‘We are sorry.’

Yesterday, a pretty big fiasco happened with a neat app (that I use) called Path. It was discovered by Arun Thampi:

I started to observe the various API calls made to Path’s servers from the iPhone app. It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add.

Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.

Arun pointed out that he did not believe Path had nefarious intentions, and in fact Path’s founder followed up in the comments to Arun’s post to assure readers that the data is used only to help users find personal friends who are also using the service.

The problem with all this is (1) Path never asks for permission to access your contacts, (2) it doesn’t even use a hash to obscure the data before transmission (though Path says it is sent through a secure channel), and (3) it’s taking your entire address book — names, phone numbers, birthdays, anniversaries, home addresses, and email addresses — not just the email addresses it would need to make the match.

And all that data, while sent through an encrypted channel, sits on a Path server, where it could be (I am not saying it is being) accessed for data mining. It’s an extremely poor practice. It would be far less unsettling if the app one-way hashed the information before transmitting it, so that the stored hashes remain unreadable to people. They could still be matched, but the actual information could not be recovered for data mining.

And above all, the user should have a say in the matter.
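To make the hash-then-match idea concrete, here is an added example (my own illustration, not Path’s code or anything described in Arun’s post). It assumes a constructed local address book and a constructed list of registered users; the client uploads only SHA-256 digests of normalized email addresses, leaving names, phone numbers and birthdays on the device, and the server matches those digests against digests of its own users. One caveat a practitioner should keep in mind: a plain digest of an email address or phone number can still be guessed by hashing candidate values, because the space of plausible identifiers is small, so real deployments add rate limiting, keyed hashing or private set intersection on top of this. The example shows the data minimization and one-way property argued for above, not a complete design.

```python
import hashlib

# Constructed sample data: what the phone holds locally. Only the email
# column is needed for friend matching; everything else stays on the device.
DEVICE_CONTACTS = [
    {"name": "Alice Example", "email": "Alice@Example.com ", "phone": "+1 555 0100", "birthday": "1980-01-02"},
    {"name": "Bob Example", "email": "bob@example.org", "phone": "+1 555 0101", "birthday": "1981-03-04"},
    {"name": "Carol Example", "email": "carol@example.net", "phone": "+1 555 0102", "birthday": "1982-05-06"},
]

# Constructed: addresses of users already registered with the (hypothetical) service.
REGISTERED_USER_EMAILS = ["alice@example.com", "carol@example.net", "dave@example.com"]


def normalize_email(email: str) -> str:
    """Canonicalize so the same address always yields the same digest on both sides."""
    return email.strip().lower()


def hash_identifier(identifier: str) -> str:
    """One-way SHA-256 digest of a normalized identifier, hex encoded."""
    return hashlib.sha256(normalize_email(identifier).encode("utf-8")).hexdigest()


def build_upload(contacts):
    """Client side: the only thing that leaves the device is a sorted list of digests.

    Sorting and de-duplicating also hides the device's contact order and count of
    duplicate entries, which would otherwise leak a little structure.
    """
    return sorted({hash_identifier(c["email"]) for c in contacts if c.get("email")})


def match_contacts(uploaded_digests, registered_emails):
    """Server side: return registered users whose digest appears in the upload.

    The server never sees the raw contact list, only digests it can compare
    against digests of its own user table.
    """
    registered = {hash_identifier(e): normalize_email(e) for e in registered_emails}
    return sorted(registered[d] for d in uploaded_digests if d in registered)


def plaintext_fields_in_upload(upload, contacts):
    """Check: list any raw contact field values that appear verbatim in the upload."""
    serialized = str(upload)
    leaked = []
    for contact in contacts:
        for value in contact.values():
            if value.strip() and value.strip() in serialized:
                leaked.append(value)
    return leaked


if __name__ == "__main__":
    upload = build_upload(DEVICE_CONTACTS)
    print("digests uploaded:", len(upload))
    print("matches found   :", match_contacts(upload, REGISTERED_USER_EMAILS))
    print("plaintext leaked:", plaintext_fields_in_upload(upload, DEVICE_CONTACTS))
```

Running it shows two matches (Alice and Carol) found from three uploaded digests, with no name, phone number, birthday or address string present in what was sent. Normalization matters: without it, a capitalized or trailing-space address on the phone would never match the server's copy.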

Well, Path responded today on their blog. The pertinent parts, with commentary:

We made a mistake. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts.

As our mission is to build the world’s first personal network, a trusted place for you to journal and share life with close friends and family, we take the storage and transmission of your personal information very, very seriously.

Through the feedback we’ve received from all of you, we now understand that the way we had designed our ‘Add Friends’ feature was wrong. We are deeply sorry if you were uncomfortable with how our application used your phone contacts.

I believe this is a heartfelt apology. Path knows they screwed the pooch.

In the interest of complete transparency we want to clarify that the use of this information is limited to improving the quality of friend suggestions when you use the ‘Add Friends’ feature and to notify you when one of your contacts joins Path — nothing else. We always transmit this and any other information you share on Path to our servers over an encrypted connection. It is also stored securely on our servers using industry standard firewall technology.

Transparency is good. Path should have been transparent about this from the get-go. I still think they should take only the pertinent data, and only after the user gives their blessing, rather than all of it. And that data should be obscured before, during, and after transmission.

We believe you should have control when it comes to sharing your personal information. We also believe that actions speak louder than words. So, as a clear signal of our commitment to your privacy, we’ve deleted the entire collection of user uploaded contact information from our servers. Your trust matters to us and we want you to feel completely in control of your information on Path.

That’s a good move.

In Path 2.0.6, released to the App Store today, you are prompted to opt in or out of sharing your phone’s contacts with our servers in order to find your friends and family on Path. If you accept and later decide you would like to revoke this access, please send an email to service@path.com and we will promptly see to it that your contact information is removed.

Also good news.

This is all a good start to fixing the problem, but this shouldn’t have been a problem in the first place. Path should have had better practices to begin with.

I’m glad to see they responded quickly.