Path discovered phoning home with your address book

Upstart social network Path was discovered uploading users' complete address book to its servers. Completely inexcusable in today's privacy-sensitive society.
Written by Jason D. O'Grady, Contributor

It's a feature, not a bug!

That's basically the response from Path's management after the popular social networking service was discovered uploading users' complete address book to its servers.

Path, for the unfamiliar, is a relatively new social network, billed as a "smart journal that helps you share life with the ones you love." Think Foursquare meets Instagram meets (insert name here).

Developer Arun Thampi discovered the privacy issue and posted this to his blog:

It all started innocently enough. I was thinking of implementing a Path Mac OS X app as part of our regularly scheduled hackathon. Using the awesome mitmproxy tool which was featured on the front page of Hacker News yesterday, I started to observe the various API calls made to Path’s servers from the iPhone app. It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add.

Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.

Um, yeah. Your entire address book.

Now I don't know about you, but I'd certainly expect a feature like address book upload to be opt-in (and optional) -- not hidden with no way to opt out. The other problem is that once Path already has your contact data, there's no way to delete it -- at least that I can find.
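The check Thampi describes doing by eye on an intercepted request can be automated when auditing an app's traffic from your own device. The following is an added example, not code from Thampi's post or from Path; the contact field names and sample body are constructed, since the page does not show the real plist layout.

```python
import plistlib
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,20}$")

def _strings(node):
    """Yield every string value in a parsed plist, at any nesting depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, (list, tuple)):
        for item in node:
            yield from _strings(item)

def audit_plist_body(body: bytes, threshold: int = 3) -> dict:
    """Count e-mail and phone-like strings in a captured request body.

    'bulk_contacts' is set when at least `threshold` such values appear,
    which points to an address-book upload rather than one profile field.
    """
    try:
        doc = plistlib.loads(body)  # accepts XML and binary plists
    except Exception:
        return {"is_plist": False, "emails": 0, "phones": 0,
                "bulk_contacts": False}
    emails = phones = 0
    for text in _strings(doc):
        text = text.strip()
        if EMAIL_RE.match(text):
            emails += 1
        elif PHONE_RE.match(text) and sum(c.isdigit() for c in text) >= 7:
            phones += 1
    return {"is_plist": True, "emails": emails, "phones": phones,
            "bulk_contacts": emails + phones >= threshold}

# Constructed sample body (hypothetical field names, reserved test values).
SAMPLE_BODY = plistlib.dumps([
    {"name": "Alice Example", "emails": ["alice@example.com"], "phones": ["+1 555 0100"]},
    {"name": "Bob Example", "emails": ["bob@example.org"], "phones": ["+1 555 0101"]},
    {"name": "Carol Example", "emails": ["carol@example.net"], "phones": ["+1 555 0102"]},
])

if __name__ == "__main__":
    print(audit_plist_body(SAMPLE_BODY))
```

Inside a mitmproxy addon, the same function can be called on `flow.request.content` from the `request` hook to flag such uploads as they happen.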

Path CEO Dave Morin quickly went into damage control mode and gave the classic It's-a-feature-not-a-bug response, saying that the app uploads your entire address book "in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path." Morin goes on to explain that Path 2.0.6 for iOS makes address book upload opt-in, noting that it's pending App Store approval.

Dan, it might be time to call in a few favors at Apple and get 2.0.6 escalated.

Not clearly disclosing a "feature" like complete address book upload and not giving users a simple way to opt out is inexcusable. Many thanks to Arun (and the mitmproxy tool) for exposing this privacy breach.


Update: It's time for Apple to require developers to disclose aspects of their apps that will impact users' privacy. This is one key area where the Android Market does things better than the App Store does. Here's a sample of the permission screen that you must acknowledge before installing the app My Tracks.

Update 2: Here's how Path can save itself, if it acts fast
