updated 06:00 pm EST, Tue February 7, 2012
No explanation given, opt-in change coming
The social networking app Path, which provides its own community along with the ability to share statuses and pictures to other popular public networks like Twitter and Facebook, has been discovered to be uploading users' entire address books to its own servers on first use. The undisclosed (and unauthorized) uploading was discovered by developer Arun Thampi and detailed in a blog post. The co-founder of Path responded by saying users would soon have an opt-in on the "feature," but did not explain why opt-in wasn't there from the beginning.
Once a user joins Path, the app sends user credentials and metadata back to Path's servers, then calls for and uploads the entire user address book -- including names, e-mail addresses and phone numbers -- to the servers. Path is not the only iOS app that leverages user contact information: Dragon Dictation is another app that uploads names from the address book to its servers, but in that case Dragon makes it clear what the information is going to be used for (recognition of contacts' names in spoken dictation) and requests user authorization before it does so. Path does neither of these things.
The company has said that it already added an "opt-in" feature for the service to its Android version of the app a few weeks ago, and is updating its iOS app to do the same, but questions remain about why the company requires so much detailed information from its users, how secure the collected data is and how many Path users are completely unaware of the practice and its implications.
Other social networks like Google+ and Facebook rely on users to voluntarily fill in address information for themselves. Facebook uses information voluntarily entered, such as schools attended, to make connections (i.e., "People You May Know") and Google+ can also leverage and connect other users to a given user through the connections made with other Google services (for example Gmail).
Dave Morin, the co-founder and CEO of Path, wrote a response to Thampi's inquiries as to why Path didn't initiate opt-in from day one and claimed that the address information is used solely "to help the user find and connect to their friends and family on Path quickly and efficiently as well as notify them when friends and family join Path," but did not respond to the original question. He thanked Thampi for "pointing this out" and said it was "an important conversation and take this very seriously," but didn't explain why the "conversation" hadn't happened until a developer discovered the company secretly pilfering user data without the user's knowledge or consent.
Morin went on to claim that "this is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we've been proactively addressing this." Path debuted on the iPhone in November of 2010. Apple's guidelines are clear that user data is not to be accessed without authorization.
He goes on to say that the company is "proactively" rolling out an opt-in for v2.0.6 of the iOS client pending App Store approval. Though Morin specifically says that Path does nothing more with the data than use it for friend and family matching, he did not explicitly rule out the possibility that third parties (such as advertisers) may be able to access the data and use it for other purposes.
Users who are concerned about their privacy or wish to leave the service can send an e-mail to firstname.lastname@example.org to request that their address book data be erased and/or their accounts closed.