The iOS developer, based in Singapore, was poking around Path’s API for a hackathon when he stumbled on a request that sent his entire contact list, including names, emails, and phone numbers, to Path.
“Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new ‘Path’ and repeated the experiment and I got the same result — my address book was in Path’s hands,” he wrote on his blog.
Thampi was careful to say that he didn’t believe this was a nefarious grab by Path to access sensitive personal data. He just noted that it was striking and a bit creepy how much information he was giving away without explicitly being asked for permission.
Apps like the Aurora Feint game have been de-listed from the App Store by Apple in the past over similar behavior. On Android, users are prompted for their approval when an app asks for this kind of access to their contacts.
In a lot of ways this should have been obvious. Path’s goal is to connect its users with a more intimate social network than Facebook. There is nothing more intimate than the names and numbers on a person’s phone. And Path has kept this practice in plain sight, for example on the Wikipedia page about the company.
This is the sort of gut, OMG, reaction that occasionally flares up when someone bothers to look under the hood of the apps that millions of folks download and share their data with every day.
Path CEO Dave Morin responded in a comment on Thampi’s post:
“Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently, as well as to notify them when friends and family join Path. Nothing more. We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we pro-actively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.”
After Morin’s response, the tempest in a teapot continues to rage. Path users are asking for their data to be deleted and threatening legal action. Others are saying that this violates Apple’s terms of service and are asking for Path to be pulled from the App Store. Path recently relaunched its app to critical acclaim and saw its membership double to 2 million.