March 9, 2012 at 1:44 PM ET
Highlight — an iPhone app which notifies you when friends (or strangers with mutual interests) are nearby — is the darling of this year's South by Southwest tech and media conference. But there's just one problem: The app is a nightmare for anyone concerned about his or her privacy.
As Parker HIggins of the Electronic Frontier Foundation (EFF) explains, Highlight requires a connection to its users Facebook accounts as well as access to their iPhones' location features. It uses the data collected from those sources to connect you to fellow Highlight users of interest, but "unlike 'check in' services like Foursquare, Highlight collects and shares location data with other users continuously unless [users] manually pause it."
And since Highlight and its developer's website fail to provide any kind of privacy or data retention policy, we've got a recipe for trouble, Higgins writes:
It doesn't take much imagination to figure out how sending such a steady stream of location data to a third party with no posted privacy or data retention policy could go very wrong: the application could be indefinitely storing location histories on their servers for every user, including likely interactions between them. Further, Highlight has access not only to locally stored personal data but also can access the Facebook photos, profile details, and other data on that service.
As if that arrangement isn't enough to make one uncomfortable, things actually get worse, as TechCrunch's John Biggs recently learned. You see, if an acquaintance decides to "invite" you to download Highlight using the app itself, your phone number will be exposed to anyone who is invited by that individual at the same time:
I got a text message at about 8:39 [a.m.] from Highlight, the hot new social network thing that will disappear once everyone digests the last of their brisket on the plane ride home from SXSW. The SMS was pretty innocuous (“Download the app!”) but it included a list of 141 phone numbers. Had iOS been able to handle sending messages to 141 people at the same time, I could have made a lot of fun new friends this morning by texting a bunch of ridiculous stuff to strangers.
While annoyed by the situation, Biggs doesn't feel as if Highlight deserves all the blame:
After some discussion, it turned out that the Highlight app had sent the SMS on behalf of a PR guy a know, a person I trusted with my contact information (if trust is the right word here) and who, in a sense, did a data dump with the help of a standalone iPhone app.
He selected 141 phone numbers to SMS and the app did his bidding, albeit on behalf of Highlight. Had he selected 3,000 phone numbers, I’d have a list of 3,000 free numbers right now, but he was the one who pressed the button that sent me the message, not Highlight. Highlight put the gun in the room. He pulled the trigger.
EFF's Higgins isn't quite so quick to shift blame from the app to its users though. While he acknowledge's that Highlight's creators are "probably well-intentioned" and that "their practices seem to be common in the world of mobile app development," he doesn't think we should look the other way:
App developers need to think about both policies and practices from a privacy perspective, and do their part to respect their users from the ground up. Highlight may yet come out of South by Southwest as the most-buzzed about new service. But unless they remedy their privacy problems, they could be undone just as quickly by another privacy scandal.
Want more tech news, silly puns, or amusing links? You'll get plenty of all three if you keep up with Rosa Golijan, the writer of this post, by following her on Twitter, subscribing to her Facebook posts, or circling her on Google+.