Path uploads iOS address books to servers

Privacy blunder erodes trust in fledgling social network

Social network Path has come under fire for sharing entire iPhone address books to its servers. Arun Thampi revealed the problem in an article, reporting on findings while implementing a Path app for OS X. Dave Morin, Path CEO, candidly responded in the article's comments, and said the address books were uploaded only to "help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path", and added that the next update would make this opt-in.

While Morin's candid response was welcomed by some, concerns remained. Path's position as a more trustworthy take on the likes of Facebook was obliterated, and developers questioned Morin's comment that Path's actions were "currently the industry best practice" and that "the App Store guidelines do not specifically discuss contact information".

The last straw

User research and design expert Leisa Reichelt told us the incident was the "last straw" for her and Path, and added that "I'm starting to think that Path is a lot like Facebook, but red instead of blue". She said that the two companies appeared to "share a philosophy of caring more about extending my social graph – for their benefit, no doubt – than helping me control and curate my own network". This, suggested Reichelt, was contrary to what she thought Path's value proposition was, and she argued the recent actions were "placing the company's goals above those of its users".

Reichelt had already been irked by Path from a UI and UX standpoint, considering it hard to fit into the ecosystem of the other networks she used, finding it difficult to unfollow someone, and then realising there's nowhere within the app to delete an account. Now, she's giving up on the network entirely: "Path was supposed to be a safer place [than Facebook] with a smaller group of people who we really cared about. That requires trust, and that trust is now gone."

Developer concerns

Developer Matt Gemmell also spoke to us about the incident. He thought there wasn't "any reason to assume that anything was done with malicious intent," and so, unlike Reichelt, retains his positive outlook for the company. However, he nonetheless called Morin's comments on best practice "disingenuous", was less confident about Path's grasp of privacy issues, and figured the media and community attention will act as a severe wake-up call. "I think all apps that want access to your contacts should request it explicitly. I'd be pleased if Apple would enforce this at OS-level, but until then it's up to the app developers themselves," he continued. "We live in an age of increasing distrust of businesses, and this simple measure would go a long way towards reassuring users."

Gemmell also recommended any developers should think carefully whether they require access to such details at all, especially when it's held remotely: "In Path's case, it would be a simple matter to instead use hashes of the user's email address – and even of the email addresses of other contacts – which would provide more security and privacy, never sending the actual raw contact info outside the device itself. I was concerned that the Path CEO responded to me that he'd never thought of this before, since a formal Computing Science education would practically always include material on hashing, cryptography and related subjects. But of course many developers hold degrees in other fields, or even no degrees at all. Perhaps this should serve as a reminder that, when dealing with personal information, it's important that developers and management be educated on privacy issues and in techniques for addressing them."

Path and Morin did not directly return .net's requests for comment, but pointed to an online apology that adds the company "deleted the entire collection of user uploaded contact information from our servers" and confirms the process will now be opt-in. Elsewhere, Marco Arment wrote an article explaining that many apps are working similarly to how Path was, and likened the situation to a security hole that developers are exploiting.