Mobile Social Network Caught Uploading Users’ Address Books

Users and critics are upset with Path, the smartphone-based social network, after a developer discovered that Path was uploading users’ entire address books to its servers without explicit consent.

Singapore-based iOS developer Arun Thampi made the discovery while attempting to create a Path desktop companion app during a hackathon sponsored by his employer. “I noticed that my entire address book (including full names, e-mails and phone numbers) was being sent as a plist [property list] to Path,” Thampi said in a blog post. “Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result — my address book was in Path’s hands.”

Path cofounder and chief executive Dave Morin responded in the comments of Thampi’s blog post, admitting that yes, Path does indeed upload your entire address book to its servers. “We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently,” Morin said. “As well as to notify them when friends and family join Path. Nothing more.”

But others soon took Morin to task for uploading a user’s address book without that person’s consent. Scotland-based iOS developer Matt Gemmell asked Morin why the company didn’t obscure the data by uploading it as hashed data, and why Path didn’t require users to opt-in before grabbing their contacts. A hash would turn plain text information, such as an e-mail address, into a shorter unique identifier such as a number or a set of letters. Morin said Path would consider using hashes instead of complete contact information.

Morin also said that not requiring users to opt-in was currently the “best industry practice,” but noted that the next version of Path’s iOS app would notify users about the upload. Path version 2.0.6 is expected to hit the App Store in the next few days. Morin did not say how version 2.0.6 would handle notifying users about uploading contact data. The Android version of Path allows you to choose to scan your contacts for new connections; however, in my tests it was never made clear that your contacts were leaving your phone.

Path was launched in late 2010 as an alternative to massive social networks such as Facebook. Path limits the number of people you can connect to 150 and is designed to be private by default. “Path should be private by default. Forever,” the service’s About page says. “You should always be in control of your information and experience.”

If you’re a Path user and would like to have the service remove your data from its servers you can e-mail Path at service@path.com.

Connect with Ian Paul (@ianpaul) on Twitter and Google+, and with Today@PCWorld on Twitter for the latest tech news and analysis.