If you lost your wallet at Outside Lands, your information is now public

Update: Much has changed since I wrote this blog post! I’ve written a follow-up here and I encourage you to read that first.

If you were one of were one of the many thousands that attended the Outside Lands festival in San Francisco over the weekend and were unfortunate enough to drop your wallet – your full name and private information are now available for public consumption.


Traditionally, Lost and Found is facilitated via the exchange of information; the loser of sunglasses identifies said sunglasses with enough detail to ascertain their ownership. This safeguard exists to prevent someone from stealing items that don’t belong to them.

The organizers of Outside Lands listed all the items in their Lost and Found inventory on their web site. With good intentions no doubt, they also added photos and detailed descriptions of those items. This is rather pointless, but it also effectively defeats all security – anyone could very easily claim most of these items just by using the photos and descriptions on their site.

Most importantly, they made a critical error by listing the names on the drivers licenses and credit cards they found. Not only is this absolutely pointless (no misidentification is possible), it exposes a huge privacy invasion to unsuspecting persons (who could even be minors). For instance, using name matching alone, you can clearly identify the full name of a student at University of Central Oklahoma (name listed on ID), what state she’s from (name listed on drivers license), where she went to undergrad (name listed on ID), and where she shops for gas (name listed on Credit Card).

This is a great reminder to all us developers: with great power comes great responsibility. Just because you can make a Lost and Found web site doesn’t mean you should do so without first considering the implications.

Update: Soon after writing this post, I got a call from Travis Laurendine, the organizer of the hackathon that developed this web site for Outside Lands. He communicated that the site was released prematurely and he too was concerned about the points mentioned in my post. They took the initial version version down while they made repairs.

My intention in writing this post was certainly not to attack a group of hackers who stepped out on a limb and made something people want. I simply noticed what I felt like was an improper disclosure of information by a company that should know better, and wrote a blog post about it to find out what others thought (after emailing Outside Lands directly). The amount of interest the article generated was unexpected, but I very much appreciate the quick response taken by Travis & team; it is a testament to the ever interconnected world we live in. I look forward to seeing the newly revised version of the site when it is re-released.

So what do you think? I’d love to hear your perspective over on Hacker News.


The importance of privacy

In this day and age where web apps can be built in a day and released to millions, it’s vitally important that we leave time to consider the implications our products have on the world. I’m thankful that the folks at Outside Lands took notice and cared enough about their fans’ privacy to review and improve their Lost & Found web site when I wrote a blog post voicing my concerns that it exposed too much information

Anyone who has worked with me knows that I’m a proponent of rapid iteration. The best way to learn if a product is something people want is to actually get a simple version of the idea out the door for them to use. In fact, Hackathons themselves can be thought of as applied product brainstorming – the group doesn’t know which ideas will work best, but after 24 hours, you all have a pretty good idea which products will survive in the real world.

This is what makes hackathons such special places: they concentrate all our mental energy on the sole purpose of releasing a new product into the world. They remove all the red tape and unnecessary barriers that typically slow down dev cycles. A hacker who spends his time writing up a Privacy Policy isn’t doing it right!

When I learned that the Outside Lands Lost & Found web site was developed at a hackathon, I felt sad to think that my blog post, taken out of context, might negatively impact their ability to host another in the future. As a strong proponent of such events, this was never my intention, and I certainly hope this doesn’t happen. The folks behind this hack took a good idea and got it out quickly – there’s a lot of merit in that. Maybe they didn’t consider all the issues, but when the problem was brought to their attention, they fixed it and continued to iterate. This is how successful hacks become successful web sites.

I feel strongly that as software developers, it’s our responsibility to be aware of the privacy implications of the products we put out in the world. In a day and age when personal privacy is being challenged at every turn, it’s important that, even if we ourselves aren’t concerned about the privacy of our own information, we respect the rights of our users to control the privacy of their own.

This applies even if you’re releasing presumably “harmless” data as in the first iteration of the Lost & Found site, which exposed the type of credit card a person owned and where they went to school; without that person’s consent, you have no right to expose it publicly, even if it makes your product easier to use or simpler to build.

A part of this is just having an awareness of the issues – if we come from a place of respect for our users’ wishes, that respect will carry through to the products we create. But it’s also important that we recognize that protecting our users’ right to privacy is a vital part of releasing our products to the world – and that doing so is our responsibility as developers.

I’m certainly not advocating that we start inviting the EFF to hackathons (though I’m not against the idea, given the right construct!) – simply that we make considering privacy implications a step in the path towards public release, much as we might consider a production hardware upgrade. Am I retaining more information than I should about my users? Am I making it clear to them what information is being stored? Am I releasing information publicly that they wouldn’t want me releasing?

It seems to me that privacy has become a grey area over the years, with more and more people (especially us developers) no longer considering it an important right to defend. I personally don’t know what’s best for humankind as we forge ahead in this ever interconnected world we live in, all I know is that privacy matters to a lot of folks, so I’m going to do my best to respect that.

What do you think? I’d love to hear your perspective over on Hacker News.


Memories in the cloud

My wonderful grandmother Mary passed away last week. She was a beautiful person, filled with so much love for all.

My sister and I are putting together a slideshow to play during the memorial service, filled with pictures of her and my grandfather’s life together. It’s really wonderful how easy Dropbox has made it to compile photos from various family members.

Photos are one thing, but it’s amazing how quickly you forget everyday things about someone who has died, like the sound of my grandmother’s voice. Video is still rather difficult to share and keep readily accessible, and frankly, we just don’t have much video of her.

A wonderful surprise came when I realized that because I’ve been using Google Voice for several years, I have archives of every voicemail that my grandmother ever left me. It was such a treat to hear her voice again, and be reminded of her amazing spirit in a way that no photo could.

Messages cannot be downloaded directly, but if you use Google Takeout, you can download your messages all at once as mp3 files.

As our lives move to the cloud, it’ll be easier to look back and recall cherished memories. I’m thankful for that.

Life goes by so fast.