The Path Fiasco Wasn’t A Privacy Breach, It Was A Data Ownership Breach

The upstart social networking app Path got in some very hot water recently when it was revealed the company secretly copied all its users’ iPhone address books to its private servers. The virtual postcard app Hipster got called out for the same thing. They aren’t the first to get caught doing this, and they won’t be the last. Mike Isaac, writing in Wired, explains why:

“Some social media companies, including Path, subscribe to a philosophy that says access to your personal data — if used safely and in the right way — can only improve your experience.”

Here’s the thing: Path is right. Personal data can make social experiences better. Knowing who my friends are can only make it easier to build a friends list. That said, there are a number of privacy and ownership issues tied up in who is allowed to share my friends list, with whom, and under what context.

On its face, the Path+Hipster dust-up looks like a series of privacy and/or Terms of Service violations. As Dustin Curtis puts it:

“[T]here’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission, to remote servers and then store it for future reference. It’s common practice, and many companies likely have your address book stored in their database. Obviously, there are lots of awesome things apps can do with this data to vastly improve user experience. But it is also a breach of trust and an invasion of privacy.”

Actually, it’s not a privacy violation. A breach of trust, sure, but not a privacy violation. Nobody using Path, Hipster or almost any other social networking app could reasonably conclude that those apps couldn’t see their address books. And we’re not just talking about the notification screens you get when those apps are installed. Simply using those apps is a giveaway they know who your contacts are, if only by the friend suggestions they make.

No, the mistake Path and Hipster (and who knows how many other companies out there) made is in assuming that because they can see your data, they get to keep your data. This wasn’t a privacy violation. This was an ownership violation.

You can use my data to benefit me, to help me find my friends and improve my experience. You don’t get to use it to build a contacts list for your exclusive benefit, and you certainly don’t get to do so without asking me first. This is fundamentally different than a privacy breach, and the distinction is not insignificant.

Think of it this way: Just because I lent you my car that one time doesn’t mean you can borrow again it without asking me first. Me lending you my car once doesn’t make it your car. Path was invited by users to take their address books for a little road trip, but then it snuck into the garage and took it for a spin every night without asking.

Now, Path has apologized and deleted the user data. Hipster has gone one better, asking for an “Application Privacy Summit.” And, of course, the perfunctory demands for clearer EULAs — which nobody reads, no matter how clear they are — have made the scene. These are all half-measures and distractions.

What’s needed is a clear understanding that access does not equal ownership. Even if I leave the keys to my car out in the open where anyone can grab them, actually using them to open my car without permission is still a crime. Too many companies — and too many users — seem to have forgotten that.

The data you create belongs to you. How it gets used is your decision. This is the fundamental principle of data ownership. Until we make data ownership rights a priority, Path won’t be the last company to copy personal data, they’ll just be the latest ownership violator to get caught.

Don’t get Pathed. And, as always, have a good backup plan.