Foursquare Was Leaking Your Data, Too Busy With Funding To Tell You

Wired says that a few days ago, a white hat hacker found a way to capture the location data of all of Foursquare (which we can only describe, for those who remain unaware of it, as a location-based, social media experiment in solipsism that distinguishes itself by offering Starbucks coupons), even if users had opted out through privacy settings.

The company asked this helpful hacker to give them nine days to fix the problem. After the nine days were up, the company said they’d fixed one of the security holes, but were still working on two others. Then they announced that they got $20 million in venture capital and mysteriously didn’t mention the fact that they’d been broadcasting everyone’s location data to the entire Internet in violation of their own privacy policy. Teehee!

From Wired:

The company also didn’t respond to two separate e-mails from Wired.com Monday and Tuesday, asking for comment. And to the company’s benefit, the news cycle focused on what Foursquare board member and venture capital investor Bryce Roberts tweeted as “the wire transfer heard ’round the world.”

Even after Wired.com’s story on the breach ran Tuesday, the company had no reaction to the news of the breach. The company’s blog trumpeted its big funding, with links to its new office and entreaties for programmers to apply for a job, saying, “Look forward to more great product from us soon … we’re really just getting started.”

In response to a follow-up e-mail Wednesday morning, Foursquare’s PR manager Erin Gleason said the company had been “swamped for the past couple of days preparing for yesterday’s announcement, and your message was buried in my inbox.”

The response is quite telling. Foursquare had nine days to write a simple blog post, acknowledging the hole, explaining the fix and telling users they could opt out in the future and giving credit to Andersen. That’s how responsible disclosure works. But the company didn’t do any of those things.

From that it’s clear to see that Foursquare isn’t focused on its privacy practices, and seems to be ignorant of the consequences of violating its privacy promises to users.

Since the two Wired articles went up, Foursquare has posted a notice to users. You can read it here.

We think the first comment on the apology post sort of sums up the way people feel about this issue:

Translation: A smart hacker we won’t credit (Jesper Andersen) totally busted us violating our privacy policy, but we didn’t say anything until after we cashed the $20m check and we hoped it would just go away. But a blogger e-mailed our funders so we had to put in a real fix this a.m. and write this blog post.

For more about the security hole, check out Wired’s original article.

We wanted to update you on recent improvements [Foursquare]
Foursquare Puts Money Before Privacy [Wired]

Comments

  1. GuyGuidoEyesSteveDave™ says:

    I think this is a non-issue. From what I have read, they are taking the “tell my friends” option, and assuming it’s a privacy setting. It’s not. It’s just a way to check into a location and not have it appear on your “activity” feed. On the location’s page, your picture still shows up as a “who’s been here”. I don’t understand why anyone who uses FourSquare would want their check in at a location to never have happened. Then why check in?

    • mythago says:

      It also doesn’t notify your friends of where you are (if you’re one of those people who checks in when you’re actually present) if you have ‘tell my friends’ unchecked; leaving the option off also greys out the option of telling your Facebook page.

      • GuyGuidoEyesSteveDave™ says:

        That’s why I mentioned the “tell my friends” option. I sometimes turn it off if I’m hitting a usual haunt so I don’t clog my activity feed.

  2. sanjaysrik says:

    You know, I’ve heard the name foursquare and it made so little sense to me that I never bothered to look into it.

    Meh, one more facebooky stupid idea.

  3. iggy21 says:

    I liked foursquare better when it was a recess game :P

  4. qwickone says:

    I have a feeling there will be NO consequences. People get all upset their privacy is violated, but there seems to be very little move away from volunteering all of this information about yourself (whether or not someone/website tells you it’s private). People haven’t really run away from facebook despite all their highly publicized privacy issues.

  5. aloria says:

    Before the plethora of requisite “foursquare is dumb” comments…

    Foursquare comes in handy for me in two ways. First, I have a really crappy memory and sense of direction, so keeping a log of all the different restaurants and bars I have tried is really helpful. For example, a girlfriend and I were having drinks and were in the mood to go to a hookah bar; I remembered a little place nearby I had tried and liked, but not the name or address. Looked it up in my foursquare history, was there in minutes.

    Second, I have friends scattered all across Manhattan and Brooklyn. There have been times where I’m in a particular neighborhood and wouldn’t mind catching a drink with any friends who might happen to be around– foursquare lets me find out that info easily without spamming my entire phone book with “anyone in the LES?”

    Is it annoying when people announce every single place they have been in a day (work, the laundry, the post office, the bus station, the gynecologist, home?) Absolutely. But it’s been a handy little tool for me, despite its reputation as enabling oversharers.

    • sanjaysrik says:

      They invented these really neat things a while ago, they’re called maps. Oh, and there’s Al Gore’s invention of the internet that might come in helpful to look stuff up. I have heard people use it for that.

    • ekthesi says:

      I have a strange recurring dream of using Foursquare as my alibi to beat a murder charge.

    • whogots is "not computer knowledgeable" says:

      I’m with you about the social aspect. Most of my friends have left town now, but I was always delighted when people randomly came looking for me at my default coffee shop. I’d absolutely be on foursquare if that sort of thing was still a possibility in my social group.

      • aloria says:

        That actually happened to me Tuesday. Was stopping by the local karaoke bar for a quick drink and a song… some friends saw I was there and swung by, which made the night a lot more fun. Of course, there are times when I just want to pop into a place for a quick bite and go home… but in those instances, I simply don’t use foursquare.

    • Hooray4Zoidberg says:

      Now it’d be a real privacy concern if you showed up as a location on your gynecologist’s foursquare.

  6. BuyerOfGoods3 says:

    All of your users info, for say…20 mil? Good?

  7. coren says:

    Foursquare is leaking? SUMMON THE AMBER LAMPS

  8. Brunette Bookworm says:

    Yes, it’s a security breach/privacy concern but…how private does someone think their location is on an application whose sole purpose is to track your location and publish it? Your location data is out there somewhere, it just wasn’t clearly stated who was seeing who had checked into a location.

  9. rubken says:

    The issue isn’t limited to the fact that information posted to Foursquare may have leaked. It is also the company’s attitude to the problem. Perhaps Foursquare just know their members don’t give a monkey’s but I think that any platform that relies on the input of users to function should pay attention to issues like this.

  10. DanGarion says:

    The resources used for getting funding and for security are two completely unrelated areas. Why are they being married together as if one is related to the other?

  11. krom says:

    Great time to be declaring software-company legitimacy… when IMO Foursquare’s critical mass is before the end of this year.

    I use 4sq, but there is tons of unmanaged misuse (people adding illegitimate or frivolous locations, employees logging their workplaces, etc.), and rather few legitimate locations offering any kind of benefit to users/mayors. Eventually the lack of real value to people, coupled with the negligent tilt towards blatant dishonesty, will be their downfall. And it’ll happen probably pretty soon, especially if their userbase jumps.

    Also, their model completely depends on lots of people patronizing lots of places lots of times. While I’ve toyed with the notion that FourSquare has helped the economy, it works both ways; if people stop patronizing places, they won’t be logging into 4SQ, especially when there’s very little real value to be had from it unless you’re either an 18-26 deep-pocketed socialite or you just plain cheat.