What started as a bit of aimless tinkering for developer Arun Thampi ultimately unearthed something very surprising about personal life-sharing service Path. As a fan of the app, Thampi took it upon himself to look at the API calls that the app made to Path’s service and found that his “entire address book (including full names, emails and phone numbers) was being sent as a plist to Path.”
Puzzled, Thampi created an entirely new Path and tried again, only to be faced with the same results. Feel free to try it for yourself if you’re curious, as Thampi has written up the test procedures on his blog.
According to a comment left by Path co-founder and CEO Dave Morin, uploading the user’s address book is meant simply to connect users with each other. As VentureBeat points out, this isn’t exactly a secret — the practice is pointed out in the company’s Wikipedia entry. Still, it’s not exactly the easiest information to come across unless you’re actively looking for it, especially when no mention of it is made during the initial sign-up process.
When asked why Path didn’t give users the choice to opt-in right from the start, Morin responded with the following:
This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we’ve been proactively addressing this.
Much as I like Path, there’s something a little odd about Morin’s response. He calls goes on to call it an “important conversation” to have, but if that’s true, then why are we having it under these circumstances? I trust Morin and the Path team not to do anything inappropriate with my (admittedly lame) data beyond letting me know if my aunt has recently taken the plunge, but the thought of all that personal data outside of its owner’s control can be understandably chilling.
The issue doesn’t seem to exist in the most recent version of the Android app, nor will it exist for much longer in the iOS app — Morin notes that the updated iOS app has already been submitted for App Store approval. For now though, the truly concerned can fire off an email to firstname.lastname@example.org to request that their address book data be erased.
I’ve reached out to Morin for comment, and I’ll keep you posted on any developments.