long shot, but it’s the latest in a series of wakeup calls (which, incidentally, make pageview hay) whose collective message is — hey everyone, technology companies know a shitload of stuff about you, and some of them are bound to be evil motherfuckers.
Have you been watching the USPS commercials for…wait for it…mail? They’re the hilarious last gasp of a dying American tradition. Their main argument of course is that mail can’t get hacked (which it can, and does).
And it might be less funny if the commercials were airing during reruns of the Golden Girls, but they’re actually running in primetime. And as idiotic as the USPS has proven itself to be in recent years, we can safely assume that they didn’t drop $103 million on ads last year without a hunch that mainstream audiences might be receptive to the idea that electronic mail (and the Web generally) just isn’t safe.
Nick Bilton is not your guardian angel, not by a long shot. This starts and ends with Apple, not Path. We’re just slowly working our way upstream.
Millions of people put their faith in Apple (misguided or not) and in so doing trust Apple to do the job of vetting apps for basic usability and trustworthiness on their behalf. I don’t want to have to worry about privacy. I shouldn’t have to worry about privacy.
I have spent a shitload of money on a long series of iPhones, and the same goes for my annual expenditures in the App Store. I have always assumed a sort of implicit contract between me and Apple — I give them all of my money, and they give me great technology experiences. End of story.
Every once in a while they take me out to the woodshed, but I like how notoriously choosy they are about what makes it into the App Store (fart apps notwithstanding), and I figure that they’ll always be more hardcore than I am, so it’s a halfway decent bet to outsource to them my own responsibility around personal privacy and data security.
Can you accuse me of being lazy, and wanting to abdicate responsibility for a key personal freedom at a critical juncture of the Web’s maturation? Sure, why not? Go for it.
But if I had actually read those damn 45 pages of Terms, it turns out that Apple actually does promise to hold up their end of the bargain.
In it, they tell me that Apple itself is actually allowed to collect more or less anything it damn well pleases, personal and non-personal information alike:
Personal information is data that can be used to uniquely identify or contact a single person.
Here are some examples of the types of personal information Apple may collect and how we may use it.
It goes on and on — read it all here (skip to Section D).
Third Parties get their own section, and here’s where it gets interesting.
At first Apple says all the right things:
Protection of Personal Information
Apple takes precautions — including administrative, technical, and physical measures — to safeguard your personal information against loss, theft, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction.
But elsewhere it’s a different story — “not my problem, buddy”:
Apple websites, products, applications, and services may contain links to third-party websites, products, and services. Our products and services may also use or offer products or services from third parties − for example, a third-party iPhone app. Information collected by third parties, which may include such things as location data or contact details, is governed by their privacy practices. We encourage you to learn about the privacy practices of those third parties.
In summary, Apple tells developers not to do it (“it” being extracting and storing personal information like my contacts) and then tells users that it’s got it under control and that Apple can be trusted, and then the Terms pass the buck on actual governance of said guidelines and promises — a lot like creating a law and never enforcing it.
Of course, the real takeaway here is that there is absolutely no way to manage and monitor all of the privacy policies that I’m a party to, especially if and as they change. Mr. Graham, perhaps a new RFS is in order?
If not, consider this my own:
I should be able to manage my data the way I manage my health, or my wealth.
The solution is likely some bit of automation, collective intelligence, and expert guidance (i.e. lawyers). I should be able to store those agreements and recall them at any time. When new agreements are issued, key terms should be revealed and discussed. Opt-in and opt-out permissions should be centralized, and maybe I’ll even get to see how my choices compare to the broader population (a potential privacy breach in and of itself, hehe).
Sadly, I can’t see the business model. What’s likely is that government intervention will eventually mandate some sort of data and Terms compliance that spawns a cottage industry of tech solutions for individuals and big enterprises alike, much like Sarbanes-Oxley did almost exactly 10 years ago.
Of course, for Apple it’s always quite simple — just update your Terms as needed (theirs were last updated in October of 2011). There is absolutely zero audit trail of previous policies and no demarcation of changes made, nor any effort to help normal people understand what’s going on.
If I’m a law student, I’m doubling down on Privacy Policies and personal information law as an area of focus — this stuff is going to be how much of the Web’s future gets hashed out, and Congress has already shown a willingness to get involved. Soon tech companies might be as regulated as, if not more so than, say, Visa and Amex.
I have not yet looked into Google’s equivalent policies but I’ll be really curious to find out how they treat these same issues.
Of course, I already know that Google tracks everything I do, aggressively (to their credit they at least made a big to-do about their recent change in Terms, and what was new in them).
Transparency and posturing aside, that glass is already broken, isn’t it? Heck, Do Not Track Plus has 20K users already after launching their Chrome plugin last week. We just assume the worst now, don’t we? Guilty until proven innocent.
Overall, MG and Alexia are absolutely right that this is not about Path, and that the apologies are getting ridiculous.
This is really a story about shifting winds in a storied sandbox, and as many mixed messages as any normal human can manage to sift through — confusion on purpose, and obfuscation at the very most basic levels of how the technology business operates.
I get it that we’re still figuring things out — but this is a particularly inefficient and annoying cocktail to drink.