Path uploads iPhone users' contacts

The popular photo-sharing service Path is taking flak today after a blogger revealed that the app automatically uploads iPhone users' entire address books to its servers.

The popular photo-sharing service Path is taking flak today after a blogger revealed that the app automatically uploads iPhone users' entire address books to its servers.

Path founder Dave Morin
(Credit: James Martin/CNET)

In a blog post, a developer named Arun Thampi said that he discovered that his "entire address book (including full names, emails and phone numbers) was being sent ... to Path". And while he also wrote that he isn't accusing Path of doing anything "nefarious", he noted that the service had never asked for his permission to upload something as sensitive as his contacts.

In what appears to be a response from Path founder and CEO Dave Morin to Thampi's post, Morin said, "We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and [efficiently], as well as to notify them when friends and family join Path."

But Morin also said that while Path has specifically been asking Android users for permission to upload the address book for "a few weeks", the company has not yet made the feature opt-in on iPhones. Path is "rolling out the opt-in for this in 2.0.6 of our iOS client, pending [Apple's] App Store approval."

Path launched the 2.0 version of its app in November.

Some, of course, are wondering why Path didn't make the address book uploading opt-in to begin with on iOS devices. Morin also addressed this in the comments section of Thampi's blog post, reiterating that Path is rolling out opt-in functionality in its next update, and explaining how users can have their data deleted from the company's servers. "We fundamentally believe that you as a user should always have control over your information and data, and you can always email our service team, and we will remove anything you'd like from our servers."

This is an interesting situation, given that Apple has learned the hard way that it needs to be strict about how iOS apps use, share and distribute users' private data. In the most recent version of its App Store guidelines, Apple writes specifically under the subheading of privacy that "Apps cannot transmit data about a user without obtaining the user's prior permission, and providing the user with access to information about how and where the data will be used."

One question then is how Path's address book-uploading functionality made it past Apple's famously strict vetting process. Neither Apple nor Path immediately responded to requests for comment.

Via CNET