Update: Path’s CEO has apologized and promised to delete any collected data. See this entry.
It’s the top story on Techmeme at this moment: the socially-networked “lifestreaming” iPhone app known as Path uploads your entire address book to its servers.
This fact was discovered by Denso developer Arun Thampi when he decided that he’d build a Mac OS X client for Path at his company’s hackathon. To do this, he decided to observe the API calls that Path made to its servers only to discover that the data for his Contacts app – names, email addresses, phone numbers – was getting HTTP POSTed to https://api.path.com/contacts/add. To see the the full story, be sure to read Arun’s blog entry on the matter.
Path CEO Dave Morin sent a reply to Arun, explaining that the data is used only to help users connect to their friends and family and nothing more. He also said that they “proactively rolled out an opt-in for this” on their Android client a few weeks ago and will include the same opt-in feature on the next version of the iOS client. For anyone who has the current version on their iPhone, that feature came a little too late. This is bad, and the fact that Path has recently been working on “proactive” fixes suggests that they know it.
I have Path on my phone because it’s a gorgeous app and a number of my friends and coworkers were on the network and encouraging me to take it for a spin. That means that my contact info resides on Path’s servers. A good chunk of my life is public by my own choice, so I can live with Path having my own address and phone number, but nobody else on my contacts list signed up for that. Furthermore, inclusion in my contacts list doesn’t necessarily imply that they’re someone I want in my social network graph. But Path can’t discern between my friends and family and others like my ex-wife, my local cab company or that client in Australia who just had a couple of questions. You’d think that Path would’ve learned the lessons of “Fuck You Google”, in which a woman wrote about how Gmail overshared her info with her abusive ex-husband.
It’s an even bigger problem in the case of celebrities, who presumably have other celebs’ numbers in their on-phone Rolodexes. Take a look at this tweet from Alyssa Milano:
— Alyssa Milano (@Alyssa_Milano) February 8, 2012
The response, by the way:
@Alyssa_Milano shoot me a note at dave at path dot com.
— Dave Morin (@davemorin) February 8, 2012
And did it also upload my notes about people? (Yes, I’m one of those people who actually uses the “Notes” field in Contacts. For business contacts, it’s all part of the schmooze; for friends and family, it’s so I remember things like their likes, dislikes, birthdays, anniversaries and other little things.)
In the comments to Arun’s article, iOS developer Matt Gemmell suggests the following to Dave Morin:
Why are you uploading the actual address book data, rather than (say) generating hashes of the user’s email addresses locally, then uploading just those hashes? You’d be able to do friend-finding that way, and similarly if you uploaded hashes of all email addresses in the user’s address book, you’d be able to do your notifications of when a friend joins. At no point would your servers ever need to see the actual email addresses or phone numbers from our contacts.
He also points out that sending the entire Contacts database to their servers may be a violation of the App Store’s terms and conditions. In fact, section 17.1 of that T&C states:
17.1: Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.
Dave Morin’s been firefighting ever since the news about Path got out. He’s stayed on message with the “we’re not trying to be evil here” line, but with the faith in Google’s “Don’t be evil” mantra pretty much gone, it’s not very reassuring. On the bright side, he has made it clear that if you want your address book and even your Path account deleted from their servers, you have but to send an email to email@example.com.
Update (February 8, 2012): Mike Arrington has put online what I’d been thinking (but didn’t think Path would ever do without a lot of pressure): they should simply delete all the address book data they pulled. It would be an excellent goodwill gesture; let’s see if they take up his suggestion.
(Little hint, Dave: if you keep overusing “proactive” and “proactively” the way you have in your responses and tweets, it becomes a filler word, like “um” and “uh”. Especially when such “proactivity” seems limited to stating that you’re not doing anything wrong.)
There’s been some freaking out over Path in the comments for Arun’s blog entry as well as in other venues online, but it’s time to let cooler heads prevail. Let’s see what Path does in the next 48 hours – as Arun himself puts it, “I hope we can keep calm and continue to discuss this sensibly”.
If you’re developing software that makes use of people’s personal info, let this be a lesson!