Sat 07 December 2019

Decoupling, or: where's my data?

#privacy #ios #android

Privacy, data rights and ownership are hot topics in 2019. The increased focus on these topics grew over the past few years from a few different things. Snowden's 2013 leaks showed the general public that the data you put out there is not as private as once assumed. An increasing number of database leaks over the past few years have made more people aware that not all data on the internet is necessarily safe and secure. Europe's General Data Protection Regulation (GDPR) woke many companies up to legal liabilities of not taking this stuff seriously, and an increasing number of countries and locales are starting to follow suit (examples include Japan's Act on the Protection of Personal Information (APPI), becoming more restrictive, and California pushing through with the California Consumer Privacy Act (CCPA)).

This is all generally net good for consumers. It pushes forward towards building products that have more respect for users and their rights, and normalizes the conversation in the public eye. However, there's an interesting area of study that I haven't seen as much attention paid to, though - back in the early years of the iPhone and App Store, there was an explosion of apps released that took user data and withered on the vine, to to speak. What happened to the data these apps held and had access to?

I started looking at this for an app I had personal experience with: Couple.

What is (or was) Couple?

Couple (originally branded at launch as "Pair") was an app that debuted in the 2012 Y Combinator batch. The general target market was people in relationships: a supposedly closed off, intimate place to chat, leave media, notes, drawings, and thoughts for each other, along with a shared calendar and a map to send each other your location. It described itself in 2014 with the following text:

Couple Homepage circa 2014

An Intimate Place for Two.
Keep all your moments private & make your memories last forever.

You might be thinking to yourself: why would anybody use this? Well, remember that this was 2012 - a few years into the App Store, where various social networks and services were still fighting it out. The appeal of having a special app on your homescreen to differentiate your partner from the myriad of other chats and social networks was very enticing. It launched on Android as well, so it found a decent enough market of connecting people across the two platforms (over 4 billion downloads and seemingly billions of messages).

Now, back in 2012, I was fortunate enough to have met the woman who'd eventually become my wife. She was studying overseas, and I was on a business trip. We started dating. It became a situation that will sound familiar to many people: long distance, an excruciatingly annoying experience when you're utterly infatuated with someone. An app like Couple seemed like a great idea - a way to put more of an emphasis on the relationship than another chat line in your app of choice.

We used it until we were no longer long distance. The app eventually disappeared from the App Store, and while the servers would periodically crash, it seemingly still worked - I know I was able to sync the data to my current phone, and apparently people were using it as late as this year.

Others, like me, wondered about what actually happened to all the data that was on Couple's servers. Note that this thread has a comment mentioning the service had been hacked - I've been unable to verify that this was the case, and as it's one comment on one thread I'm inclined to not believe it until determined otherwise. Take it with a grain of salt.

So what happened here?

If we try to trace this, a few things become apparent:

Now, it's important to state this: the data sent over and stored on Couple's servers was often very personal data. To the best of my knowledge, and having searched quite a bit, there's never been any communication from any owner of Couple regarding what exactly happened to the data. The service 503's now; if you try to delete your account or data from within the app, it simply won't work. Some might consider this to mean it's just gone, but if you've built any service like this, you know very well that there's a real possibility the data is still sitting on some S3 bucket somewhere.

Why on earth is it acceptable that Life360 can spin this back out without any notice beyond a quick tweet? It blows my mind that this just happened without much notice or coverage.

What to do from here?

So, here's the thing - I'm absolutely, totally fine with the service shutting down. I'd just like to know what happened to the data that was held by this service. Former users who trusted the service with their data deserve to know if the new owners were given everything; a transfer like that is not something that should be announced over Twitter alone. The type of content or data that's involved here is very personal in nature - personal thoughts, photos, videos and more.

Furthermore, in a world of GDPR, CCPA and so on, I'd love to know: where does something like this fall? Considering the download numbers that this app did, and given that it was available worldwide... I have to think that it absolutely falls within the realm of GDPR. CCPA comes into enforcement on January 1st, 2020 - around 3 weeks from time of writing this. When the new entity doesn't respond, what's next? Kick this up the chain to state or national agencies?

If someone involved in the app could publicly clarify what exactly happened here, it would do every former user a world of good.

Ultimately, it's worth remembering that the focus on privacy and user rights that we have today weren't always at the forefront years ago. Many services existed then that might still contain your digital footprint, and it's good to review and take stock of these. You don't always know where your data wound up.

Ryan around the Web