560 points bearsyankees | 93 comments
1. michaelteter ◴[] No.43965514[source]
Not excusing this in any way, but this app is apparently a fairly junior effort by university students. While it should make every effort to follow good security (and communication) practices, I'd not be too hard on them considering how some big VC funded "adult" companies behave when presented with similar challenges.

https://georgetownvoice.com/2025/04/06/georgetown-students-c...

replies(10): >>43965600 #>>43965723 #>>43965782 #>>43966035 #>>43966222 #>>43966281 #>>43966578 #>>43967558 #>>43968803 #>>43969670 #
2. peterldowns ◴[] No.43965600[source]
I hear you but if you're processing passports and sexual preferences you have to at least respond to the security researcher telling you how you're leaking them to absolutely anyone. This is a total clusterfuck and there are zero excuses for the lack of security here.
3. genewitch ◴[] No.43965723[source]
i have an idea, if you don't know anything about app security, don't make an app. "Whataboutism" not-withstanding, this actually made me feel a little ill, and your comment didn't help. I have younger friends that use dating sites and having their information exposed to whoever wants it is gross, and the people who made it should feel bad.

They should feel bad about not communicating with the "researcher" after the fact, too. If i had been blown off by a "company" after telling them everything was wide open to the world for the taking, the resulting "blog post" would not be so polite.

STOP. MAKING. APPS.

replies(5): >>43965917 #>>43966137 #>>43966193 #>>43967241 #>>43967547 #
4. voytec ◴[] No.43965782[source]
I've also hit this link trying to get any info on "Cerca". It's from April 2025 and praises an app created two months earlier. It looks like LLM-hallucinated garbage. OP's entry mentions contacting the Cerca team in February. So either this entry is about a flaw detected at launch date or some weird scheme.

Nonetheless: "two months old vulnerability" and "two months old students-made app/service".

replies(1): >>43965865 #
5. michaelteter ◴[] No.43965865[source]
Ah that's a shame.

It's hard to tell these days what is real.

Linkedin shows 2024 founded, and 2-10 employees. And that same Linkedin page has a post which directly links to this blurb: https://www.readfeedme.com/p/three-college-seniors-solved-th...

The date of this article is May 2025, and it references an interview with the founders.

replies(1): >>43965886 #
6. bearsyankees ◴[] No.43965886{3}[source]
I think the date there is March 25
7. dylan604 ◴[] No.43965917[source]
Stop pushing POCs into PROD.

There's nothing wrong with making your POC/MVP with all of the cool logic that shows what the app will do. That's usually done to gain funding of some sort, but before releasing. Part of the releasing stage should be a revamped/weaponized version of the POC, and not the damn POC itself. The weaponized version should have security stuff added.

That's much better than telling people stop making apps.

replies(1): >>43966049 #
8. imiric ◴[] No.43966035[source]
That sounds like you're excusing them.

You know what else was an app built by university students? The Facebook. We're all familiar with the "dumb fucks" quote, with Meta's long history of abusing their users' PII, and their poor security practices that allowed other companies to abuse it.

So, no. This type of behavior must not be excused, and should ideally be strongly regulated and fined appropriately, regardless of the age or experience of the founders.

9. genewitch ◴[] No.43966049{3}[source]
These "devs" released an app to prod that took passport information and who knows what else. They had no business asking for any of that PII.

If all of the developers were named and shamed, would you, as a hiring manager, ever hire them to develop an app for you? Or would you, in fact, tell them to stop making apps?

They enabled stalkers. There's no possible way to argue that they didn't, you don't know, and some random person just looked into it because their friends mentioned the app and found all of this. I guarantee if anyone with a modicum of security knowledge looks the platform over there's going to be a lot more issues.

It's one thing to be curious and develop something. It's another to seek VC/investments to "build out the service" by collecting PII and not treating it as such. Stop. Making. Apps.

replies(1): >>43966208 #
10. imiric ◴[] No.43966137[source]
You're shouting into the void. The people making this type of product have zero regard for their users' data, and best engineering or security practices. They're using AI to pump out a product as quickly as possible, and if it doesn't work (i.e. makes them money), they'll do it again with something else.

This can only be solved by regulation.

11. ghssds ◴[] No.43966193[source]
Programming should require a government-emitted license reserved to alumni of duly certified schools. Possession of a turing-complete compiler or interpreter without permission should be a felony.
replies(2): >>43966667 #>>43967296 #
12. dylan604 ◴[] No.43966208{4}[source]
If I were ever a hiring manager, hell would have frozen over. But I'm not one for immediately firing someone for making mistakes. Correct the mistake and move on. Some mistakes will never be forgotten, and that dev will forever remember that some things need extra attention.

Also, if we're talking about a company that had a hiring manager in the process of making an app and did not hire employees with security knowledge somewhere in the process, then the entire company is rotten.

Let me flip this on its head though with your same logic. If you're the type of person that would be willing to provide an app your passport information. Stop. Using. Apps.

replies(2): >>43966233 #>>43966641 #
14. genewitch ◴[] No.43966233{5}[source]
These apps are for people who are looking for mates, temporary or otherwise. There may be more nuance than "dummy gave passport info to app"
replies(1): >>43966363 #
15. barbazoo ◴[] No.43966281[source]
How is one supposed to know that it's just a bunch of script kiddies we shouldn't be too hard on if their apps get released under "Cerca Applications, LLC".
16. dylan604 ◴[] No.43966363{6}[source]
Not once ever in my quest of looking for a mate did the potential mate ask to see my passport. There are times when common sense must be used. If an app is asking for invasive data that just feels out of place, just stop. The juice isn't worth the squeeze.
replies(2): >>43966520 #>>43967154 #
17. genewitch ◴[] No.43966520{7}[source]
I had a feeling some would get hung up on the "passport" thing. The "private" intimate chats were leaked, too. And full name, city, university, phone numbers, sexual preferences, and geolocation. And photographs, obviously. I assume the passport/ID stuff was for "verified accounts", but again, none of that crap should be saved in a database - a boolean default false "VERIFIED" in the user table should suffice.

The disclosure didn't show every API endpoint, just a few dealing with auth and profiles. They also mentioned only a few PII, you can tell because there were multiple screenshots spread throughout the post. I'm harping on passport for the reason you specify, too; but mostly that information shouldn't be stored...
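The comment above argues that an ID check should leave behind a verified flag, not the passport. An added example of that data-minimisation pattern (not Cerca's code or schema; the server key, the in-memory tables and the provider result are all constructed for the example): the outcome of the check, an opaque provider reference and a keyed fingerprint of the document number are kept, so duplicate-account checks still work, while the document itself is never written, and the profile handed to clients is an explicit allowlist rather than the whole row.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: a server-side key loaded from a secret store, dicts
# standing in for the users table and the fingerprint index, and a provider result
# shaped like what an ID-check vendor might return (all constructed here).
SERVER_KEY = secrets.token_bytes(32)
DOCUMENT_FIELDS = {"document_number", "document_image", "mrz", "date_of_birth", "nationality"}
PUBLIC_PROFILE_FIELDS = ("user_id", "display_name", "verified")
_users: dict = {}
_claimed_documents: dict = {}  # document fingerprint -> user_id


def document_fingerprint(document_number: str) -> str:
    """Keyed MAC of the normalised document number: enough to spot the same passport on
    two accounts, useless to anyone who dumps the table without the server key."""
    normalised = document_number.strip().upper().encode()
    return hmac.new(SERVER_KEY, normalised, hashlib.sha256).hexdigest()


def record_verification(user_id: int, provider_result: dict) -> dict:
    """Persist the outcome, a provider reference and a fingerprint; the document is
    read once here and never stored."""
    user = _users[user_id]
    if not provider_result.get("match"):
        user["verified"] = False
        return user
    fingerprint = document_fingerprint(provider_result["document_number"])
    owner = _claimed_documents.get(fingerprint)
    if owner is not None and owner != user_id:
        raise ValueError("document already used to verify another account")
    _claimed_documents[fingerprint] = user_id
    user.update(
        {
            "verified": True,
            "verified_at": int(time.time()),
            "verification_ref": provider_result.get("check_id"),  # opaque id for audit/appeal
        }
    )
    return user


def profile_for_client(user_id: int) -> dict:
    """The projection that leaves the server: an allowlist, never the whole row."""
    user = _users[user_id]
    return {field: user.get(field) for field in PUBLIC_PROFILE_FIELDS}


def audit_stored_document_fields(records) -> list:
    """Return ids of records still carrying raw document fields; run this against the real table."""
    return [record["user_id"] for record in records if DOCUMENT_FIELDS & record.keys()]
```

The fingerprint is the one compromise worth thinking about: it is keyed, so a leaked table cannot be reversed into passport numbers, but it does let the operator link two accounts that used the same document, which is the purpose. If that linkage is not needed, drop it and keep only the boolean.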

18. tmtvl ◴[] No.43966578[source]
I vehemently disagree. 'Well, they didn't know what they were doing, so we shouldn't judge them too harshly' is a silly thing to say. They didn't know what they were doing _and still went through with it_. That's an aggravating, not extenuating, factor in my book. Kind of like if a driver kills someone in an accident and then turns out not to have a license.
replies(6): >>43966766 #>>43967142 #>>43967680 #>>43967819 #>>43968420 #>>43969894 #
20. yamazakiwi ◴[] No.43966667{3}[source]
You’ve successfully contributed 20 pts to your institutional privilege score; Impressive! You're just one step away from your next badge:

"Class Immobility" (95% of users unlock this without trying!)

How to unlock: Be denied access to an accredited education. Work twice as hard for half the recognition. Watch opportunities pass you by while gatekeepers congratulate themselves!

replies(2): >>43966715 #>>43968089 #
21. pixl97 ◴[] No.43966715{4}[source]
While previous is an over reactions, the wild west free for all we have is also a problem.

At the end of the day the masses will finally get tired of the fuckery of programmers doing whatever they want and start putting laws in place, and the laws will be passed by the stupidest people among us.

Programmers now should start looking into standards of professional behaviors before they are forced on them by law.

replies(1): >>43966765 #
22. yamazakiwi ◴[] No.43966765{5}[source]
The problem isn't that anyone has access to programming, it's that corporate incentives prioritize profit over quality, security, and ethics.

And sure, if your follow-up is "that won’t change," I get it, but that doesn’t mean the open nature of programming is the problem.

>At the end of the day the masses will finally get tired of the fuckery of programmers doing whatever they want and start putting laws in place, and the laws will be passed by the stupidest people among us.

I agree laws will pass eventually but it won't start from the people. They rarely even think or hear about software security as something other than an amorphous boogie man, and there are no repercussions so any voices are easily forgotten. Eventually, it will be some big tech corp executive or politician moving into government convincing them to create a security auditing authority to extract money from these companies and/or shut them down.

I'm sure we can find some holier than thou types to fill chairs with security auditors for the new "SSC" once it's greenlit.

23. dmitrygr ◴[] No.43966766[source]
+1: if you cannot do security, you have no business making dating apps. The kind of data those collect can ruin lives overnight. This is not a theory, here is a recent example: https://www.bbc.com/news/articles/c74nlgyv7r4o
replies(5): >>43966987 #>>43967081 #>>43967592 #>>43969837 #>>43970711 #
24. satanfirst ◴[] No.43966987{3}[source]
The claim that it should have come up in a government vetting process seems to be proof that one should publish one's own dating information before entrusting it to a site that might have lost it or worse might provide it to a government specifically.
25. burnt-resistor ◴[] No.43967081{3}[source]
If you cannot do security, you have no business making any app people use in significant numbers containing Personally Identifiable Information (PII).

Perhaps, like GDPR, HIPAA, and similar, any (web|platform) apps that contain login details and/or PII must thoroughly distance themselves from haphazard, organic, unprofessional, and (bad) amateurish processes and technologies and conform to trusted, proven patterns, processes, and technologies that are tested, audited, and preferably formally proven for correctness. Without formalization and professional standards, there are no standards and these preventable, reinvent-the-wheel-badly hacks will continue doing the same thing and expecting a different result™. Massive hacks, circumvention, scary bugs, other attacks will continue. And, I think this means a proper amount of accreditation, routine auditing, and (the scary word, but smartly) regulation to drag the industry (kicking-and-screaming if need be, by showing appropriate leadership on the government/NGO-SGE side) from an under-structured wild west™ into professionalism.

26. LadyCailin ◴[] No.43967142[source]
This is exactly why I think software engineering should require a licensing requirement, much like civil engineering. I get that people will complain about that destroying all sorts of things, and it might, yes, but fight me. Crap like this is exactly why it should be a requirement, and why you won’t convince me that the idea is not in general a good one.
replies(7): >>43967245 #>>43967271 #>>43967301 #>>43967749 #>>43967914 #>>43968373 #>>43970478 #
27. zdragnar ◴[] No.43967154{7}[source]
Setting aside all of the other info that was leaked, knowing that the only profiles you see are actual, real people would be nice.

Way back when I last used a dating site, a significant percentage of profiles ended up being placeholders for scams of some sort.

In fact, several texted me a link to some bogus "identity verification" site under the guise of "I get too many fake bot profile hits"... Read the fine print, and you're actually signing up for hundreds of dollars worth of pron subscriptions.

If the dating app itself verified people were real, AND took reports of spam seriously, AND kept that information in a way that wasn't insecure, it'd be worth it.

28. yibg ◴[] No.43967241[source]
End of the day it's an ROI analysis (using the term loosely here, more of a gut feel). What is the cost and benefits of making an app more secure vs pushing out an insecure version faster. Unfortunately in today's business and funding climate, the latter has better pay off (for most things anyways).

Until the balance of incentives changes, I don't see any meaningful change in behavior unfortunately.

29. Implicated ◴[] No.43967245{3}[source]
Agreed. My stance on this changed over the course of some years after a close family member married an actual engineer (structural) and I got a lot of insight into that world.

It's astonishing to me the ease with which software developers can wreak _real_ measurable damage to billions of lives and have no real liability for it.

Software developers shouldn't call themselves engineers unless they're licensed, insured and able to be held liable for their work in the same way a building engineer is.

replies(2): >>43968008 #>>43968243 #
30. motorest ◴[] No.43967271{3}[source]
> This is exactly why I think software engineering should require a licensing requirement, much like civil engineering.

Civil engineering requires licensing because there are specific activities that are reserved for licensed engineers, namely things that can result in many people dying.

If a major screwup doesn't even motivate victims to sue a company then a license is not justified.

replies(2): >>43967584 #>>43967832 #
31. motorest ◴[] No.43967296{3}[source]
> Programming should require a government-emitted license reserved to alumni of duly certified schools.

Nonsense. I've met PhDs in computer science that were easily out-performed by kids fresh out of coding bootcamps. Do you think that spending 5 years doing a few written exams makes you competent at cyber security? Absurd.

replies(1): >>43967384 #
32. hackable_sand ◴[] No.43967301{3}[source]
Yes, I will happily fight against authoritarian takes cloaked in vagaries.
replies(1): >>43967479 #
33. dyslexit ◴[] No.43967384{4}[source]
I'm pretty sure the comment was sarcastic. The grandparent comment was so over the top with its moral outrage that sarcasm feels like about the only appropriate response.
replies(3): >>43968247 #>>43969417 #>>43970741 #
34. jmb99 ◴[] No.43967479{4}[source]
I don’t believe engineering licensing is authoritarian, and I’d be interested in hearing why you believe that to be the case (especially considering that most “real” engineering fields have had licensing requirements for a century, without any real complaints against that process).
replies(3): >>43967602 #>>43967904 #>>43968543 #
35. rs186 ◴[] No.43967547[source]
There is a point to your comment, but I am afraid you are shouting at the wrong thing.

Instead, I think this is the fair approach: anyone is free to make a website/app/VR world whatever, but if it stores any kind of PII, you had better know what you are doing. The problem is not security. The problem is PII. If someone's AWS key got hacked, leaked and used by others, well it's bad, but that's different from my personal information getting leaked and someone applying for a credit card on my behalf.

36. yard2010 ◴[] No.43967558[source]
These guys should probably study something else.
37. LordDragonfang ◴[] No.43967584{4}[source]
Conversely, it's the scale, not magnitude. A single physical infrastructure failure can usually only harm a very limited number of people. A digital infrastructure breach can trivially harm millions.

Observing that each individual harm may not be worth the effort of suing over is evidence that the justice system is not effective at addressing harm in the aggregate, not evidence of lack of major harm.

38. steeeeeve ◴[] No.43967592{3}[source]
I would agree with you. Dating app data might not be legally protected like some PII out there, but there are easily foreseeable bad consequences from compromised dating app data of any kind. Security should be accounted for from the very beginning.
39. theultdev ◴[] No.43967602{5}[source]
You don't see how gate-keeping who can create software is authoritarian?

The distinction between creating virtual software and physical structures is fairly obvious.

Of course physical engineers that create buildings and roads need to be regulated for safety.

And there are restrictions already for certain software industries, such as healthcare.

Many other forms of software do not have the same hazards so no license should be needed, as it would be prone for abuse.

replies(1): >>43967872 #
40. mmanfrin ◴[] No.43967680[source]
> They didn't know what they were doing _and still went through with it_

You don't know what you don't know; sometimes people can think they do know what they're doing and they just haven't encountered situations otherwise. We were all new to programming once; no one would ever become a solid engineer if they prevented themselves from building anything out of fear of doing something wrong that they did not account for out of lack of experience.

replies(1): >>43971667 #
41. viraptor ◴[] No.43967749{3}[source]
While the idea is good, I'm not sure how this would get implemented realistically. The industry standards/audits are silly checkbox exercises rather than useful security. The biggest companies are often terrible as far as secure design goes. The government security rules lag years behind the SotA. For example, how long did it take NIST to stop recommending changing passwords?

Civil engineering works well because we mostly figured it out anyway. But looking at PCI, SOX and others, we'd probably just require people to produce a book's worth of documentation and audit trail that comes with their broken software.

replies(3): >>43968164 #>>43968463 #>>43968787 #
42. michaelteter ◴[] No.43967819[source]
Still not excusing them, but these HN responses are very hypocritical.

US tech is built on the "go fast, break things" mentality. Companies with huge backers routinely fail at security, and some of them actually spend money to suppress those who expose the companies' poor privacy/security practices.

If anything, college kids could at least reasonably claim ignorance, whereas a lot of HN folks here work for companies who do far worse and get away with it.

Some companies, some unicorns, knowingly and wilfully break laws to get ahead. But they're big, and people are getting rich working for them, so we don't crucify them.

replies(3): >>43968512 #>>43976058 #>>44019153 #
43. alpaca128 ◴[] No.43967832{4}[source]
I would say the risk of identity theft for over 150 million people justifies some preventative measures. And yes, there also were hundreds of lawsuits.

https://en.wikipedia.org/wiki/2017_Equifax_data_breach

Or how about four suicides and 900+ wrongful convictions?

https://en.wikipedia.org/wiki/British_Post_Office_scandal

Not to mention the various dating app leaks that led to extortion, suicides and leaking of medical information like HIV status. And not to forget the famous Therac-25 that killed people as direct result of a race condition.

Where's the threshold for you?

replies(1): >>43968264 #
44. alpaca128 ◴[] No.43967872{6}[source]
I agree creating software in general shouldn't be gatekept, but requiring that app developers who process PII have more to show than vibe-coding experience would probably be beneficial.

I don't think anyone is proposing that Flappy Bird or Python scripts on Github should be outlawed. Just like you can still build a robot at home but not a bridge in the town center.

replies(2): >>43968048 #>>43970506 #
45. s1artibartfast ◴[] No.43967904{5}[source]
There are pretty major exceptions to what requires engineering licenses, and it is pretty unclear where software should fall in.

You can sign a liability waiver and do all sorts of dangerous things.

>most “real” engineering field have had licensing requirements for a century, without any real complaints against that process).

Most newer engineering fields are trending away from licensing, not towards it. For example, medical device and drug engineering doesn't use it at all.

replies(1): >>43968751 #
46. Anon1096 ◴[] No.43967914{3}[source]
I'm curious how you think this would be implemented. Do you think you should need a license to publish on GitHub? Write code on your own computer and run it? Because this was just a startup that some kids founded so saying that a license would have to be a prerequisite to hiring somebody would not cut it. You'd have to cut off their ability to write/run code entirely.
replies(1): >>43968026 #
47. Spooky23 ◴[] No.43968008{4}[source]
Some engineers like to go on about this, but the reality is they offload the work to marginally qualified techs and unlicensed engineers and stamp the document, just like in software.

There are all sorts of failures in the structural space. How many pumped reinforced concrete buildings are being built in Miami right now? How many of them will be sound in 50-75 years? How likely is the architect/PE’s ghost to get sued?

PE’s are smart professionals and do a valuable service. But they aren’t magic, and they all have a boss.

48. GuinansEyebrows ◴[] No.43968026{4}[source]
I mean, kind of? You can't really start any kind of trade business without credentials (other than low-paying under the table work for people who don't care).

You can't stop someone from doing electrical repairs on their own home but if the house burns down as a result, the homeowners' insurance will probably just deny the claim, and then they risk losing their mortgage. Basically, if you make it bureaucratically difficult to do the wrong thing, you'll encourage more of the right thing.

49. theultdev ◴[] No.43968048{7}[source]
OP didn't qualify the statement "This is exactly why I think software engineering should require a licensing requirement".

No mention of PII or any specifics.

SWE already has regulations. I see no need for a license requirement...

Concerning PII, it's kind of hypocritical for the gov to regulate when the NSA was proven to be collecting data on everyone against their will or knowledge.

replies(1): >>43968716 #
50. GuinansEyebrows ◴[] No.43968089{4}[source]
We could probably stand to stop treating software engineering like some holy calling for geniuses only and start treating it for what it is: a skilled trade that can be regulated and accredited like all the rest of them. It's really not a wild idea and it wouldn't stop kids (or anyone, really) from learning on their own. My parents taught me how to use tools as a kid and I learned how to fix my own toilet, but I didn't decide that made me qualified to go start plumbing professionally without apprenticing first.
replies(1): >>43968232 #
51. Spooky23 ◴[] No.43968164{4}[source]
I worked on a project that was using federal tax information and had IRS 1075 compliance requirements. Those follow some version of NIST that was out of date at the time.

We had two security teams. Security and compliance. It was not possible to be secure and compliant, so the compliance team had to document every deviance from the IRS standard and document why, then self-report us and the customer to audit the areas where we were outside the lines. That took a dozen people almost a year to do.

All of that existed because a US state (S Carolina iirc) was egregiously incompetent and ended up getting breached. Congress “did something” about it.

replies(1): >>43968492 #
52. yamazakiwi ◴[] No.43968232{5}[source]
I completely agree! Thank you for this
53. tonyhart7 ◴[] No.43968243{4}[source]
Well, software is generally harmless until you integrate it in your car (see: Tesla).

I think there's defo a line where a bug in your puzzle app doesn't need a license vs AI that drives your 50k+ Tesla.

54. yamazakiwi ◴[] No.43968247{5}[source]
I am now realizing that it was most likely sarcastic after reading your comment and am now wondering how I didn't take the extreme speech as obvious sarcasm before.

Should've known when they said interpreters and compilers.

Incidentally I replied with sarcasm to theirs as well so it all works out.

55. tonyhart7 ◴[] No.43968264{5}[source]
I mean, this is the tech industry; everyone here gathers data, big tech or not.

I'm not saying I'm pro identity theft or data breach or something, but the industry culture is vastly different.

People here are pro "move fast, break things" sort of ideas; I think you just can't, tbh.

replies(2): >>43968501 #>>43971048 #
56. jasonfarnon ◴[] No.43968373{3}[source]
" Crap like this is exactly why it should be a requirement, and why you won’t convince me that the idea is not in general a good one."

If you're looking for a regulatory fix, I would prefer something like a EU-style requirement on handling PII. Even the US model--suing in cases of privacy breaches--seems like it could be pretty effective in theory, if only the current state of privacy law was a little less pro-corporate. Civil suits could make life miserable for the students who developed this app.

replies(1): >>43968733 #
57. johnfn ◴[] No.43968420[source]
But no one was killed here, so your comparison really falls flat to me - there’s a reason we have a sliding scale of punishments that scale to the crime, and security issues are nowhere near the same level of severity as murder. It feels more like fining kids for putting up a lemonade stand without a business license.
58. no_wizard ◴[] No.43968463{4}[source]
There's no governing body that continually researches, vets and updates standards of security. There should be, honestly, but there isn't. That's not true of professional engineering organizations, or medical boards, or the Bar Association etc.

They all update their recommendation and standards routinely, and do a reasonably good job at being professional organizations.

The current state of this as regards the tech sector doesn't mean it's impossible to implement.

That's why all the usual standards (PCI, SOC2 in particular) are performative in practice. There's nothing that holds industry accountable to be better and there is nothing, from a legal standpoint, that backs up members of the association if they flag an entity or individual for what would be effectively malpractice.

replies(1): >>43968550 #
59. ikiris ◴[] No.43968492{5}[source]
This is why delegated authorities should be managing things instead of congress itself. Because congress has no idea what they're doing on technical topics generally.
replies(1): >>43969222 #
60. ikiris ◴[] No.43968501{6}[source]
Everyone in business is move fast and break things and let people die if it's cheaper until regulations force them not to be. Software is just new enough that mostly doesn't exist yet.
replies(1): >>43969207 #
61. mianos ◴[] No.43968512{3}[source]
It’s also why other regulatory zones outside the US, with much stronger privacy laws like the EU, don’t seem to produce as much innovation, while the US and China keep churning out new stuff.

It’s a trade-off between shipping fast and courting risk. I’m not judging one over the other; it comes down to what you’re willing to accept, not what you wish for.

replies(1): >>43973636 #
62. ikiris ◴[] No.43968543{5}[source]
They believe any regulation is authoritative overreach so I doubt you're gonna get anywhere.

Check their comments there's screeds about compelling labor over like basic concepts.

63. socalgal2 ◴[] No.43968550{5}[source]
I feel like people who suggest governing bodies for this kind of stuff always imagine some perfect unicorn organization that makes perfect recommendations, whereas I usually imagine every UX turning into the worst possible 20x step process because of "regulations" and it will actually just be theater and not actually solve whatever problems it claims to.
replies(1): >>43974852 #
64. LadyCailin ◴[] No.43968716{8}[source]
I’m happy to discuss specifics, so long as they don’t start with the premise “regulation is authoritarianism” and also are in good faith. Kids don’t have to have an engineering license to build a bridge out of popsicle sticks, I doubt you think that someone saying “building a bridge should require a civil engineering license” should apply to that. I’m not unreasonable. I just think there has been entirely too much demonstrated harm to start with the premise of “anyone can build any software they want at any time, with zero liability”.

These students may be liable for things after the fact, but that is hardly any consolation to the people that may have had their intimate personal data leaked. Even if they are successfully sued by everybody on the site, how much money could they possibly squeeze out of a bunch of college students? I don’t know how you can prevent this without some up front thing, such as a license, rather than making them liable after the fact.

replies(1): >>43970620 #
65. LadyCailin ◴[] No.43968733{4}[source]
I can buy that. If I were dictator of the world, I wouldn’t say “making pong clones requires a license”. Even if you grossly negligently screw up the scoring system in your clone, I wouldn’t say you should be liable for anything. I think there are probably more cases where liability should exist, even without processing of personal data of any sort, and I don’t have an easy “one size fits all” regulation in mind either, it’s surely not going to be that easy, and I fully acknowledge that. I just wish we as an industry would start having that conversation in good faith.
66. degamad ◴[] No.43968751{6}[source]
> medical device and drug engineering

is a special case exception, where rather than requiring licensing for the engineers building the product, we put detailed restrictions and regulations on what needs to be done (extensive testing, detailed evidence, monitoring programs, etc) before the product can be sold or marketed.

That is hardly an example of a field where risk-taking is encouraged and unlicensed persons are able to unleash their half-developed ideas on the public.

Do you have any other examples of fields which are "trending away" from licensing?

replies(1): >>43974213 #
67. LadyCailin ◴[] No.43968787{4}[source]
I mean, bridges collapse sometimes. It’s not really about making things perfect from the get go, it’s about making sure that the industry as a whole learns from mistakes. And I agree that some of the existing standards and audits are checkboxes at best, and actively suggesting problems at worst. But, we need to be evolving those actively anyways, that has to be baked into the DNA of whatever this licensing scheme ends up being.

Anyways, I’m not the one who should be deciding the specifics here, it should be a collaboration between lots of different parties, even if I may have a seat at that table. But we have got to get away from the notion (as seen in other comments in this thread) that any sort of attempt to prevent this kind of harm before it happens is authoritarianism.

68. selcuka ◴[] No.43968803[source]
Fair point, but come on. Not returning the OTP (which is supposed to be a secret) in the response payload is common sense, whether you are a seasoned developer or a high school student.

It is also a commercial product, not something they made for fun:

    In-App Purchases
    - Cerca App $9.99
    - Cerca App 3 month $9.99
    - 10 Swipes $2.99
    - 3 Swipes $0.99
    - 5 swipes $1.99
    - 3 Searches $1.99
    - 10 Searches $3.99
    - 5 Searches $2.99
replies(1): >>43969536 #
69. ◴[] No.43969207{7}[source]
70. Spooky23 ◴[] No.43969222{6}[source]
That is the 20th century innovation. Unfortunately, the king doesn’t like it.
71. mlrtime ◴[] No.43969417{5}[source]
https://en.wikipedia.org/wiki/Poe%27s_law
72. root_axis ◴[] No.43969536[source]
Sadly, it's not common sense. I've worked with dozens of people who just throw arbitrary state into front-end response payloads because they're lazy and just push to the front-end whatever comes from the service API.
replies(1): >>43973022 #
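To make the point of the two comments above concrete, here is an added example (not code from the Cerca app or from the original post). It contrasts the anti-pattern root_axis describes, returning the service-layer record straight to the client, with a handler that stores only a salted hash of the OTP server-side and builds its response from an explicit allowlist of fields. The phone numbers, the in-memory store and the SMS "outbox" are constructed stand-ins for a real database and SMS gateway; the `leaks_secret` helper is a hypothetical response-layer check, not a library API.

```python
"""Added example: OTP request/verify with an explicit response allowlist.

Not code from the Cerca app or the original post. Phone numbers, the
in-memory store and the SMS 'outbox' are constructed stand-ins.
"""
import hashlib
import hmac
import secrets

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5

# Server-side state. A real service would use a DB or cache with a TTL.
_store: dict[str, dict] = {}
# Stand-in for the SMS gateway: (phone, code) tuples, so a test can read the
# code the same way a user would read it off their phone.
OUTBOX: list[tuple[str, str]] = []


def _deliver_sms(phone: str, code: str) -> None:
    OUTBOX.append((phone, code))


def _generate_code() -> str:
    # CSPRNG, zero-padded to a fixed width.
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


def _hash_code(salt: bytes, code: str) -> bytes:
    # Keyed hash: a dumped table of hashes is useless without each record's salt.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


def request_otp_leaky(phone: str, now: float) -> dict:
    """The anti-pattern: the service-layer record is returned verbatim."""
    code = _generate_code()
    record = {"phone": phone, "otp": code, "expires_at": now + OTP_TTL_SECONDS}
    _store[phone] = record
    _deliver_sms(phone, code)
    return record  # BUG: the secret is now in the HTTP response body


def request_otp_safe(phone: str, now: float) -> dict:
    """Store only a salted hash; the response carries an allowlist of fields."""
    code = _generate_code()
    salt = secrets.token_bytes(16)
    _store[phone] = {
        "salt": salt,
        "otp_hash": _hash_code(salt, code),
        "expires_at": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    _deliver_sms(phone, code)
    # Build the client payload from named fields, never from the stored record.
    return {"phone": phone, "expires_in": OTP_TTL_SECONDS}


def verify_otp(phone: str, submitted: str, now: float) -> bool:
    """Constant-time compare, bounded attempts, expiry, and single use."""
    record = _store.get(phone)
    if record is None or now > record["expires_at"]:
        _store.pop(phone, None)
        return False
    if record["attempts"] >= MAX_ATTEMPTS:
        _store.pop(phone, None)  # lock out: a new OTP must be requested
        return False
    record["attempts"] += 1
    ok = hmac.compare_digest(record["otp_hash"], _hash_code(record["salt"], submitted))
    if ok:
        del _store[phone]  # a code that verified once must not verify again
    return ok


# Hypothetical response-layer guard: field names that must never reach a client.
SECRET_FIELDS = {"otp", "otp_hash", "salt", "password", "password_hash", "session_token"}


def leaks_secret(payload: dict) -> set[str]:
    """Which known secret field names made it into an outgoing payload?"""
    return SECRET_FIELDS & set(payload)
```

The `leaks_secret` check is a cheap last line of defence for a serializer that passes objects through, but the real fix is the allowlist in `request_otp_safe`: the client only ever sees the fields the handler chose to send. A denylist on field names would miss the next secret someone adds to the record.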
73. cAtte_ ◴[] No.43969670[source]
this stops applying when your cute little app starts storing people's passports
74. const_cast ◴[] No.43969837{3}[source]
When I was a student I was leading a project where we made a timeclock web software.

I enforced a no-login policy, because I didn't want potential users to even think about entering a password into a form on the website. I didn't trust myself or my group to handle it correctly, so I decided it was best to just side-step the problem. Naturally this made the application a lot less useful - but it was a student project, who cares.

Software engineering students have an obligation to ethics just like all other engineers. We need to think these things through, and decide if we even want to implement features. And we need to be thinking in terms of risk, not design.

Storing sensitive data is risky, even if you're really talented. Companies will try to put processes in place to mitigate that risk. But students are almost certainly not doing that, so they should be questioning if they should even be doing what they're doing in the first place.

75. paulddraper ◴[] No.43969894[source]
The difference is…this isn’t an automobile and the accident isn’t fatal.
replies(1): >>43973116 #
76. CelestialMystic ◴[] No.43970478{3}[source]
You haven't thought this through. What happens with open source? I need a license to make a PR on GitHub. It will also push all software engineering to places where there isn't a license requirement or onto the darknet.
replies(1): >>43970628 #
77. CelestialMystic ◴[] No.43970506{7}[source]
You aren't thinking through the broader implications.

Will I need a license if Flappy Bird has an online function for uploading high scores to a leader table stored online somewhere?

Will I need a license to put a PR on GitHub?

78. CelestialMystic ◴[] No.43970620{9}[source]
You and many others (reading through the comments) are pretending that an information leak is on the same scale and severity as major safety concerns people may have about the safety of a physical structure. It is obviously an asinine comparison, which is why you will always get such push-back; people instinctively know they are fundamentally different.

You also haven't thought about how many unintended consequences it will have. It will affect things like open source, hiring and how it will affect smaller niche cultures that rely on pseudo-anonymity or just want to do fun things.

Just off the top of my head:

Am I going to need a license to build an EDuke32 package for AUR?

Am I going to need a license to add a plugin to a piece of software?

Will I need a license to stick a gist on GitHub?

Many people that currently make the laws in industry (just look at the UK online safety act) don't understand/won't care about any of the nuance.

>I just think there has been entirely too much demonstrated harm to start with the premise of “anyone can build any software they want at any time, with zero liability”.

Actually it is the opposite. I and many others could argue that it has improved the world immensely. I can talk to people that share my interests from all around the globe, I have the ability to work internationally and never leave my home. I've just recently taught myself how to fix many of my own vehicle problems at home using YouTube and do some basic maintenance around the house.

I can get any niche product delivered to my door in a matter of days. All of these are massively positives that have benefited the world immeasurably.

> These students may be liable for things after the fact, but that is hardly any consolation to the people that may have had their intimate personal data leaked. Even if they are successfully sued by everybody on the site, how much money could they possibly squeeze out of a bunch of college students? I don’t know how you can prevent this without some up front thing, such as a license, rather than making them liable after the fact.

A license will guarantee nothing. You should assume that anything you put online can be leaked. I can control the amount of information I put on most sites by either giving them false information or being pseudo-anonymous / anonymous.

However regulation in my country is going to force photo ID for platforms such as Discord (and many others) under the guise of age checks. This will mean that I have to give a third party my ID which has all my data or not use the service. This will tie my identity on Discord (which is pseudo-anonymous) to my Discord account.

So licensing/regulation actually guarantees more data leaks. Because I can't vet the company that deals with the ID check, nor can I easily circumvent information gathering. Sure, I will probably be able to defeat most of this with a VPN. But it is more of a PITA.

replies(1): >>43973607 #
79. LadyCailin ◴[] No.43970628{4}[source]
Yes, I have. You aren’t allowed to build a faulty bridge, even free of charge.

Maybe you are allowed to build that faulty bridge in, I dunno, Laos or whatever, and if people go to Laos specifically to drive on your bridge, then that’s on them if it collapses. But countries can and do successfully regulate how software is handled in their jurisdiction, see GDPR for example. It’s not an unsolvable problem, and even if there are cracks (like there are with GDPR), the solution isn’t to throw our hands up and say “welp, nothing to be done, just have to accept that sometimes people’s intimate personal details gets leaked.”

If you think my suggestion is bad (which it very well may be), happy to hear your take on how to prevent things like this and other negligent software.

replies(1): >>43970695 #
80. CelestialMystic ◴[] No.43970695{5}[source]
[flagged]
81. nhannht ◴[] No.43970711{3}[source]
Your statement is similar to: if you cannot cook an egg in a normal pan without it sticking, you should not serve food in a kitchen.

That is merely an unconstructive statement. Developers have free will: they spent time and money to make the app, and customers spent time and money to use it. If there are any mistakes, until you prove that they intentionally harmed the customer, or violated the contract of data safety between the app and the customer, they are free to keep their business. The free market will decide what happens next.

And the link you gave as an example just made no sense. The victim was fired from a position working on government security because he was not honest from the start and did not disclose that he used a dating app. With his private data in a dating app, even if it was not leaked, the data could be exchanged illegally in the background, which could lead to social engineering and harm the government and nation he was working for. Actually, that firm and the nation were lucky that his data was leaked, on purpose by someone. It was his fault.

82. motorest ◴[] No.43970741{5}[source]
> I'm pretty sure the comment was sarcastic.

I can't tell because I've seen the same exact argument being made with a straight face in other discussions.

83. alpaca128 ◴[] No.43971048{6}[source]
Systematically violating people's privacy while not caring about protecting their data is not culture, it's called a problem.

Perhaps they could move even faster and scale better by collecting and storing less data. Moving forward fast instead of moving frantically while looking for things to break seems more reasonable to me. But then again I'm not the kind of person to become a billionaire tech CEO who's unironically bragging about being called the Eye of Sauron, so what do I know.

84. tmtvl ◴[] No.43971667{3}[source]
This is where the 'unknown unknowns' quote comes in useful. I don't know anything about blockchain technology, but I know that I don't know anything about it. When you make software which involves handling people's information your first thought should be 'do I know all I need to know about handling this information properly?', and your second thought should be 'do I really know all I need to know about handling this information properly?'.
85. selcuka ◴[] No.43973022{3}[source]
> because they're lazy

Exactly my point. The reason is not being a university student. It's laziness, or not taking your job seriously.

86. Anthony-G ◴[] No.43973116{3}[source]
You never know with data leaks from dating apps. A homosexual user would have to clearly state their sexual preferences and this could be dangerous for them if their local community is homophobic. Unfortunately, it’s also not uncommon for victims of “sextortion” to be driven to suicide from the stress and anxiety of being blackmailed. See also, the fallout of the Ashley Madison data breach: https://en.wikipedia.org/wiki/Ashley_Madison_data_breach
87. theultdev ◴[] No.43973607{10}[source]
This was beautifully constructed, and I wish you got a reply.

I appreciate the effort.

replies(1): >>43973819 #
88. tmcdos ◴[] No.43973636{4}[source]
I would definitely accept more privacy rather than more innovation.
89. CelestialMystic ◴[] No.43973819{11}[source]
Thanks. I think it is very easy for people to focus on a lot of the negatives about the tech over the last 25 years and demand regulation, without recognising the huge amount of innovation that took place because people were allowed to try things.
90. s1artibartfast ◴[] No.43974213{7}[source]
Aerospace and Automotive engineering would be more examples, and then the obvious case of software and hardware engineering.

As you point out, the trend is for self-certification and government review, as is done for medicine and aircraft.

I don't think these are special cases, but the norm for any field developed after the 60's or so.

>risk-taking is encouraged and unlicensed persons are able to unleash their half-developed

That's your hostile strawman, not mine.

91. no_wizard ◴[] No.43974852{6}[source]
I don't imagine some perfect unicorn organization myself.

I do imagine a technical organization that strives to do its best and would have sufficient scope to protect its members legally if need be, so members would be empowered to make the best decisions possible.

92. ruszki ◴[] No.43976058{3}[source]
“Go fast, break things” was invented at places where the best developers in the world worked. Applying the mentality without great developers is not how great startups were made.
93. make3 ◴[] No.44019153{3}[source]
I'm not sure hypocritical is the right word as you have no idea who parent is, maybe it's Pope Bob for all you know