Girls Around Me highlights foursquare’s biggest privacy flaw
When you’re running a service that relies on users posting their current whereabouts, privacy has to be a top priority. Foursquare has done a pretty good job of navigating this minefield so far, with just a few minor missteps along the way. This weekend, though, marked foursquare’s first real step right onto one of those privacy landmines, highlighting their biggest privacy flaw in the process.
Cult of Mac was the first to post about the issue, which stems from their discovery of a Russian-built app called Girls Around Me. As its name suggests, Girls Around Me uses foursquare’s API to see the people — filtered by gender — currently checked in around a neighborhood (it’s powered by the same foursquare API endpoint that generates the “who’s here” list in the foursquare app). If they’ve linked their foursquare account with Facebook, it pulls public photos from their Facebook profiles and compiles them together for your browsing pleasure.
Foursquare moved quickly to shut down the app following the initial post, telling Cult of Mac:
“We have a policy against aggregating information across venues using our API, to prevent situations like this where someone would present an inappropriate overview of a series of locations.”
Girls Around Me’s real transgression, though, doesn’t seem to be violating foursquare’s API policies. It was getting noticed by a publication with a following big enough to raise a stink. It’s not the first app of its kind to be built on the foursquare API, and sadly, it’s not the worst.
The honor of first goes to Assisted Serendipity, an app that monitored your favorite venues and then alerted you when the gender ratio tipped in your favor. The alert included the profile photos of the users (of your preferred gender) who were currently checked in. I liked the app (and still do), but in reality — other than the Facebook connection — that’s not too far from what Girls Around Me was doing. It shows just how fine the line between clean and creepy is.
Assisted Serendipity was hyped heavily by foursquare co-founder Dennis Crowley at a number of speaking engagements throughout 2010, opening the door to other developers to follow a similar path. It’s still working just fine.
In my opinion, the worst — if you ignore Girls Around Me’s creepy silhouetted pole dancers on the splash screen — is Nock Nock. It’s a web-based service (covering just New York, San Francisco, Bangkok and Hong Kong) that does exactly what Girls Around Me was found guilty of, except it doesn’t pull photos from Facebook. You’d have to click the Facebook link and do that digging on your own if you liked the user’s foursquare profile picture enough.
Nock Nock creeped me out enough that I contacted foursquare about it shortly after it launched. Like Assisted Serendipity, it too is still running.
Apps like Sonar.me, Ban.jo and Grindr offer most of the same functions. They’re touted as ways of “meeting new people,” with the common, but unspoken, understanding that it means “meeting new people… of the opposite sex.”
Those apps? Still working without a problem.
Girls Around Me’s developer defended his app in a statement to the Wall Street Journal, saying:
“We believe it is unethical to pick a scapegoat to talk about the privacy concerns. We see this wave of negative as a serious misunderstanding of the apps’ goals, purpose, abilities and restrictions.”
Given the other apps that function in much the same way, it would appear Girls Around Me was indeed chosen as a scapegoat — an easy target to silence the critics.
The kerfuffle highlights foursquare’s biggest privacy flaw: the who’s here list. There’s a very fine line between legitimate uses for the data and creepy uses, making it ripe for abuse. Foursquare’s API is simply too open and there are too many apps for them to be able to monitor them all and make a judgement call about each one.
And to make it worse — as if the apps released to the public aren’t creepy enough — think of what someone could do on their own server with a lot of determination and a little programming skill that we’d never see. As just one example of the potential creepiness, it would take no time at all to build a simple script that monitors nearby venues for a single person and alerts you when they’ve checked in.
Foursquare users can opt out of the who’s here list (from the privacy settings page), but very few do. As I’ve had time to reflect on it over the past few days, I chose to opt out myself. I’ll still appear in the list for my friends, but no one else. As I’ve noted, the chances of abuse are just too great.
At this point, I don’t see how foursquare has any choice but to make the who’s here list an opt-in feature. Immediately. It serves very little purpose anyway. Unless you’re friends with someone, who really cares who else is checked in anyway?
That would have a significant negative effect on the apps that have built their business on that portion of the foursquare API, effectively shutting down the likes of Sonar and Ban.jo. It also would put an end to some of the serendipitous discovery of meeting new people via foursquare. It’s a steep price to pay, but it’s the right move for foursquare to make to show they’re serious about user privacy. As Girls Around Me has shown, it’s simply too easy to abuse.