60 comments
pclark, over 13 years ago
I find it mind blowing that (in the comments of the blog post) someone asked the Path CEO:

> Why wasn't this [sending all the contacts to your servers without users knowing] an opt-in situation to begin with? Isn't that against Apple's own T&Cs?

and the Path CEO replied:

> This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we've been proactively addressing this.

Really guys? REALLY? This is why developers need explicit guidelines, because as they just demonstrated, if there are no guidelines companies default to the thing that exploits the end user! (Incidentally, it's unfair to pick on Path too much, as almost all social networking applications do exactly this also.)

I actually cringed when I read this "however, as mentioned, we believe users need further transparency on how this works"... which is why it took someone running a proxy and writing a blog post for you to suddenly be transparent about it. Mind blowing. Why even say that?

Btw, times like this? You destroy any and all credibility when you say you are trying to build a company that is built to last or one that is going to follow in the footsteps of Apple.

Apple would never do this to their users.

(Do not make this a discussion about the evil and good sides of Apple. Apple has repeatedly not bowed to companies' desires for owning contact information and I expect they will fix this contact hole in the near future.)

It's sad because I respect Path and their love of design. But design isn't just about how it looks. It needs to resonate through the entire vision, company, product, and how you treat people.
danso, over 13 years ago
Dave Morin, Path's CEO, just responded in a comment:
http://mclov.in/2012/02/08/path-uploads-your-entire-address-book-to-their-servers.html#comment-432202082

> Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.

> We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

edit: Morin responds to a response
http://mclov.in/2012/02/08/path-uploads-your-entire-address-book-to-their-servers.html#comment-432242293

To the suggestion that they just hash the address book entries:

> 1. This is a good alternative solution which we'll look into. Thanks for the idea.
corywatilo, over 13 years ago
This is actually nothing new. A lot of apps have been doing this for a very long time. However, it is one of the best kept secrets in our space. I kind of have a feeling no one talks about it because they don't want word to get out. Can you imagine the scandal if this made it on the front page of CNN or Drudge?

Ever since I learned this was possible, I've been very careful about which apps I download, and actually have downloaded very few since, as a result. There are a lot of random iPhone developers that I really don't think need to have access to my entire contact list.
trotsky, over 13 years ago
Honest question: Isn't this within the kind of behavior that AppStore reviews are supposed to prevent, at least if there isn't an app specific functional explanation for it? Does Apple have a list of what kind of behavior like this is tolerated or does word just get out about what they don't reject?
greyman, over 13 years ago
I begin to understand what Richard Stallman has been saying all those years. Although I don't like the guy on a personal level, this incident makes him completely right: running closed source software can compromise your rights (rights to privacy in this case).

I also want to thank the author of this post for discovering this! I wanted to try Path some time ago; now I can safely avoid it without regret.
nc, over 13 years ago
I think this is Apple's problem really. Path is just one of many apps that probably do this without asking you.

Ideally the OS should prompt you if an app wants access to your address book, just like it does for location.
danilocampos, over 13 years ago
You'd think people would learn. I mean, this is the original scandalous practice in mobile apps. See this from 2008:

http://gizmodo.com/5028459/aurora-feint-iphone-app-delisted-for-lousy-security-practices
pashields, over 13 years ago
I'm at a loss as to how this is surprising anyone. How did people think that these apps found other users you know? This is built to support: A) finding existing people on the service and B) so they can (theoretically) send you notifications if a friend joins. If you want those features (and it seems that users do), this is the only way to do it. Admittedly, most apps are more explicit about it with a "find friends from address book," but if you want to lower the friction as much as possible, this is the way to do it.
AlexMuir, over 13 years ago
So does Facebook, as shown 107 days ago, and continuing today. http://news.ycombinator.com/item?id=3145857
grappler, over 13 years ago
A few years ago, at a "Facebook developer garage" event, I personally asked Dave Morin (Path Founder and CEO) a very similar question to the one in today's news. At the time, he was in charge of the Facebook developer platform, having not yet left Facebook to start his own social network. I asked him about the amount and variety of information Facebook gave freely to applications using their platform (there were far fewer privacy controls at the time).

I also asked about whether and how Facebook intended to enforce their platform terms of service, which essentially said apps could use such information temporarily, but that they must discard it no later than 24 hours after a user's most recent use of an application.

I remember that in answering those questions, he essentially said that his preferred approach was not to try and make violations of those terms difficult or impossible through technical means. His inclination was to give apps the benefit of the doubt, and deal with troublemakers if and when issues arise. He also relayed a story about his college days, in which he said that his study of the workings of government was better preparation for his web career than anything directly related to technology.
masonlee, over 13 years ago
One can fuel a lot of user engagement by scraping the address book and notifying users every time one of their contacts signs up.

The "Beluga" app did this, without user permission or warning, and it boomed ahead of competition that did not. "Kik" did something similar. "Industry best practice" indeed.

Sadly, it's a winning strategy, and will continue to be until someone fixes the rules of the game.
willdamas, over 13 years ago
Just a quick note to also point out, regarding this from the CEO: "if you'd like your account deleted, including all data, we're happy to do this as well."

I emailed to have my Path account deleted a few weeks ago and was told it had been 'deactivated'. After querying this, it was confirmed that they did not yet have the functionality to delete your data, only hide it. Worrying that he said they can.
bri3d, over 13 years ago
This sounds like a wonderful Cydia / iOS Jailbreak app opportunity. MobileSubstrate allows easily hooking system methods. An app which replaces the Address Book API with something returning empty data for all non-system apps seems pretty easy and quite urgent.

Morin and company need to provide an "opt-out and wipe all of my contact data now" option if they don't want legal action and backlash, as well. Simply making the app require opt-in to share this data in the future isn't nearly enough (and, especially in the EU, isn't legal).

Update: I'm working on a MobileSubstrate tweak to neuter AB* functions in non-Apple apps, and it's now possible to get your information wiped from Path... by emailing service@path.com.
brudgers, over 13 years ago
From the Wikipedia entry [http://en.wikipedia.org/wiki/Path_%28social_network%29]:

"Contacts are suggested from among persons in a user's electronic address book, as well as people with whom the user is communicating by email."

It's been there for over a year. http://en.wikipedia.org/w/index.php?title=Path_%28social_network%29&action=historysubmit&diff=475202633&oldid=404280654
fufulabs, over 13 years ago
Why am I not surprised? This is from a Facebook alum after all. Uninstalled Path; kind of a dealbreaker since its whole angle is privacy and the CEO can't even get this one basic thing right.
jtchang, over 13 years ago
I e-mailed Path and they replied. The only thing I am worried about is how to verify my information is actually wiped out. And what about all my other friends who have me in their address books? How do I get rid of that?

Zack S.
FEB 08, 2012 | 05:19PM PST
Hi Jeff,

Thanks for getting in touch with us! I have erased your contacts and their information from our servers.

On behalf of the team, I'd like to apologize for any privacy concerns that you may have had. Our current release of Path for Android requests permission to access your address book. In the next iOS release, we will have this same permission request added.

Until the update is released for iOS, selecting "Add Friends" will display the names of contacts that you have stored on your phone. But now that you've opted out of contact uploading, we will never re-store this data on our servers.

Please let me know if there is anything else I can do to help you. I'm more than happy to address any further questions or concerns that you may have.

Best,
Zack
bks, over 13 years ago
So I have read the responses and it seems that there are a few schools of thought here and I just want to make sure that I understand the possible solutions.

Per user Steko, is this the ultimate solution to the problem?

(0) we get your permission (is this in the ULA, the in-app screen? The privacy page of the app?)

(1) we check for your contacts in our database (hashing your contacts). The method of hashing is yet to be determined, or what info to hash and match if anything other than the email address or maybe the phone number.

(2) we let you know if any matches are found.

(3) we throw away all your data afterwards.

My question is: do you go through steps 1, 2, 3 each time that you boot up the application or click the add connections button? Compare the hash, report on the matches and dump the rest? Rinse and repeat?

Is the issue more the keeping the address book for later matching, or the passing it in the clear part?

If you were going to have an opt-in or disclosure, what would you want it to say?
checoivan, over 13 years ago
Combine this with the fact that sometimes syncing your iPhone with a corporate server brings the whole company address book to the phone. They must have a lot of contacts stored.
mishmash, over 13 years ago
It would be nice to go a single week without seeing how utterly complete the notion of privacy has been destroyed.
shalmanese, over 13 years ago
Can someone explain to me exactly how I could be harmed by this? My contact list is just a list of names and phone numbers of people I contact. Even if I had an escort service in there or something, I don't think anyone on Path's end is individually looking through the data.
LaGrange, over 13 years ago
The fact that address-book upload should be opt-in is obvious, and was stated so many times here it was boring. But there's also the other side: I, and quite a few people I know, have good reasons to want an opt-out from being discoverable this way. If someone knows my email address, let them send me an email with an invitation code. They shouldn't even know I'm signed up until I accept.

Though I also don't really think it's something private companies should solve. Now, I can of course avoid services that let me be too easily findable, but the proper solution is to make said opt-out required by law. Otherwise it's just not beneficial for the company to provide it.
harold, over 13 years ago
I don't have a problem with this as long as they ask permission up front before doing so. I don't recall having been presented with that question myself, though.

Disappointed in Path, especially since their focus was on a more private, tightly knit social network.
badclient, over 13 years ago
So I download an IM app that automatically finds your friends based on your phone directory. I launch it and, scrolling through my friends list, I see my mom. Some contacts later, I see the real name of the hooker. Both my mom and the real hooker are on this IM platform... just a click away from chatting with me under the same identity. This can be more than creepy; fortunately this is a made-up example ;)

I thought about this with WhatsApp. This is scary because while we are used to having multiple emails for different parts of our lives, juggling multiple phone numbers is still a chore despite services like Google Voice.
sk3tch, over 13 years ago
I don't know if any of you remember, but this is why Guido van Rossum quit using Twitter. The official Twitter client for Android uploads your entire contact book without showing more than a notification stating 'find your friends' or similar; you click this notification and by that time it's already too late. More on that here:

https://plus.google.com/115212051037621986145/posts/YguETTsM4K5
bri3d, over 13 years ago
I wrote a MobileSubstrate (jailbreak only, sorry!) tweak to block the use of ABAddressBookCopyArrayOfAllPeople, the most common method of stealing contacts in this manner.

It's rough around the edges, but check it out: http://news.ycombinator.com/item?id=3564968

It should be available in the BigBoss repository as "Address Book Privacy" sometime tomorrow.
atldev, over 13 years ago
Even if Path buried this disclosure deep in a TOS page, would anyone read it? I just posted a startup idea I have to generate easy-to-read summaries from website TOS pages: http://clearsignal.posterous.com/do-we-value-our-laundry-more-than-our-privacy
ricefield, over 13 years ago
Call me crazy, but I prefer it when companies do this. If I'm interested in using their service, then I'd be happy to be alerted when my friends sign up for it.

That being said, I wholeheartedly agree it should be opt-in (or at least have an opt-out) for people who are concerned about their personal data.
thought_alarm, over 13 years ago
Has anyone looked at Path's privacy policy?

Do they explicitly state what personal information they download to their servers, what they use it for, and how long they retain it?

If not, then they're breaking the law in many countries, regardless of what Apple's current developer guidelines happen to be.
vm, over 13 years ago
Dave Morin's (Path CEO) response:

Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

Dave Morin
Co-Founder and CEO of Path
SideburnsOfDoom, over 13 years ago
This is an accident waiting to happen. Whoever does this is doing it wrong. The case was well made here by Colin Percival (the tarsnap guy) in his blog: "Playing chicken with cat.jpg" http://www.daemonology.net/blog/2012-01-19-playing-chicken-with-cat-jpg.html

> "The answer isn't for (any company) to prove that they can be trusted; the answer is to ensure that their customers don't need to trust them ... The best way to avoid privacy breaches is not to formulate a detailed privacy policy; it's to reduce your capabilities so that you're unable to violate anyone's privacy"
EGreg, over 13 years ago
In our Q platform, we specifically upload only the hashes of the address book. There is absolutely no need to have the actual email or phone number of people in order to find "who is on the service". However, when you INVITE people, we specifically download the full email address because we send them an invitation ourselves.

This is just one out of 100 things that our platform does while solving the usual stuff of apps: user signups, importing address books, invites, etc. However, we applied for a patent on some of the stuff we do. Even though I personally don't like patents, it's the thing to do in the current environment. Going to write a blog post about it soon.
jtchang, over 13 years ago
So my entire address book is on Path's servers right now?

Well shit. How do I get it off their servers?
United857, over 13 years ago
One-way hashing the phone numbers and emails would at least be a good solution to alleviate the privacy concerns, while still allowing you to connect with your friends on Path.
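The hashed friend-finding flow that bks lays out above as steps (0) to (3), and that EGreg and United857 describe as hashing the address book before upload, as an added Python example; this is not code from Path or from any commenter. It assumes a constructed normalisation rule (10-digit numbers are treated as US numbers and prefixed with +1), a hypothetical MatchingServer class standing in for the service, and constructed sample members and contacts. What it shows that the comments do not is that both sides must normalise identifiers identically before hashing, or formatting differences alone make real friends invisible, and that the server's only input is a list of hashes it can discard once matched.

```python
import hashlib
import re


def normalize(identifier: str) -> str:
    """Canonicalise an email address or phone number before hashing.

    Client and server must apply the same rule; otherwise "(415) 555-0100"
    in an address book never matches "+14155550100" registered on the server.
    The 10-digit -> "+1" rule is a constructed assumption for this example,
    not a real numbering plan.
    """
    s = identifier.strip().lower()
    if "@" in s:
        return s
    digits = re.sub(r"\D", "", s)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def hash_identifier(identifier: str) -> str:
    """One-way hash of the normalised identifier (step 1 of the comment)."""
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


def client_prepare(address_book):
    """Client side: reduce the raw address book to a list of hashes.

    Only this list leaves the device; names and raw numbers stay local.
    """
    return sorted({hash_identifier(entry) for entry in address_book})


class MatchingServer:
    """Hypothetical server that holds only the hashes of its own members."""

    def __init__(self, members):
        # members: {identifier: username}. The server already knows these
        # because each member registered with that email or number.
        self._by_hash = {hash_identifier(ident): user for ident, user in members.items()}

    def match(self, uploaded_hashes):
        """Steps 1-3: look up each hash, report matches, retain nothing.

        The uploaded list lives only in this call's local scope and is
        never written to any store, which is the "throw away" in step 3.
        """
        return sorted(self._by_hash[h] for h in uploaded_hashes if h in self._by_hash)


def find_friends(server, address_book):
    """Step 0 (opt-in) belongs in the UI; this runs steps 1-3 end to end."""
    return server.match(client_prepare(address_book))


# Constructed sample data for the example.
SAMPLE_MEMBERS = {
    "alice@example.com": "alice",
    "+1 415 555 0100": "bob",
    "dave@example.net": "dave",
}
SAMPLE_ADDRESS_BOOK = [
    " Alice@Example.com ",  # case and whitespace differ from the registered form
    "(415) 555-0100",       # formatting differs from the registered form
    "carol@example.org",    # not a member: the server sees only an opaque hash
]

if __name__ == "__main__":
    server = MatchingServer(SAMPLE_MEMBERS)
    print(find_friends(server, SAMPLE_ADDRESS_BOOK))  # ['alice', 'bob']
```

One caveat belongs with this design: an unsalted hash of a phone number is cheap to reverse by hashing every number in a country's numbering plan, and an email hash can be matched against any list of known addresses, so hashing limits what an honest server has to retain rather than hiding contacts from a server that wants to recover them. Pairing it with the opt-in in step (0) and the discard in step (3) is what makes the flow defensible.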
jluxenberg, over 13 years ago
Does this mean that the standard HTTPS stack on the iPhone is insecure? Shouldn't certificate verification fail when it attempts to send data via the mitmproxy?
slykat, over 13 years ago
I feel like this is [unfortunately] a regular practice of app makers nowadays. I'd love to abide by "let the industry govern itself" but I don't think that's realistic. I've seen so many apps that have abusive and opaque permissions.

Is there any regulation to protect consumers here? If not, are any legislators drafting any?
Would the FTC step in, or does this only happen when a giant like MSFT/GOOG/FB makes a misstep?
renegadedev, over 13 years ago
> industry best practice

Did he say that with a straight face? Heard a lot of corporate BS in my time but this takes the cake.

This is Apple's fault for allowing all apps access to the address book. But there is a deeper issue here: trust. Just because I leave my office unlocked doesn't mean my colleagues can steal from it.

I love this app and had great hopes for it, but trust is a limited commodity and Path just lost mine.
antr, over 13 years ago
Albeit too late, after reading this I uninstalled Path from my Android. I did not buy into this.
ghalin, over 13 years ago
1. I just changed my phone #
2. I notified all of my contacts to change their phone #s
3. I contacted both Apple and my State senator.

I am outraged by this scandal, and I still can't bring myself to believe that Path has been collecting this sensitive personal information. My 6-month-old's pediatrician's # is in my phone. If this were EVER exposed or shared with a 3rd party, I can only imagine what kind of damage could occur. Path should suffer for this. I forgive Apple for secretly tracking my iPhone's location for a year, but I DO NOT FORGIVE PATH. Not this time. This went too far. Dave Morin should know better. I bet an engineer voiced that he felt morally wrong doing this, and Path just fired him. This is just wrong. A defining moment in our industry. We need to stand united on this issue, and just try to move forward.
benaston, over 13 years ago
I always wondered what the purpose of Path really was, given that it offered little over and above Facebook itself (apart from an arguably nicer UI.) It would seem the purpose is to data-mine users' handsets.
ethank, over 13 years ago
It's worth noting that the AddressBook API dates back to mid 2008:

"The Address Book framework provides access to a centralized contacts database, called the Address Book database, that stores a user's contacts."

It has been there since iOS 2.0.
alpb, over 13 years ago
I didn't know HTTPS requests could be traced so easily from a proxy. I was planning to start coding an authentication endpoint with SSL, but obviously it is traceable that quickly. Is there no way to avoid that?
malandrew, over 13 years ago
Quora best handles this situation. There can be a lot of benefit for the user to have the contact list on the server, but it needs to be (1) transparent, (2) obvious, and (3) come with a delete button.
AznHisoka, over 13 years ago
Moral of the story: don't target techies as your end users. They'll just look under your hood to make sure you're not doing anything embarrassing like this, or passing back clear-text passwords in JSON.
saddino, over 13 years ago
So my choice is easy, but for the life of me I can't figure out how to delete my Path account. Both online and mobile interfaces appear to be missing this function. Help?
csmt, over 13 years ago
I was thinking of using Path as a personal diary. But not anymore. Just deleted Path app. I would suggest everyone to do the same. A lesson for Path and others.
orblivion, over 13 years ago
You know... I think Google uploaded my entire contacts list to its servers, and I don't recall being informed very clearly about that either.
dam0, over 13 years ago
I'm pretty sure that Instagram is doing this too as I get push notifications whenever a friend signs up. Can anyone confirm?
ukemma, over 13 years ago
With social apps, trust is everything. Without it, you've got nothing. I wonder if this increases vanity user base numbers.
grappler, over 13 years ago
I wonder if this use of address book information explains the sudden spike in Path's growth since their recent relaunch?
xorbyte, over 13 years ago
Such a blatant and fundamental failure to be transparent in regards to user privacy should make everyone doubt Path's ability to function as a private social network. Whether this incident is a reflection of their technical incompetence or a lack of actually caring about their users' privacy (as their Values would otherwise have you believe), the expectation that their product can live up to its purported goal is misplaced.

This is pretty basic stuff.
angryasian, over 13 years ago
I'm happy this is brought up again. So many apps do this unknowingly. One reason I prefer web over apps.
ABS, over 13 years ago
From a company that claims they "don't currently have the internal tools to delete an account", I'm sadly not surprised.

The above was their official response to me when I asked to delete my account... and I had to ask by email since there is no link on their website to close your account...
gabaix, over 13 years ago
This is clearly a lost opportunity to position Path as the "trusted network" against Facebook.
0x0, over 13 years ago
I sure hope they have implemented proper ACL for the REST api.
benaston, over 13 years ago
Uninstalled Path. Incredible violation of privacy.
piyushranjan123, over 13 years ago
So does whatsapp
evanlong, over 13 years ago
I believe Bump does the same thing and I am willing to guess others do as well.
robomartin, over 13 years ago
Brought to you by: https://path.com/team

Their collective decision making has proven to be a huge liability. Would you hire them for your next venture?

A 14-year-old girl could tell you that her address book is private, private, private!
rjurney, over 13 years ago
This is NOT controversial. You give them permission to do this. If you don't want Path to import your address book, then don't ask Path to import your address book.