We hope that a quick look at the way Textie Messaging handles your address book data will illustrate that there are better “industry best” practices out there. You needn’t settle for less.
Let’s say you’ve installed Textie and now you want to know who else has the app (setting aside that Textie Messaging does not require the other party to have Textie). How is this going to happen?
A basic approach to getting this “Find My Friends” sort of feature would be to upload every email address from a your address book to some servers, and then have the servers run a comparison with all existing users’ addresses. (So many popular apps do this today, it’s frightening.) This is the easiest method for the app creator to code, and it has the added “benefit” of revealing to their servers a whole collection of email addresses of people who don’t yet have their app, but might want it. So tempting! But is it right?
We have a design principal: Touch the minimum private data necessary for servicing the user’s intention. And as it happens, prying into all these addresses is not necessary to answer the question “who else has the app?”.
The following screen cut from Textie for iPad shows where a user accesses the “Find My Friends” feature:
First of all, it’s optional. Second, as we say, “Privacy is protected by one-way hashes so that servers never see actual addresses.” (Please tweet suggestions for better wording to @Textie)
Using a cryptographic technique called one-way hashing, the Textie app creates encoded tokens (or “hashes”) for each address that you have, and only those hashes are sent to the server for comparison. Because the hashes are “one-way”, it is impossible (in all practicality) for the servers to reverse them and determine the email addresses that each was created from. The only way the hashes are recognizable is if they have been computed independently, and to do that, the email address would have to already be known by us. Indeed, Textie servers compute the hash once for each new user who signs up and verifies their email address. Now with our pre-computed hashes saved, Textie servers can tell you which addresses it recognizes without learning of the ones it doesn’t.
(Developers, note that you’ll need to find good ways to canonicalize the addresses. We’ve found lowercasing to be a good start.)
Using this approach, Textie is pretty well assured not to scrape up any new email addresses when you go to find out if your friends have Textie. We avoid being burdened with private data that we don’t need for servicing your request, and there’s no way for us to be tempted to start spamming your contacts or keep a massive database of who knows who according to private contacts lists.
If that kind of thing sounds good to you, please help the future of online privacy by insisting that all your apps treat the address book with similar respect.