AAPL Stock: 117.81 ( -0.22 )

Printed from

Social app Path uploads users' address books, to get fix

updated 06:00 pm EST, Tue February 7, 2012

No explanation given, opt-in change coming

The social networking app Path, which provides its own community along with the ability to share statuses and pictures to other popular public networks like Twitter and Facebook, has been discovered to be uploading users' entire address books to its own servers on first use. The undisclosed (and unauthorized) uploading was discovered by developer Arun Thampi and detailed in a blog post. The co-founder of Path responded by saying users would soon have an opt-in on the "feature," but did not explain why opt-in wasn't there from the beginning.

Once a user joins Path, the app sends user credentials and metadata back to Path's servers, then calls for and uploads the entire user address book -- including names, e-mail addresses and phone numbers -- to the servers. Path is not the only iOS app that leverages user contact information: Dragon Dictation is another app that uploads names from the address book to its servers, but in that case Dragon makes it clear what the information is going to be used for (recognition of contact's names in spoken dictation) and requests user authorization before it does so. Path does neither of these things.

The company has said that it already added an "opt-in" feature for the service to its Android version of the app a few weeks ago, and is updating its iOS app to do the same, but questions remain about why the company requires so much detailed information from its users, how secure the collected data is and how many Path users are completely unaware of the practice and its implications.

Other social networks like Google+ and Facebook rely on users to voluntarily fill in address information for themselves. Facebook uses information voluntarily entered, such as schools attended, to make connections (i.e., "People You May Know") and Google+ can also leverage and connect other users to a given user through the connections made with other Google services (for example GMail).

Dave Morin, the co-founder and CEO of Path, wrote a response to Thampi's inquiries as to why Path didn't initiate opt-in from day one and claims that the address information is used solely "to help the user find and connect to their friends and family on Path quickly and efficiently as well as notify them when friends and family join Path," but did not respond to the original question. He thanked Thampi for "pointing this out" and said it was "an important conversation and take this very seriously," but didn't explain why the "conversation" hadn't happened until a developer discovered the company secretly pilfering user data without the user's knowledge or consent.

Morin went on to claim that "this is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we've been proactively addressing this." Path debuted on the iPhone in November of 2010. Apple's guidelines are clear that user data is not to be accessed without authorization.

He goes on to say that the company are "proactively" rolling out an opt-in for v2.0.6 of the iOS client pending App Store approval. Though Morin specifically says that Path does nothing more with the data than use it for friend and family matching, he did not explicitly rule out the possibility that third parties (such as advertisers) may be able to access the data and use it for other purposes.

Users who are concerned about their privacy or wish to leave the service can send an e-mail to to request that their address book data be erased and/or their accounts closed.

by MacNN Staff



  1. MyRightEye

    Joined: Dec 1969


    I found a fix already

    I call it "deleting the app". You ought to try it.

  1. chas_m



    Um ...

    ... deleting the app won't actually change anything. Path will still have your address book already uploaded, genius.

  1. testudo

    Joined: Dec 1969



    A game app was caught doing this within the first three months of the app store being opened. And yet Apple never closed the door on this privacy hole?

    And more amazing is how Apple gets a free ride on this type of thing. Yeah, it's not a security hole in the iOS that allows an app to get your entire address book and shoot it out over the internet. it's a 'feature' that was misused.

    If an Android app was caught doing this, I'm sure we'd be hearing how that OS is just filled with holes and malware and trojans and thank god we don't have those issues with iOS!

  1. testudo

    Joined: Dec 1969


    oh, I see...

    Apple's guidelines are clear that user data is not to be accessed without authorization.

    I missed that part. Accessing user data is a feature, and these people just misused it. I knew it wasn't apple's fault!

  1. testudo

    Joined: Dec 1969



    Now one has to wonder what other apps out there has sent out all your contact information? And who has it? How's it being used?

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented