Path Should Use Hashes To Keep Your Contacts Secret [Opinion]


By hashing your contact details, Path could have avoided a scandal

Last week, the web exploded with the news that social iOS app Path was uploading your entire address book to its servers, and then keeping it there. Worse, it was sending and storing them in plain text (although the connection was at least SSL-encrypted). Clearly, having Path notify you when your friends join the service is handy, but is there a way to do this without compromising your privacy? According to Edinburgh iOS supremo Matt Gemmell, there is.

Gemmell explains the procedure in great (and interesting) depth. In short, it’s all done with hashes. No, not the tasty breakfast dish, but the mathematical kind which you may be familiar with from downloading open-source software. Hashes are numbers generated from the attributes of a file or, say, e-mail address. They are pretty much unique, while remaining anonymous. Hashing a file or e-mail address always gives the same result, but cannot (without a lot of work) be reversed.

Thus, Path could hash all of the emails in your address book, upload them and have an anonymous list of your contacts. When a new person joins, their e-mail is hashed, and if the string matches one of yours, congratulations! You have a new friend.

Hashes work like this: Multiply 6×7 and you get 42. The answer is the same whoever does the math. But if I give you the number 42 and ask you what numbers I used to get it, you have many options. Add in algorithms instead of straight multiplication, and much bigger numbers than six and seven, and you get the idea. Yes, you can hack your phone to protect you, but that can have annoying consequences.

There’s more to it in practice (and tasty-sounding salted hashes play a part), but it looks like a great compromise. After all, I like it when Instagram tells me a new friend joined the service. I just don’t like it having all the addresses, phone numbers and possibly even notes from my contacts. Path has, as we reported already, made the upload optional, but if you hit yes, then it should be hashing your precious info.

[via @mattgemmel]

  • ddevito

    I thought iOS and it’s walled garden was so secure?

    Guess not.

  • ??nD ??os??A

    A decent idea, but too late for Path, they already lost the trust of consumers.  Maybe the next Facebook challenger will do this.  Even with the hashing, you still have info leakage.  For example, many women I know keep my data in their contacts just so they can easily avoid my calls. In this scheme, I would be notified when one of them joined the social network. It’s a corner case, but still an example of information leakage. 

  • marmaduke25


  • Kye Alan Russell

    Sure, the IDEA sounds good, it’s perfect in fact.  You didn’t pay enough attention to hash collisions as you should’ve.  Overly self-righteous privacy-conscious folk are the worst to deal with, and we all know it’d take just ONE hash collision incident causing somebody else’s information to show up on somebody’s Path and then they’d start whining like never before

    Can’t you see it now.  “Online Service Leaks your Info to Strangers, and They Knew It Was Possible!”.  It’s always the best choice to resolve these issues in their favor, because the whining is too much to deal with for companies.