Update: Much has changed since I wrote this blog post! I’ve written a follow-up here and I encourage you to read that first.
If you were one of the many thousands who attended the Outside Lands festival in San Francisco over the weekend and were unfortunate enough to drop your wallet – your full name and private information are now available for public consumption.
Traditionally, Lost and Found is facilitated via the exchange of information; the loser of sunglasses identifies said sunglasses with enough detail to ascertain their ownership. This safeguard exists to prevent someone from stealing items that don’t belong to them.
The organizers of Outside Lands listed all the items in their Lost and Found inventory on their web site. With good intentions no doubt, they also added photos and detailed descriptions of those items. The photos add little for a legitimate owner, but they defeat the safeguard entirely: anyone could claim most of these items simply by reciting the photo and description from the site back to the organizers.
Most importantly, they made a critical error by listing the names on the driver's licenses and credit cards they found. Not only is this pointless (a name on a license leaves no room for misidentification), it is a serious privacy violation against people who have no idea it is happening (and who could even be minors). For instance, using name matching alone, you can identify the full name of a student at University of Central Oklahoma (name listed on ID), what state she is from (name listed on driver's license), where she went to undergrad (name listed on ID), and where she shops for gas (name listed on credit card).
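To make the design point concrete, here is an added example (my own illustration, not code from the Outside Lands site or the hackathon team) of how a Lost and Found listing can keep the traditional safeguard: the public page shows only the category and a coarse location, while the identifying details stay server-side and are used solely to check a claim the claimant supplies. The inventory records, names and values below are constructed and fictional.

```python
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FoundItem:
    """One inventory record. Only the first three fields are ever published."""
    item_id: str
    category: str       # e.g. "wallet", "sunglasses"
    found_area: str     # coarse location only, e.g. "Polo Field"
    # Identifying details used to check a claim. Never leaves the server.
    private_details: dict = field(default_factory=dict)


# Constructed sample inventory (fictional names and values, not real data).
INVENTORY = [
    FoundItem("i-001", "sunglasses", "Twin Peaks",
              {"brand": "Ray-Ban", "color": "black"}),
    FoundItem("i-002", "wallet", "Polo Field", {
        "name_on_license": "Jane Doe",
        "license_state": "Oklahoma",
        "card_issuer": "Example Credit Union",
    }),
]


def public_listing(items):
    """Project the inventory to what a public page may show:
    category and rough location, nothing that identifies the owner."""
    return [
        {"id": i.item_id, "category": i.category, "found_area": i.found_area}
        for i in items
    ]


def _norm(value: str) -> bytes:
    # Case- and whitespace-insensitive comparison of what the claimant typed.
    return " ".join(value.casefold().split()).encode("utf-8")


def verify_claim(item: FoundItem, claimed: dict) -> bool:
    """Return True only if the claimant supplied every private detail on file.

    Every field is compared, with no early exit, so the yes/no answer does not
    reveal which detail was wrong; compare_digest keeps the comparison of each
    value itself constant-time. The server only confirms or denies; it never
    echoes the stored details back to the claimant."""
    ok = True
    for key, expected in item.private_details.items():
        supplied = claimed.get(key, "")
        ok &= hmac.compare_digest(_norm(expected), _norm(supplied))
    return ok
```

Note that the public projection is built from an explicit allow-list of fields rather than by deleting the sensitive ones; adding a new column to the record later cannot accidentally leak it.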
This is a great reminder to all us developers: with great power comes great responsibility. Just because you can make a Lost and Found web site doesn’t mean you should do so without first considering the implications.
Update: Soon after writing this post, I got a call from Travis Laurendine, the organizer of the hackathon that developed this web site for Outside Lands. He communicated that the site was released prematurely and he too was concerned about the points mentioned in my post. They took the initial version down while they made repairs.
My intention in writing this post was certainly not to attack a group of hackers who stepped out on a limb and made something people want. I simply noticed what I felt was an improper disclosure of information by a company that should know better, and wrote a blog post about it to find out what others thought (after emailing Outside Lands directly). The amount of interest the article generated was unexpected, but I very much appreciate the quick response taken by Travis & team; it is a testament to the ever more interconnected world we live in. I look forward to seeing the newly revised version of the site when it is re-released.
So what do you think? I’d love to hear your perspective over on Hacker News.