Given the tribulations that both Facebook and Twitter have suffered recently over the thorny subject of privacy, one would think that other social media sites have learned from the big guys’ mistakes. Foursquare, however, has just suffered a security lapse, as reported in detail by Ryan Singel on Wired.com.
In a nutshell, the story is this: a white-hat hacker contacted Foursquare last week, claiming that a security hole on the site was making users’ details public, regardless of how they’d arranged their privacy settings. The hacker, Jesper Anderson, built custom software to go through the data on its pages, and scraped around 70% of all the check-ins in San Francisco–around 875,000 of them–over the previous three weeks.
Foursquare immediately responded, saying that they knew there was a bug, and asking for a week to fix it. They also, according to an email, worked on their privacy settings, allowing the Foursquare crowd to opt out of being listed on the pages of each location. What they didn’t do, however, was tell anyone about the leak. Which is fine, until you remember that earlier this week, Foursquare landed itself another $20 million of funding from Andreessen Horowitz.
So, did they tell their backers–which, Andreessen Horowitz aside, include Union Square Ventures and O’Reilly AlphaTech Ventures–about Anderson’s findings? According to Singel, who emailed both the PRs of Foursquare’s partners, both declined to reply to the questions asked. Should they have? Put it this way, there were 20 million reasons not to.
After the Wired article went up, Foursquare posted a list of “improvements” to the site on its blog. Fastcompany reached out to Foursquare founders Dennis Crowley and Naveen Selvadurai. What protocols, we asked, would Foursquare be putting in place to protect for the future? How would the site be “better” than Facebook at privacy? And, given the ruckus that has dogged Facebook on this issue, and Twitter’s recent security lapse, how did Foursquare let this one get past them? Almost immediately an autoreply pinged back from Crowley, saying that he was out of the office until July 10. Selvadurai had not responded by time of publication.
As long as there is social media, there will be security issues. As long as people are interested in social media, there will be security lapses. As long as there are hackers, these security lapses will be made public. Would it be such a bad idea if the dev teams of the various networks got together and built one almighty security quilt, rather than surreptitiously patching the individual holes and hoping that no one puts their toe through it? If they’re not careful, this is the remedy that the FTC will prescribe for them all.