There’s a reason why today’s news that Path was uploading its users’ entire address book to its database was stunning — all this time Path has been positioning itself as one of the good guys! … Sort of an alternative to Facebook … a kinder, gentler social network that only wanted to keep things between you and fifty of your closest friends, and then 150. And then …
It’s sort of jarring when a social network bills itself as private, and then quietly sucks up as much data as its leading — and notoriously data-grabby — competitor. Still, even Facebook notifies you (via iOS notifications) that it’s grabbing your address book data.
The worst-case-scenario ramifications of Path’s rushed and poorly implemented contact alert system lie in murky waters somewhere between identity theft and, in case of an acquisition, overly aggressive marketing tactics.
Path has 2 million users. Say each has, at a low estimate, about 50 contacts in their iPhone: all in all that’s 100 million addresses in the Path database — a database whose security we know very little about. It’s even more jarring when you realize that this data is being uploaded in plain text rather than hashed, when hashing — which isn’t a complete fix — actually doesn’t take much more effort.
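The hashing idea above, sketched as an added example (this is not Path's code and was not part of the original post): the client normalizes and hashes each contact before upload, the server matches on digests, and the last function shows why that is not a complete fix when identifiers such as phone numbers come from a small space. All function names, the sample contacts and the assumed "+1" default country code are constructed for illustration.

```python
import hashlib
import re

def normalize_email(addr):
    return addr.strip().lower()

def normalize_phone(number, default_cc="1"):
    # Assumption: bare 10-digit numbers belong to country code default_cc.
    digits = re.sub(r"\D", "", number)
    if not number.strip().startswith("+") and len(digits) == 10:
        digits = default_cc + digits
    return "+" + digits

def digest(value):
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def hashed_address_book(contacts):
    """Client side: only digests leave the phone, never names or raw values."""
    out = set()
    for c in contacts:
        out.update(digest(normalize_email(e)) for e in c.get("emails", []))
        out.update(digest(normalize_phone(p)) for p in c.get("phones", []))
    return out

def find_friends(uploaded_digests, registered_identifiers):
    """Server side: match uploaded digests against its own members' identifiers."""
    index = {digest(i): i for i in registered_identifiers}
    return sorted(index[d] for d in uploaded_digests if d in index)

def recover_by_enumeration(target_digest, prefix, width):
    """Limit of plain hashing: a small input space can simply be tried out."""
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}"
        if digest(candidate) == target_digest:
            return candidate
    return None

# Constructed sample data (reserved example domains and 555-01xx numbers).
CONTACTS = [
    {"emails": ["Alice@Example.com "], "phones": ["(555) 010-0142"]},
    {"emails": ["bob@example.org"], "phones": ["+1 555-010-0199"]},
]
REGISTERED = ["alice@example.com", "+15550100199", "carol@example.net"]

if __name__ == "__main__":
    uploaded = hashed_address_book(CONTACTS)
    print(find_friends(uploaded, REGISTERED))
    print(recover_by_enumeration(digest("+15550100142"), "+1555010", 4))
```

Hashing keeps names and unmatched e-mail addresses out of the server's database, but anyone holding the digests can test guesses against them, so it reduces what is stored rather than making the upload safe to collect without consent.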
Sure, Path isn’t the only culprit (soon afterwards it was revealed that photo-sharing app Hipster also does this), and probably hundreds of apps are getting away with this in the iOS store at this second, which begs for a solution from Apple itself — i.e. it should lock down the address book API and notify users when apps want to get their grubby fingers on it.
In the meantime, Path founder Dave Morin (who, in my experience, has been totally legit — as in honest) is apparently working on an opt-in fix, but still, this whole debacle reminds us that user privacy is a lot more than skin deep.
Update: Path investor Michael Arrington puts out an impassioned call for the company to delete its user data.
Image: Niklas Hellerstedt