Wired says that a few days ago, a white hat hacker found a way to capture the location data of all of Foursquare (which we can only describe, for those who remain unaware of it, as a location-based, social media experiment in solipsism that distinguishes itself by offering Starbucks coupons) — even if users had opted out through privacy settings.
The company also didn’t respond to two separate e-mails from Wired.com Monday and Tuesday, asking for comment. And to the company’s benefit, the news cycle focused on what Foursquare board member and venture capital investor Bryce Roberts tweeted as “the wire transfer heard ’round the world.”
Even after Wired.com’s story on the breach ran Tuesday, the company had no reaction to the news of the breach. The company’s blog trumpeted its big funding, with links to its new office and entreaties for programmers to apply for a job, saying, “Look forward to more great product from us soon we’re really just getting started.”
In response to a follow-up e-mail Wednesday morning, Foursquare’s PR manager Erin Gleason said the company had been “swamped for the past couple of days preparing for yesterday’s announcement, and your message was buried in my inbox.”
The response is quite telling. Foursquare had nine days to write a simple blog post, acknowledging the hole, explaining the fix and telling users they could opt out in the future and giving credit to Andersen. That’s how responsible disclosure works. But the company didn’t do any of those things.
From that it’s clear to see that Foursquare isn’t focused on its privacy practices, and seems to be ignorant of the consequences of violating its privacy promises to users.
Since the two Wired articles went up, Foursquare has posted a notice to users. You can read it here.
We think the first comment on the apology post sort of sums up the way people feel about this issue:
For more about the security hole, check out Wired’s original article.