In what can only be considered the very definition of irony, it has been discovered that Path 2 for iPhone secretly uploads your entire address book to its servers and stores it there. In case you didn’t know, Path is a hot iOS app that offers an exclusive, confined social network experience with a limited number of people. Unlike Facebook, Path only lets you accept 150 friends, a limit meant to signal the intimate, safe environment that the app’s creators want users to feel at home in.
Developer Arun Thampi has uncovered that Path’s current iPhone app sends all of your contacts to its servers without notifying you. Oops.
“I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new ‘Path’ and repeated the experiment and I got the same result – my address book was in Path’s hands.”
The co-founder of Path, Dave Morin, responded to Thampi’s discovery:
“Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.
“We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.”
Developer Matt Gemmell asked Morin if Path was violating Apple’s Terms and Conditions by not asking users to opt into uploading their address book. Morin said, “This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we’ve been proactively addressing this.” Path 2.0.6 will hit the App Store soon with the ability to remove this contact information from the app’s servers. Disgruntled users can contact firstname.lastname@example.org to have any other personal information purged from Path’s database as well.
The Android version of Path already lets users opt into sharing their address books with the app’s servers. Morin said, “We hope that the proactive steps we’ve been taking over the last couple of weeks on our Android client show we care deeply. We’re hoping to have iOS 2.0.6 into the App Store process by the end of the week.”