X

Path and the disclosure dilemma

Path underdisclosed what it was doing with your address book; Pinterest didn't alert users it was making money from their links. Well, what did you expect? And was it so bad?

Rafe Needleman Former Editor at Large
Rafe Needleman reviews mobile apps and products for fun, and picks startups apart when he gets bored. He has evaluated thousands of new companies, most of which have since gone out of business.
Rafe Needleman
3 min read

Was Path's data privacy flap so bad? Or Pinterest's revenue revelation?

These Web ventures have both taken heat in the last day or so because they were doing things with their users' data or activity that those users didn't sign up for. I mean that literally. Implicitly, it's a different story.

 
Path CEO Dave Morin apologizes for uploading your contact data. Screenshot by Rafe Needleman/CNET
When people signed up for Path (before today's update), they didn't see a disclosure statement to the effect of, "We read your phone's address book and correlate it with other users' address books that we've read in order to connect Path users together." Moreover, there was no opt-out, at least on the iPhone version of the app.

Should Path have provided a disclosure? Or made an opt-out part of the sign-up process?

Of course it should have. And now it has.

But will anyone read it? Would you, if this wasn't a news item? Do you need Richard Dreyfuss to read you a EULA before you'll pay attention? Be honest. What most people do when they're all hot to use a new service is to blast past the terms of service page, if there is one, or any authorizations that pop up when an app asks for access to pieces of the user's account from a connecting technology like Facebook, Twitter, Android, or iOS.

The whole idea of a thing like Path is to connect your account to your friends' accounts, and the easiest, most hands-off, most Apple-like way to do that is to entrust Path with certain data. In this case, your address book.

I'm not saying that what Path did was right. In fact, it may have busted Apple's own terms of service for apps. CEO Dave Morin apologized, and Path is erasing the data it got without disclosure. He learned his lesson.

But I think users learned a lesson as well: If you're using a social network, your data is being shared. Because that's the point.

In the case of Pinterest, the issue is using customer activity to generate revenue: When a user posts a link to a product from a vendor who has an affiliate program, Pinterest slaps an affiliate tracking tag onto the link. Then, if someone later buys a product via that link, Pinterest earns a commission.

Affiliate arrangements are standard on the Web. Alicia Navarro, the CEO of Skimlinks, which provides the affiliate linking technology to Pinterest, told me she has 20,000 customers. She (naturally) sees nothing wrong with the affiliate link model.

Sites need to make money. And making money directly from links that users put up for free? Genius.

Now, in the interest of openness, Pinterest definitely should have told its users that it will make money from their activity, and specifically how. Had the company done this, it is unlikely it would have made much difference to Pinterest's early success.

So when it comes to how networked consumer services work, how much should be disclosed? In these recent cases, both Path and Pinterest clearly under-disclosed. But when you over-disclose you end up with the same effect. Nobody reads about what you're doing when they sign up, and they're surprised when they find out. The big difference: The developer's butt is covered.

What should users expect? Developers are going to continue to push things, socially and economically, because they need to, to get traction. But it's the platform vendors who end up as the final safeguards of our data. Apple has its rules (which I bet will change when it comes to sharing address book data), and Google already makes it a little harder to slip a sharing function past a user who's installing a new Android app. Facebook also enforces a disclosure step when users add a new app or use Facebook Connect.

The platform guys have the tough job of enforcing data sandboxing while at the same time encouraging cross-app and cross-network connections, because that's where the value is for the app developers.

And users really need to get this: You don't get something for nothing. Even companies that really have their users' best interests at heart, and I include both Path and Pinterest in this category, can't give you great free services for nothing. In a highly competitive, fast-moving tech economy, they're likely to get a little sloppy. With your data.