That’s the buzz in the face of the revelation that a mobile social network called Path was copying address book information from users’ iPhones without notifying them. Path’s voluble CEO David Morin dismissed this as a problem until, as Nick Bilton put it on the New York Times Bits blog, he “became uncharacteristically quiet as the Internet disagreed and erupted in outrage.”


After Morin belatedly apologized and promised to destroy the wrongly gotten data, some of Silicon Valley’s heavyweights closed ranks around him. This raises the question whether “the management philosophy of ‘ask for forgiveness, not permission’ is becoming the ‘industry best practice’ ” in Silicon Valley.


Since the first big privacy firestorm (which I put in 1999, with DoubleClick/Abacus), cultural differences have been at the core of these controversies. The people inside the offending companies are utterly focused on the amazing things they plan to do with consumer data. In relation to their astoundingly (ahem) path-breaking plans, they can’t see how anyone could object. They’re wrong, of course, and when they meet sufficient resistance, they and their peers have to adjust to the reality that people don’t see the value they believe they’ll provide nor do people consent to the uses of data they’re making.


This conversation—the push and pull between innovative-excessive companies and a more reticent public made up of engineers, advocates, and ordinary people—is where the privacy policies of the future are being set. When we see legislation proposed in Congress and enforcement action from the FTC, these things are whitecaps on much more substantial waves of societal development.


An interesting contrast is the (ahem) innovative lawsuit that the Electronic Privacy Information Center filed against the Federal Trade Commission last week. EPIC is asking the court to compel the FTC to act against Google, which recently changed and streamlined its privacy policies. EPIC is unlikely to prevail—the court will be loath to deprive the agency of discretion this way—but EPIC is working very hard to make Washington, D.C. the center of society when it comes to privacy and related values.


Washington, D.C. has no capacity to tune the balances between privacy and other values. And Silicon Valley is not a sentient being. (Heck, it’s not even a valley!) If a certain disregard for privacy and data security has developed among innovators over-excited about their plans for the digital world, that’s wrong. If a company misusing data has harmed consumers, it should pay to make those consumers whole. Path is, of course, paying various reputation costs for getting it crosswise to consumer sentiment.


And that’s the right thing. The company should answer to the community (and no other authority). This conversation is the corrective.