Your users' data is not yours

"The sad truth is that most evil is done by people who never make up their minds to be good or evil."
Hannah Arendt

I'm not trying to identify the developer or the app. What bothered me more was that no one said anything when it happened. (I've tried pointing things out with good intentions before. It didn't go well. So I'm writing this instead, with some distance.)

I saw a developer post a database screenshot on social media — some kind of celebration post. User-entered text and personal notes, all in plaintext. It caught me off guard, and likes kept coming in. I watched to see if anyone would call it out, but hours later, still nothing.

Their privacy policy did mention collecting user content. So legally, they disclosed it. But disclosing that you collect data, personally browsing individual users' notes, and posting them publicly are three entirely different things.

The app had a feature that let users write personal memos. Personal notes are the kind of data that should never sit in plaintext on someone else's server. If it's a native app, there's iCloud and Google Drive — sync reliability aside, at least the developer can't read it. If it's a web app, encrypt it so even you can't read it. Server-side search is a different problem, but that's still no reason to store things in plaintext.

At my last job, running a single query on production required approval and left an audit trail. That kind of infrastructure isn't realistic for a solo developer. So don't collect personal data in the first place. If you don't need it, don't store it.

Anyone can build a product now, and that's a good thing. But being able to write code doesn't make the responsibility of handling data any lighter. No one's watching, so ask yourself: what if I were a user of my own product? That's all it takes. Calling it ethics sounds too grand — it's just the baseline.

It wasn't just confusion when I first saw that post — I was angry. It wasn't about the notes themselves, but the casualness of it. My first job was in blockchain. After three years in a place where one mistake could wipe out someone's assets, the casualness hit different.

When I posted an early draft on r/webdev, there were some great comments. Here are a few.

"This is why I obsess over credential handling in anything I build. (…) Don't store what you don't need, and encrypt what you must keep so even you can't read it at rest. (…) The hardest part is being honest about what you actually can and can't guarantee. Accountability beats promises."
"I generally approach all software as 'we're your data steward'. We own the architecture and systems, but we don't own the data — we protect it. (…) It's also companies that don't make accessing client data easy for the client out of fear of leaving with it. Do better with your product then. Have a reason they want to stay."
"A privacy policy saying 'we collect notes' does not make it ok to browse or post individual entries. That is still exposure of personal data, and it can be a breach depending on what was shown and who saw it."