The Sorry State Of Online Privacy


The Cloud is looming large, offering us ways to store and share our data in ways that were never before possible. We can effortlessly share our documents and photos with our families and friends, while maintaining control over their spread using powerful granular privacy controls. But it’s quickly becoming clear that the cloud isn’t ready for us. Because the services we rely on are letting us down with a frequency that is simply unacceptable.

I’ve been putting this post off for a while, mostly because I didn’t want to point to a single breach and call it a trend. But in only the last two months, we’ve covered at least three major web services that suffered security lapses tied to software bugs or scaling issues. In our posts covering these problems, one of our commentors will inevitably say something along the lines of, “that’s what you get for uploading your data to X service“. And the more problems I see, the more I’m beginning to agree with them.

For a recap, let’s revisit some of the problems we’ve recently seen.

In March I wrote about a bug in Google Docs that would share your files with people whom you’d never given access to. Granted, it would only share these files with contacts you’d previously interacted with, and not the entire world, but this did little to ameliorate the issue – in some cases it would be better to share a supposedly private document with a stranger than a coworker.

Two weeks later, we were alerted to a bug on Facebook that would allow users to circumvent any ‘limited profile’ lists they’d been placed on by their friends. For example, if you had placed your boss on a ‘Limited’ profile list so they couldn’t see your latest party photos, they’d be able to get around it. This ‘exploit’, if it could even be called one, was so easy to carry out that I’m sure many people did it accidentally.

Finally, earlier this week Twitter posted a note to its Status blog saying it was having issues with “misdelivery of direct messages”. In other words, some supposedly private messages were being routed to the wrong users. Given Twitter’s problems with bugs in the past this didn’t come as a huge surprise, but it’s unnerving nonetheless.

When faced with such security lapses, most services try to downplay them by pointing out how few people (relatively speaking) were affected. In the case of the Google Docs issue, Google promptly explained that only .05% of all documents were wrongly shared. But when we’re talking about userbases of millions, even an apparently trivial percentage becomes significant, with thousands of people affected. What’s worse, I’m sure this sort of phenomenon is far more common than we realize. The other services involved just aren’t big enough (or honest enough) for anyone to notice.

So why is this happening? There seems to be an accepted notion among many engineers that as their service scales, there is no way that it will be 100% secure. To some extent, I acknowledge and agree with this. Very smart people are always going to be trying to access valuable data by whatever means necessary, and complex security exploits are unfortunately a fact of life on the web. But that doesn’t mean that it’s acceptable for the service to wrongly share user data simply because of a bug. It’s the difference between having your bank apologize for losing your money because someone robbed it, and it telling you that the teller accidentally withdrew a few thousand dollars from your bank account and handed it to someone else. This sort of thing just can’t be happening.

My real issue with these security lapses isn’t so much about the misdirected messages or the wrongly shared photos – the odds of these being truly damaging really are quite low. It’s that these problems serve to undermine the public’s trust in ‘the cloud’. Once we get past the security problems, having our data immediately accessible no matter where we are is incredibly valuable – and probably inevitable. It’s only a matter of time before our health records are going to be stored online in some form, simply because having instant access to them can be lifesaving. But if the public loses faith in the integrity of their data stored online, or the security measures protecting it, then it could take years to regain its trust.

So what can we do? Though I’ve dabbled in programming for years, I unfortunately am not an engineer by trade (a fact that I’m sure opponents of this post will promptly point out to show that I can not possibly know what I’m talking about). But the answer seems clear regardless. If an application is cracking under load, or is too complex for its own good, then new signups and features should be put on hold until the damn thing actually works properly. The word ‘private’ should not mean “this will remain hidden until we accidentally break something”.

To close, I want to make clear that I understand that these engineers are dealing with extremely difficult problems, scaling their incredibly complex services at unprecedented rates. And I respect the hell out of that. But the more often issues like these pop up, the more the general population is going to distrust the security protections of these online services, no matter how good they eventually become. Which is why we need to sort these problems out now.

Image by Subcircle/Nick Carter, via Flickr

More TechCrunch

Consolidation is here in cybersecurity, as bigger players in the space pick up startups that will help them grapple with the ever-expanding attack surface for enterprises as they move more…

CyberArk snaps up Venafi for $1.54B to ramp up its machine-to-machine security

Founder-market fit is one of the most crucial factors in a startup’s success, and operators (someone involved in the day-to-day operations of a startup) turned founders have an almost unfair advantage…

OpenseedVC, which backs operators in Africa and Europe starting their companies, reaches first close of $10M fund

A Singapore High Court has effectively approved Pine Labs’ request to shift its operations to India.

Pine Labs gets Singapore court approval to shift base to India

The AI Safety Institute, a U.K. body that aims to assess and address risks in AI platforms, has said it will open a second location in San Francisco. 

UK opens office in San Francisco to tackle AI risk

Companies are always looking for an edge, and searching for ways to encourage their employees to innovate. One way to do that is by running an internal hackathon around a…

Why companies are turning to internal hackathons

Featured Article

I’m rooting for Melinda French Gates to fix tech’s broken ‘brilliant jerk’ culture

Women in tech still face a shocking level of mistreatment at work. Melinda French Gates is one of the few working to change that.

21 hours ago
I’m rooting for Melinda French Gates to fix tech’s  broken ‘brilliant jerk’ culture

Blue Origin has successfully completed its NS-25 mission, resuming crewed flights for the first time in nearly two years. The mission brought six tourist crew members to the edge of…

Blue Origin successfully launches its first crewed mission since 2022

Creative Artists Agency (CAA), one of the top entertainment and sports talent agencies, is hoping to be at the forefront of AI protection services for celebrities in Hollywood. With many…

Hollywood agency CAA aims to help stars manage their own AI likenesses

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions

When Jeffrey Wang posted to X asking if anyone wanted to go in on an order of fancy-but-affordable office nap pods, he didn’t expect the post to go viral.

With AI startups booming, nap pods and Silicon Valley hustle culture are back

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

A new crop of early-stage startups — along with some recent VC investments — illustrates a niche emerging in the autonomous vehicle technology sector. Unlike the companies bringing robotaxis to…

VCs and the military are fueling self-driving startups that don’t need roads

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI moves away from safety

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

3 days ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

3 days ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’