Oversight, Or Underhand? Path Takes Users’ iPhone Contacts

Users of the social network Path will be alarmed to hear that their iPhone address books have been taken without their permission and uploaded to Path’s servers.

It could be argued that this was done with the best of intentions – when any of your phone contacts joined Path, it would notify you and suggest you connect. Presumably the contacts in your phone are people you know, and therefore it's a logical step to suggest you might want to connect with them on Path. However, the manner in which it has been done is the real concern here.

Not only has Path scraped the data from your phone without asking you, but it hasn't even been that careful with it. The contacts taken from users' phones were uploaded in unhashed, plain text form, so if we estimate that each of Path's 2 million users had an average of 50 contacts, there's a database of around 100 million contacts just sitting in the cloud unencrypted.

Path's founder Dave Morin has explained that they are working on an opt-in fix for this feature, and that they only used a user's contacts to alert them to other people they knew who were using the app. However, the legality of the practice under Apple's T&Cs and the App Store's guidelines doesn't look too good. There is more discussion on the question of privacy and social networks on the DADapp blog.