If the 100,000,000th uploaded file was actually named Startup-Revenue-Forecast.ppt or 2011-Tax-Return.pdf I'm fairly certain that the name or contents wouldn't have been mentioned. I think the fact that it was cat.jpg spawned the idea of referencing it at all, and honestly if I were in their place I would have made the same joke. I think most people would have. But good on them for pulling a reverse Streisand Effect (<a href="http://en.wikipedia.org/wiki/Streisand_effect" rel="nofollow">http://en.wikipedia.org/wiki/Streisand_effect</a>) which frames the discussion in a positive light ("how can we change and do better?") instead of a negative one.
Honestly, people are delusional if they don't think this happens everywhere.<p>I've seen tens of thousands of pieces of private data across all the companies I've contracted for. Data guys need to explore; they need to learn what types of customers use what type of features and why.<p>Heck, I talked to a guy online (didn't know his real identity, or I would call him out personally) who wrote a script that automatically checked his employer's database against outstanding warrants in the US (fuzzy matching first name, last name, city, age) and pulled in 2 to 3 times his salary just from the rewards. That is how bad some people are.<p>What you <i>can</i> trust is that a company almost certainly won't intentionally leak your data to the public, but rest assured that they <i>do</i> flip through it. Some awesome companies will obfuscate the email addresses or company names so that it is much harder to back-calculate who owns what, but honestly, unless a company is promising full encryption on their side, I would just assume they can see everything.<p>If you want real privacy, use encryption (or some other zero-trust protocol); it really isn't that hard to use.
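The comment above mentions companies that "obfuscate the email addresses or company names" before analysts see them. The example below is added here and is not code from 37signals or from any company in the thread; it shows the difference between a naive unkeyed hash, which anyone with a list of candidate addresses can reverse by recomputing the hashes, and a keyed HMAC whose key is kept out of the analytics environment. The key, the customer addresses and the attacker's guess list are all constructed for the example.

```python
"""Pseudonymizing customer identifiers before analysts see them.

Added example, not code from 37signals or any company in the thread.
It shows why an unkeyed hash (sha256(email)) is *not* an obfuscation:
anyone with a list of candidate addresses can recompute the hashes and
back-calculate who owns what.  A keyed HMAC with a secret held outside
the analytics environment defeats that dictionary attack.  The key and
the sample addresses below are constructed for the example.
"""
import hashlib
import hmac
import secrets

# In production this key lives in a secrets store the analytics hosts
# cannot read; a fixed constructed value here keeps the example reproducible.
PSEUDONYM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def normalize_email(email: str) -> str:
    """Canonicalize so one person maps to one token (case, whitespace)."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep:
        return email.strip().lower()
    return f"{local.lower()}@{domain.lower()}"


def pseudonymize_unkeyed(email: str) -> str:
    """Naive approach: plain SHA-256.  Looks opaque, but is reversible by
    dictionary attack whenever the input space is guessable."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def pseudonymize_keyed(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 under a secret key: the same address always gets the same
    token (so analysts can still count and join), but without the key the
    token cannot be recomputed from a guessed address."""
    return hmac.new(key, normalize_email(email).encode(), hashlib.sha256).hexdigest()


def reverse_by_dictionary(tokens, candidates, tokenize):
    """Attacker's view: recompute tokens for guessed addresses and match.
    Returns {token: email} for every token recovered."""
    lookup = {tokenize(c): normalize_email(c) for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


# Constructed sample data: what a data analyst's export might contain.
CUSTOMERS = ["Alice@Example.com", "bob@example.org", "carol@startup.io"]
# Constructed guess list an attacker could assemble (e.g. from a breach dump).
GUESSES = ["alice@example.com", "bob@example.org", "dave@nowhere.net"]


def demo():
    """Returns (unkeyed tokens recovered, keyed tokens recovered)."""
    unkeyed = [pseudonymize_unkeyed(c) for c in CUSTOMERS]
    keyed = [pseudonymize_keyed(c) for c in CUSTOMERS]
    recovered_unkeyed = reverse_by_dictionary(unkeyed, GUESSES, pseudonymize_unkeyed)
    # An attacker without PSEUDONYM_KEY can only try HMAC under a guessed key.
    wrong_key = secrets.token_bytes(32)
    recovered_keyed = reverse_by_dictionary(
        keyed, GUESSES, lambda e: pseudonymize_keyed(e, wrong_key))
    return len(recovered_unkeyed), len(recovered_keyed)


if __name__ == "__main__":
    n_unkeyed, n_keyed = demo()
    print(f"dictionary attack recovered {n_unkeyed} of {len(CUSTOMERS)} unkeyed tokens")
    print(f"dictionary attack recovered {n_keyed} of {len(CUSTOMERS)} keyed tokens")
```

The keyed tokens are still stable per customer, so feature-usage analysis ("which customers use what") works unchanged; what analysts lose is the ability to turn a token back into a person, which is exactly the property the comment is asking for.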
I'm not really worried that 37signals are maliciously going through customer data, because I honestly believe they aren't.<p>However, I'm disgusted by the number of people in this thread that justify the violation of customer privacy because it's what's normal.<p>As an industry, we all face in our sales cycle the fear from customers that we will violate their privacy. Self-regulation by holding each other to account is the cheapest and best way to address the issue.<p>While I would be stupid to believe software vendors don't look at my data because I know better, that isn't my expectation.<p>It's not my expectation that my lawyer, my accountant, my doctor, my therapist, my social worker, or my librarian trade on or reveal or delve through my private information. That's why they as professionals are licensed and self-regulated by their professional colleges.<p>As information professionals, we should act professionally with information as well. This is not crazy talk. We also see credit card numbers and personal information stolen every month. Last year over 100 million credit cards had to be reissued due to data theft. That's why the card industry created PCI compliance to self-regulate the industry, as imperfect as it may be.
While the tone of the post is fantastic, I can't quite believe that anyone would be as offended as they suggest. I would <i>like to believe</i> that people can apply common sense to this situation and realise that they disclosed 'cat.jpg' exactly because the name was entirely inoffensive and anonymous.
This is why our policy at Fog Creek is to explicitly get permission from users before accessing their data. It's enforced by the sys admins (which we screen more extensively during the hiring process), who give temporary access to the person who needs it once the user has given their permission. When we're done, the sys admins remove access to that account again.<p>It's a pretty painless process (we have snippets to ask permission from the user and shortcuts to request access from the sys admins) and it helps prevent both willful and accidental leakage or modification of our users' data.
37signals really doesn't want to be the bad guy. They're not. And this whole thing is ridiculous. If you were to evaluate 37signals on a 0-to-9 scale, based on how "evil" they are, you might give them a 0 or a 1. What if the scale went the other way as well? There isn't just <i>evil</i>, there's <i>apologist</i>. And it too can lay the groundwork for unfruitful results.<p>37signals' target demo is smart, well-to-do, logical. They shouldn't have to apologize. As their <i>logical</i> demo, we should know better. We know that if the filename was <i>MyBossIsAnAsshole.docx</i> or even <i>MyWeddingPhoto.jpg</i> that 37signals wouldn't have had to think for a second on the appropriate thing to do. As logical thinkers, we know why cat.jpg is funny as it pertains to our demographic. We know that MyWeddingPhoto.jpg wouldn't be funny.<p>The whole <i>burn 'em at the stake</i> routine is asinine.
Well done. I wish more companies would own up to mistakes instead of weaseling out of them.<p>To DHH if you are reading these comments: Since 37signals is such an industry leader, why not take this opportunity to release a "trust manifesto" that other SaaS companies can learn from instead of just updating your privacy policy? Present it as a few straightforward bullet points instead of paragraphs of legalese.
The real lesson here is that if you <i>really</i> want your data to be private, you have to take responsibility for encrypting it or not uploading it <i>anywhere</i>.<p>Even in the best-case scenario, at least some employees can access data as part of their jobs. This has been true of every job I've ever worked at.
This post and its comments have made me reconsider the word "trust" entirely.<p>"Trust" is an emotion-laden, rhetorical word used by someone who wants you to do something. "Just trust us."<p>Trust is not fragile, trust is an illusion.<p>Replace the verb "trust" with the word "assume" or "take a calculated risk" and you're closer to reality.<p>Instead of "trust us," how about, "Look at our record. Note that we have not had a single incident of data disclosure in 6 years. Decide for yourself if it is likely that we'll have one now, with your data."<p>Instead of "trust us," how about, "Think about our business: imagine the consequences if we were found to have looked at our customers' data, and see if that disincentive allays your concerns sufficiently."<p>Instead of "trust us," how about, "Here are the ways we are protecting your data. Consider whether they meet your requirements or not."<p>I'm voting "trust" off the island.
I think this post highlights a missing component of the IT ecosystem -- a professional code of ethics.<p>Many companies, especially large ones with lots of lawyers, have developed policies and procedures relating to what's acceptable and what's not. But most smaller companies and startups don't seem to have time to formulate these policies.<p>A professional code of ethics, especially with regard to privacy and user data, would be very useful.<p>Right now, most developers operate on a "do unto others" philosophy. While this may be well-intentioned and work well a lot of the time, it's highly subjective -- as evidenced by the comments on this thread.
When I was in college and working for a bootstrapped startup, I was handed an unprotected thumb drive with an Excel spreadsheet containing all the credit card numbers, expiration dates, addresses, social security numbers, etc. of all the clients (thousands) and told to take it home for when I was working out of the office. I was too ignorant to realize how terrible, and I'm sure illegal, this was. Of course I never abused it, but it definitely makes me wary of my data these days. I imagine this happens much more than people think. Don't worry, the company I speak of was local and has now failed, I think. It's prudent to cancel your cards once or twice a year and be careful who you trust. Some companies value convenience over security and put way too much trust in their employees.
There is a strong case to be made that 37signals should have access to this data for debugging purposes or similar. And as others have suggested, customers trusting 37signals with data should expect this at some level, unless the customers are encrypting everything at their end first.<p>But should everyone in the company have that level of access, or should access be restricted to the minimum necessary? What I don't see in others comments here (except tghw's [1]) is any recognition of that. It's all very well saying you want to give your devs access, and that you can be trusted, but over time and as your company grows you're exposing yourself to the risk of a rogue operator. And it only takes one person to do something bad to severely damage the trust your customers hold in you.<p>It's a balance, to be sure, but I'm inclined to think a blanket "we trust our devs, so they have the access they need" could be exposing yourself to a large risk you don't need.<p>[1] <a href="http://news.ycombinator.org/item?id=3471338" rel="nofollow">http://news.ycombinator.org/item?id=3471338</a>
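The Fog Creek comment earlier in the thread describes a process (customer gives permission, a sysadmin grants one engineer temporary access, the sysadmin removes it afterwards), and the comment above argues for restricting access to the minimum necessary rather than a blanket "we trust our devs". The example below is added here and is not Fog Creek's or 37signals' tooling; it models that flow as a small access broker in which every grant is tied to a recorded customer consent, approved by someone other than the requester, expires on its own, and is audited on every check. The account and ticket identifiers, the TTL and the clock values are constructed for the example.

```python
"""Time-boxed, permission-gated access to a customer account.

Added example (not Fog Creek's or 37signals' tooling).  It models the flow
described in the thread: the customer consents, a sysadmin issues a grant
to one named engineer for one account, the grant expires on its own, and
every step is written to an append-only audit log.  Identifiers, the TTL
and the clock are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    engineer: str
    account: str
    approved_by: str          # sysadmin who issued the grant
    consent_ref: str          # pointer to the customer's recorded permission
    expires_at: datetime
    reason: str


@dataclass
class AccessBroker:
    max_ttl: timedelta = timedelta(hours=4)
    _grants: dict = field(default_factory=dict)   # (engineer, account) -> Grant
    audit_log: list = field(default_factory=list)

    def _log(self, now, event, **fields):
        self.audit_log.append({"at": now.isoformat(), "event": event, **fields})

    def issue(self, now, *, engineer, account, approved_by, consent_ref, reason, ttl):
        """Issue a grant.  Refuses to exceed max_ttl, refuses self-approval,
        and refuses grants without a recorded customer consent."""
        if not consent_ref:
            raise PermissionError("customer permission must be recorded first")
        if approved_by == engineer:
            raise PermissionError("engineers cannot approve their own access")
        ttl = min(ttl, self.max_ttl)
        grant = Grant(engineer, account, approved_by, consent_ref, now + ttl, reason)
        self._grants[(engineer, account)] = grant
        self._log(now, "grant", engineer=engineer, account=account,
                  approved_by=approved_by, consent_ref=consent_ref,
                  expires_at=grant.expires_at.isoformat(), reason=reason)
        return grant

    def check(self, now, engineer, account) -> bool:
        """Called on every data access.  Expired grants are purged lazily and
        the denial is logged, so 'forgot to remove access' cannot happen."""
        grant = self._grants.get((engineer, account))
        if grant is None:
            self._log(now, "deny", engineer=engineer, account=account, why="no grant")
            return False
        if now >= grant.expires_at:
            del self._grants[(engineer, account)]
            self._log(now, "deny", engineer=engineer, account=account, why="expired")
            return False
        self._log(now, "allow", engineer=engineer, account=account)
        return True

    def revoke(self, now, engineer, account, by):
        """Early removal once the support task is done."""
        if self._grants.pop((engineer, account), None) is not None:
            self._log(now, "revoke", engineer=engineer, account=account, by=by)


def demo():
    """Walk through one support case.  Returns the tuple of access decisions
    and the ordered list of audit event names."""
    t0 = datetime(2012, 1, 15, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker()
    # Before permission: denied, and the attempt is on the record.
    before = broker.check(t0, "dev-alice", "acct-1042")
    broker.issue(t0, engineer="dev-alice", account="acct-1042",
                 approved_by="ops-bob", consent_ref="ticket-7781",
                 reason="customer reports missing attachment",
                 ttl=timedelta(hours=1))
    during = broker.check(t0 + timedelta(minutes=10), "dev-alice", "acct-1042")
    # Same engineer, different account: the grant does not carry over.
    other = broker.check(t0 + timedelta(minutes=10), "dev-alice", "acct-9999")
    # Nobody revoked it, but the TTL has passed.
    after = broker.check(t0 + timedelta(hours=2), "dev-alice", "acct-1042")
    events = [e["event"] for e in broker.audit_log]
    return (before, during, other, after), events


if __name__ == "__main__":
    decisions, events = demo()
    print(decisions)   # -> (False, True, False, False)
    print(events)      # -> ['deny', 'grant', 'allow', 'deny', 'deny']
```

The point of routing every read through `check()` rather than handing out a database login is that the audit trail and the expiry are enforced by the broker, not by whoever remembers to clean up; a rogue or careless engineer is limited to one account for a bounded window, and the record of who looked at what survives them.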
FWIW, there's an Italian startup called Iubenda trying to do something around privacy policies, so that it's easy to have a good one:<p><a href="http://www.iubenda.com/en" rel="nofollow">http://www.iubenda.com/en</a>
Reminds me of something my ex-colleague came up with in a discussion over lunch. Trust is a complex variable. It has some real part/value that both the parties involved can be secure about, and an (or two?) imaginary part where both the parties have a guess about what else they will/can trust the other about.
In this case, I think the filenames would count as the imaginary part. Not to imply it's not private, but I would be surprised if it had been in the terms of service.
HN Discussion of the incident a few days ago: <a href="http://news.ycombinator.com/item?id=3456819" rel="nofollow">http://news.ycombinator.com/item?id=3456819</a>
Seems reasonable, but can adults stop boasting that they're behaving like adults? Unless 37signals is being run by children, in which case: good job, kids.
At any large organization with millions of customers and public opinion affecting stocks, even mentioning that random people on the dev team have access to customer data can be pretty career-altering. The fact that you're even looking at confidential information is generally highly frowned upon.<p>What if Mint.com celebrated their 1 "billionth" processed transaction by posting what it was? Wouldn't that cause outrage?
I routinely look into my customers' data and didn't really have second thoughts about it.<p>I even automated the process of looking into customers' data. The main goal is to catch spam and scams and delete such accounts.<p>Maybe it's specific to my business (job board), but aren't scams and spam a risk in any business to at least a certain extent?
I'm not too troubled by employees reading file names in the logs, but for some reason it bugs me that the apology post included a promotion (a link) for "Basecamp Next." In this context it didn't seem necessary.
I was one of the people who was vocal about this being a serious gaffe when the post went up.<p>This is absolutely the best response conceivable. Bravo!
People really got <i>that</i> upset over them knowing the name of the 100 millionth file? They're not going to look at the log anymore? I don't know how they operate on the server side of things but if no one is going to look at logs anymore then why have the log at all? I look up to 37Signals a lot but I think they were a little too apologetic this time. Why not apologize but explain that the log files tell you basically nothing about the contents of your files? How does anyone not make the connection between the cat joke and the file named cat.jpg? I mean, they even spelled it out in the original post! I'm not trying to be critical, I'm just kind of left wondering how something like this offended a single person. Weird.