Today developer Arun Thampi discovered his entire address book including full names, emails and phone numbers was being collected by the new social app, Path.
In trying to make things easy for users, Path uploads your address book to their servers so you can easily connect to your friends and family on its network.
The problem is Path doesn't tell you it's going to do it.
Path is a 16 month old social network that acts as a personal journal and allows you to share photo, video, music, people, places, and text to a select network of 150 people. Since version 2 was released, Path has surged to just over 2 million users.
In the last few hours since Thampi posted his discovery online, Path users have been up in arms. They were never asked permission for Path to access their address book. The bigger worry? Though with most apps collected data is encrypted, it appears Path is storing the actual information so all of your contacts are now online.
Dave Morin, Co-Founder and CEO of Path, was quick to respond in the comments of Thampi's post.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
When asked why an opt-in for them to collect your data wasn't included from the very beginning, Morin responded that it was industry best practice.
The App Store guidelines do not specifically discuss contact information. However we believe users need further transparency on how this works, so we've been proactively addressing this...We fundamentally believe that you as a user should always have control over your information and data and you can always email our service team and we will remove anything you'd like from our servers.
It is good to see such openness in response but it's a naive one. Apple's app store guidelines states "Apps cannot transmit data about a user without obtaining the user's prior permission." To further believe that this will all be solved in the reply section of a blog means thousands of people's details may continue to be collected before the new app roles out. The only cravat is you can email Path on firstname.lastname@example.org and have your data (as well as your entire account) deleted.
Path may have always been a bit tricky when it comes to 'contacts.' The last version's UX made Facebook friends look like they were on Path so you would share. If this latest finding is any indication, they weren't and ghost profiles may have been created when you signed up.
Users have already been requesting their accounts to be deleted and data purged with proof but have yet to have a reply.
Ilicco Elia, Head of Mobile at LBi, doesn't think this is good enough.
I think they should delete all the data immediately but they will try to play it down. I shouldn't have to email to ask them to delete data they took without my knowledge.
I can understand companies innocently trying to make things easy for users, but what would happen if they were hacked and someone got access to my complete address book. People store personal notes in there.
I read "they are planning to hash the data" i.e. encrypt it which leads me to believe it is currently unencrypted on their server. And that to me is unacceptable. On my phone my information is protected behind a pin. On their server it is not.
Google’s use of private data has been under scrutiny in the US for years and Facebook, with their "run fast and break things" model, has equally played fast and loose with users data. But both have been brought to task in the past and the US and Europe is already looking to tighten laws around tracking users online. With such big players being called out over privacy issues, why did Path not protect itself and its users from this?
With the rise of mobile and m-commerce, what are the lessons for marketers and developers when considering future projects?
"Just because you know that you wouldn't 'do anything bad' with the data doesn't mean you are free to use it," continued Elia. "And if you must store my data on your server it had better be securely stored & encrypted because no matter how slowly you drive your car, there are always other people on the road who are reckless drivers i.e. you could get hacked and lose my info, through no fault of my own."
What do you think Path should do? Will they lose their growing user base due to this gaff so early in the game?
We have emailed Path with further questions but are still waiting for a reply or an official press release. Perhaps they are too busy deleting accounts.
UPDATE: Dave Morin has released an official apology and Path have deleted all the stored data they held. The updated apps are rolling out so you can opt-in (or out) of sharing your details.
*This image is entirely from the imagination of Kosso K