Path Has Your Address Book Data. So what?

5 min read,
Published Feb 20, 2012

Path, the recently relaunched social network, recently had a little crisis; it was discovered that Path uploads your address book to their servers. Dave Morin, co-founder and CEO of Path explained how address book data has been used used for faster and better searching of your friends and nothing else.

However, he apologized, Path deleted every address book from their servers and they’ve released an updated version of the app in which you can opt-out of giving your address book information. Although Path successfuly avoided any bigger problems, this incident showed that Path isn’t the only app which takes your private information without your knowledge. Even Apple had to react when Congress sent them a letter asking for information on why Apple allows such apps to be in the AppStore.

Here’s what was happening about this privacy issue:

Path Uploads Your Entire iPhone Address Book

It all started with this blog post by Arun Thampi who described how he discovered the data:

It all started innocently enough. I was thinking of implementing a Path Mac OS X app as part of our regularly scheduled hackathon. Using the awesome mitmproxy tool which was featured on the front page of Hacker News yesterday, I started to observe the various API calls made to Path’s servers from the iPhone app. It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add.

Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.

We Are Sorry

Path’s Dave Morin explained a lot in the comments of the original post, but he also apologized and described how Path deleted everything from their servers:

We made a mistake. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts.

So, as a clear signal of our commitment to your privacy, we’ve deleted the entire collection of user uploaded contact information from our servers. Your trust matters to us and we want you to feel completely in control of your information on Path.

Congress Sends Letter to Apple Questioning the Path Debacle

The Next Web got the news that US Congress sent a message to Apple with several questions about this issue:

  • Please describe all iOS App Guidelines that concern criteria related to the privacy and security of data that will be accessed or transmitted by an app.
  • Please describe how you determine whether an app meets those criteria.
  • What data do you consider to be “data about a user” that is subject to the requirement that the app obtain the user’s consent before it is transmitted?
  • To the extent not addressed in the response to question 2, please describe how you determine whether an app will transmit “data about a user” and whether the consent requirement has been met.
  • How many iOS apps in the U.S. iTunes Store transmit “data about a user”?
  • Do you consider the contents of the address book to be “data about a user”?
  • Do you consider the contents of the address book to be data of the contact? If not, please explain why not. Please explain how you protect the privacy and security interests of that contact in his or her information.
  • How many iOS apps in the U.S. iTunes Store transmit information from the address book? How many of those ask for the user’s consent before transmitting their contacts’ information?
  • You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis. Please explain why you have not done the same for address book information.

Read the full letter on The Next Web.

Path Isn’t Only App to Upload Your Address Book Data

Not long after Arun Thampi discovered how Path uploads your address book data, there were discoveries on how some other apps also use your address book without asking. Facebook, Twitter, Instagram, Foursquare, Foodspotting and Yelp are some of them, PCWorld reports.

Apps from Facebook, Twitter, Instagram, Foursquare, Foodspotting and Yelp upload names, e-mail addresses and/or phone numbers from users’ address books to their servers, sometimes without explicit permission, according to VentureBeat.

The apps mostly upload the information to match phone numbers or e-mail addresses in the companies’ database. The apps are trying to see whether your friends have accounts on their services, so that you can all connect and share every detail of your waking lives.

The Next Web reported how Instagram quietly updated its app, now asking you for your permission to access the address book data.

What do you think of this privacy issue? Is it a serious problem or a minor issue which gives you a better user experience with these applications?

Nikola Krajacic

Recommended

View Blog

Developers, This eBook on Personal Branding Is Your Game-Changer

Explore