Ryan Singel at Wired News has been covering the story of reported breaches of privacy for Foursquare users, and the company's horrible (and horribly slow) response to the matter. It all started on June 20, when the startup received an unsolicited message from a white-hat hacker: it was leaking user data on a massive scale, and violating its own privacy policy:
The company asked the white hat, Jesper Andersen, to give it nine days to deal with the problem that it was publishing all users' location data to the entire web despite its privacy-policy promise to users that "You can opt out of such broadcasts through your privacy settings."
At the same time, the company was wrapping up a protracted and very public finance round that stalled for a while as the company reportedly almost sold itself to Facebook.
So when the nine days were up, the company told Andersen in a private e-mail Tuesday morning that it had fixed the "privacy leak" (the company's own words) by modifying how an existing privacy setting worked, and that it had no solution yet for two other privacy holes that Andersen also reported, saying it was trying to figure out how to balance usability with privacy.
As for its blog, the only thing the company disclosed Tuesday was that it had closed a monster round of financing: $20 million in venture capital from some of the hottest investors in the country. Nor did the company contact users to tell them that it had found and sort-of fixed a hole in its service that violated the promises it had made to users.
Foursquare Puts Money Before Privacy (Wired News)
