Path Uploads Your Entire Address Book to Its Servers Without Your Explicit Permission

While searching for a way to create an OS X app for Path's social network, hacker Arun Thampi stumbled onto something that could raise privacy issues with the app.

Arun was looking into the Path APIs when he noticed that his entire address book was being uploaded to Path's servers without his permission. When you create a new Path account, the app begins sending information, known as "calls," to Path's servers. The first two calls carry information you share with the service. The third call uploads your entire address book to Path's servers. Currently, the iOS version of the app doesn't ask permission to do this.

Path's Co-Founder and CEO, Dave Morin, was quick to respond to Arun's findings in the comments:

Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

Dave Morin
Co-Founder and CEO of Path

Social networks and privacy issues are nothing new, and now we're again revisiting the issue of how much information we really want to share on a social network. Yes, we want to be social, but not too social. At least it's good to see that Path is actively working to resolve the issue. [mclov.in]