iPhone App Path Uploads User Contact Lists to Servers [Update]

[Update: Path cofounder and CEO Dave Morin has issued an apology to customers for the way his company handled personal information and said that its entire collection of such data has been deleted.

We made a mistake. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts. […]So, as a clear signal of our commitment to your privacy, we’ve deleted the entire collection of user uploaded contact information from our servers.

The company also noted that Path 2.0.6  (see below for more information) has been cleared and is on the App Store now. The new version asks permission before accessing your Address Book.

Path, a unique social networking app for iOS and Android that allows users to share many aspects of their daily lives with others, has recently been revealed to be sharing even more: the user’s contacts list with Path’s servers.

Artist's Rendition of Path Snaking Your Address Book

Artist’s Rendition of Path Snaking Your Address Book

First discovered by Arun Thampi, a Ruby and iOS developer based in Singapore, it appears that the current version of the Path app, 2.0.5, installed on an iOS device will take the contents of a user’s address book, including full names, emails, and phone numbers, place that information in a plist file, and upload it to Path’s servers.

Since Mr. Thampi’s discovery, word has traveled fast around the web, prompting Path Co-Founder and CEO Dave Morin to issue a direct response:

Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently [sic] as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval. 

While both Mr. Thampi and Mr. Morin note that there was no nefarious intent, the situation has raised concerns about Apple’s app submission policies and whether this type of uninformed data gathering will be allowed to continue. For now, removing path from your iOS device is the only way to prevent your contact list from being uploaded to Path, at least until version 2.0.6 hits the App Store.

As noted in the update above, the new version is available now.