The guys behind social networking app Path have found themselves in a little bother this week. Controversy surrounding the app first stemmed from a blog post published by Arun Thampi, in which Thampi reported his alarming discovery that Path had been uploading the entire address book of every user who registered with the service to its own servers, and without users’ permission.
Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.
Sure enough, Thampi was right. Upon creating an account at Path, a call was previously made to: api.path.com/1/users.plist, which Thampi noted contained data such as “your first name, last name, gender and [account] password.”
If that wasn’t alarming enough, Thampi went on to explain the third call made to Path’s own servers during the account creation process, a call to: api.path.com/3/contacts/add. This, Thampi says, “is the actual offending call which [uploaded] my entire address book to Path.”
Unsurprisingly, the world reacted to the finding, and Path CEO, Dave Morin, was quick off the mark tonight to apologize for the firm’s actions. Calling the collection of user data without permission a “mistake,” Morin noted that it is Path’s mission to build “the world’s first personal network,” one which is considered a “trusted place”.
“We made a mistake. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts,” Morin said.
“As our mission is to build the world’s first personal network, a trusted place for you to journal and share life with close friends and family, we take the storage and transmission of your personal information very, very seriously.”
Following what many are now calling a PR nightmare, the CEO noted tonight that Path has since deleted the entire archive of information it had collected without users’ permission, adding that an update to the app had been issued which intends to solve this privacy issue by offering users the ability to opt out of this data collection process.
Here’s the thing. If you let Path collect your data by not opting out, and you later decide you no longer want Path to hold this information, then according to 9to5Mac you’ll have to e-mail Path to request that the information be removed from the firm’s servers. That suggests there will be no automated way to make this request in-app once you’ve given Path permission to take your data.
We believe you should have control when it comes to sharing your personal information. We also believe that actions speak louder than words. So, as a clear signal of our commitment to your privacy, we’ve deleted the entire collection of user uploaded contact information from our servers. Your trust matters to us and we want you to feel completely in control of your information on Path.
In Path 2.0.6, released to the App Store today, you are prompted to opt in or out of sharing your phone’s contacts with our servers in order to find your friends and family on Path. If you accept and later decide you would like to revoke this access, please send an email to firstname.lastname@example.org and we will promptly see to it that your contact information is removed.
Those still looking to use Path can download the new “opt-out” update.