Wednesday, February 13, 2013

Not the same old Google

Remember when Gmail launched and Google told us about the architectural barriers standing in the way of your personal data ever getting out of their deep dark well while they analyzed it? They made sure to anonymize you completely before passing your content to their analyzer, and so on. This way, nothing personal about you could ever escape.

According to an Australian app developer, he was able to see a list of all the people who bought his app. The list included approximate locations and emails; the developer says it would be trivial for him to, for example, harass anyone who gave his app a bad review. Assuming his claim is true, this is an interesting failure. It's not just a simple bug, after all. It means that architectural safeguards like those claimed around Gmail are no longer in place. This suggests that they no longer value our privacy as deeply as they once [claimed they] did.

Update: Apparently the above is by-design behavior, because the apps are not sold by the store, but rather by the developer, through the store. I can accept this as a business decision, though I still find it a little odd. In most other stores I can buy an item anonymously (just walk in and pay with cash). I guess it comes down to whether people are actually aware that their info is sent to the app developer. While it is stated in the terms of service, if it's not commonly known, I'd argue it's still an iffy model. Given that it made the news, it seems this is not commonly known.

Other incidents, such as Street View cars collecting WiFi and device information, were swept under the rug as bugs in the Street View programming. I think it's pretty hard to accidentally log things you never intended to log. It could be a bug that they didn't remove the logging despite intending to, but making the data public suggests otherwise. At the very least they didn't carefully scrutinize what they collected, and more likely they were hoping no one would raise a fuss. Android phones tracking user locations over time were also dismissed because the data was anonymized. Magnus Eriksson's questions rightly include: "what internal processes are used to vet any possible privacy concern?"

At worst, this is a symptom of "serving ads for dollars, no matter the cost". At best, it means that incidents like this will keep happening and we can't treat them as a premier secure partner.

Regardless of intent, continued sloppy handling of sensitive information should lead us to a single conclusion: they just don't handle your personal information in a way you can trust.