Good for the most part, but does anyone feel like they deliberately left out what it was they're apologizing for?
I can imagine a user unaware of the recent event stumbling across this article and leaving confused about what wrong was committed. They sort of just assume you knew what happened, instead of explicitly explaining what they'd been doing.
But, they're taking steps to resolve the issue, apparently; so good on them.
"We made a mistake. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts."
Dave explained the issue well enough in the first paragraph.
I don't think that explains anything to someone not familiar with the scenario. It doesn't say how they handled transmission and storage of phone contacts, just that they did it in a bad way.
I don't think it's intentional, though. When writing this I doubt the audience in their minds were the people who don't know about the issue.
Given that they've removed all the data and updated the app, I'm not sure it's necessary that they give highly granular details as part of the apology.
That was a deliberate mistake. at the first they said it's not a big deal (just like Airbnb did) but then when they saw the social media getting on fire they apologized.
Better they should not have done it, but good they took measures.
If you put yourself in a user's shoes that doesn't know what the issue was then that is still generic. As a user who doesn't know the story I'd be wondering:
- Did they get hacked and now some unknown party may have the contents of my address book?
- Were they selling my information to others?
- Did something happen as it relates to storage that mixed up or deleted information
- Was my data being transmitted in the clear
- Was mt data being transmitted without my knowledge or approval?
Two of those things did happen but the user doesn't know for sure. To be fair though, I think their statement was enough. They really don't have to go into more details unless the situation calls for it and it doesn't right now. Those who know get the apology they deserve and those who don't continue using Path as if nothing ever happened. Win win.
Paragraph four, which answers questions 2 and 4 in your list and suggests that the answer to 1 and 3 is "No":
"In the interest of complete transparency we want to clarify that the use of this information is limited to improving the quality of friend suggestions when you use the ‘Add Friends’ feature and to notify you when one of your contacts joins Path––nothing else. We always transmit this and any other information you share on Path to our servers over an encrypted connection. It is also stored securely on our servers using industry standard firewall technology."
The actual problem was number 5, and they tell you exactly how they are fixing this: by deleting all existing data and letting people opt in to sharing it.
Actually, in the blog post by the guy who discovered that, he said he was able to read the data - meaning that it was transmitted NOT encrypted (please correct me if I am wrong).
Also, I hope that their "industry standard" firewall is better than their "industry best practices" data sharing practices.
Speaking as someone who has never heard of path before today I have no idea what they are apologizing for, and I'm scanning the HN comments hoping someone will list some background.
I can imagine a user unaware of the recent event stumbling across this article and leaving confused about what wrong was committed. They sort of just assume you knew what happened, instead of explicitly explaining what they'd been doing.
But, they're taking steps to resolve the issue, apparently; so good on them.