clock menu more-arrow no yes

Filed under:

Path iOS app uploads your entire address book to its servers

New, 71 comments

Journal app Path has confirmed that it uploads entire user address books to its central servers, often without notifying users. The company says it only uses the information to help users connect to friends and family, and will put greater transparency in place in the coming weeks.

Path iPhone
Path iPhone

When developer Arun Thampi started looking for a way to port photo and journaling software Path to Mac OS X, he noticed some curious data being sent from the Path iPhone app to the company's servers. Looking closer, he realized that the app was actually collecting his entire address book — including full names, email addresses, and phone numbers — and uploading it to the central Path service. What's more, the app hadn't notified him that it would be collecting the information.

Path CEO Dave Morin responded quickly with an apology, saying that "we upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more." He also said that the lack of opt-in was an iOS-specific problem that would be fixed by the end of the week. Looking at the Android app, it does warn you that the app will pull contact information, although you still can't install without giving Path carte blanche to use the address book. Users can email in order to have information deleted from the servers, but since this issue has come up before with no apparent impact, we're not sure how much app-wide change we'll see.

Thampi doesn't think Path is doing anything untoward with the data, and many users don't have a problem with Path keeping some record of address book contacts. However, as one commenter pointed out, it would be possible for the app to create a hash of names or contact information, then upload it to the servers and use that information for matching purposes — the necessary data would still be there, but not in a form that's identifiable as names or addresses. We doubt there's any conspiracy or ill intention involved here, but we hope Path will make good on its promise for increased transparency and security in the future.