Wow. I hope this isn't true!
+Dave Morin
Path uploads your entire iPhone address book to its servers. 8 Feb 2012 – Singapore. It all started innocently enough. I was thinking of implementing a Path Mac OS X app as part of our regularly sched...
106 comments
 
That would be pretty serious if it turns out to be true.
 
It is true.. The CEO already commented on it.
 
Yes, it's true. Check Dave Morin's Comments on the post!
 
Anybody interested in this story should read the comments of the article where Dave Morin (CEO of Path) addresses the concerns laid out in the article proper. They're definitely aware of this (whether they take the right steps to resolve it or not is a separate issue).
 
Well, I think that they are young enough to say that that was a mistake, but they need to fix this if it is true.
 
He says right in the comments that it is indeed true.
 
It's true (see his comments on the post).
 
Oh it's true and they are not hiding it one bit.
 
if true, would it be considered iOS malware?
 
This is a little known fact, but every single iOS app you have ever installed has full read and write access to your entire address book. Names, email addresses, phone numbers, birthdays, the whole lot.

The user is not required to give an application permission to access this information. It is accessible for all apps, the same way accessing the internet is. So that means every app you've ever installed is capable of uploading your entire address book to a server without your knowledge or consent.

Apple should display a "Do you give permission for Path to access your contacts" alert dialog the same way they do when an application requests a user's GPS location, but they don't.

Path did the wrong thing here by not making this opt-in, but they are taking steps to fix that. But Apple should also fix this alarming privacy issue at an OS level.
 
+Chris Lacy That doesn't make it right. At the very least the app should warn you, and the fact that Path does it in plain text is a real problem.
 
plaintext ftw :) android app at least states it needs access to that information.
 
+Robert Avona Did you read my full comment? I most certainly never said Path were doing the right thing here. I was illustrating that I personally find it more concerning that all iOS apps have access to your contacts in the first place rather than the behaviour of a single app.
 
Eeek, while I don't really care who has my info, there are those in my address book who do and gave me their number in confidence that I would not be sharing it. In the comments, Dave Morin failed to answer an early question of why do they need all of the address book info if they are only using email for matching.
 
Perhaps users should be able to view access transaction logs to judge each application for themselves?
 
Just like WhatsApp for Android (and presumably also iOS) does?
 
I had a look at Path (on Android). It seems pretty pointless and feature-light, ditto Pinterest. Too many social apps, not enough actual use for them all.
 
+Christopher Orr on android, whatsapp/path request and state the permission for reading/writing contact data... that's a different story.
 
At least Android shows you the permissions for each app.
 
I'm happy this can't happen to me on Android, since I don't install apps that want access to my address book if there's no point to it. Android > iOS
 
Facebook has been doing this for 2+ years with the mobile app. But here, "omg it's Path"!
Like everybody just accepted the fact that Facebook owns your contacts' info, and doesn't give a sh*t anymore. That's pretty funny (and scary).
 
According to the comments it seems true enough ... it's also being defended as acceptable (on the basis that it's not explicitly prohibited).

There are many ways to do things with contact information while keeping it all anonymous and not uploading it verbatim to servers (uploading hashes, fuzzing and anonymizing data etc...). The trouble is that these days it's easy to just say 'we need access to your contacts' and assume that people will just click through.

Is there even an API that permits some degree of anonymous access to your contacts? Probably not, after all that's way harder to define than just letting devs ask for verbatim permission.

For me this is a huge issue with Android apps (I don't use iOS but I'm sure they have the same problem). I will not install an app that needs suspicious permissions (network + contact access is almost a guaranteed no-no for me for a 3rd party app). This means I miss out on a bunch of apps that are probably harmless.

How about offering developers the chance to specify both optional and required permissions? Ie, this application needs access to the network but would additionally like access to your contacts.

If you give access to your contacts, so be it, but if you deny contact access then the app can query that and react accordingly (disable some features). If it tries to access the contact list, rather than crash/fail it would just see a dummy empty contact list.

You could have dummy services that drop in to replace the real ones when permission isn't there (contacts, gps, camera etc...). Then existing apps wouldn't even need to change, they would just stop seeing the real data if I didn't give permission (you might start by withholding permissions to try out the app and give permissions later if you decide that the feature you want is worth the 'risk' of letting the developers have access to your data).
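
An added example, not part of the comment above and not Path's code: a sketch of the "uploading hashes" idea mentioned in this thread, where the client reduces the address book to digests of normalized e-mail addresses and the server matches them against members' digests. The contact records, member IDs and function names are constructed for illustration; note that unsalted digests of e-mail addresses can be recovered by hashing guessed addresses, so this limits what is uploaded rather than making it anonymous.

```python
import hashlib
import unicodedata

# Constructed sample data (not real contacts or accounts).
ADDRESS_BOOK = [
    {"name": "Alice Example", "emails": ["Alice@Example.com ", "alice@example.com"],
     "phones": ["+1 555 0100"], "birthday": "1980-01-01"},
    {"name": "Bob Example", "emails": ["bob@example.org"], "phones": ["+1 555 0101"]},
    {"name": "No Mail", "emails": ["not-an-address"], "phones": ["+1 555 0102"]},
]
MEMBERS = {"u1": "alice@example.com", "u2": "carol@example.net"}


def normalize_email(raw):
    """Canonical form so client and server hash identical bytes; None if not an address."""
    email = unicodedata.normalize("NFKC", raw).strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return email


def email_digest(email):
    """SHA-256 hex digest of an already normalized address."""
    return hashlib.sha256(email.encode("utf-8")).hexdigest()


def build_upload(address_book):
    """Client side: only e-mail digests leave the device.
    Names, phone numbers and birthdays are never read into the payload."""
    digests = set()
    for contact in address_book:
        for raw in contact.get("emails", []):
            email = normalize_email(raw)
            if email is not None:
                digests.add(email_digest(email))
    return sorted(digests)


def match_members(uploaded_digests, members):
    """Server side: return IDs of members whose e-mail digest was uploaded."""
    index = {}
    for member_id, raw in members.items():
        email = normalize_email(raw)
        if email is not None:
            index[email_digest(email)] = member_id
    return sorted(index[d] for d in uploaded_digests if d in index)


if __name__ == "__main__":
    payload = build_upload(ADDRESS_BOOK)
    print(len(payload), "digests uploaded; matched members:", match_members(payload, MEMBERS))
```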
 
+Goran Petrović Yes, these permissions are stated upfront. But the issue is that the entire address book is being uploaded without consent. That goes against expectations.

These very common (or pre-installed) apps all have both the READ_CONTACTS and INTERNET permissions:
• Google Docs
• Google Mail
• Google Maps
• Google Plus
• Google Voice Search
• Barcode Reader
• Facebook
• Twitter

I do not expect any of these to upload my entire address book, just like folk don't expect Path or WhatsApp to do so. But they could, at any time.
Boycotting anything with those two permissions just isn't a particularly feasible solution if you want your phone to be useful. So overall Android isn't much better off than iOS in this situation.
 
The comments under the article Vic posted are a great read. Not going well for Path.
 
+David Beaumont True, but I bet you have at least one of the apps installed that I mention above.

There are some bugs in the Android issue tracker for either revoking permissions or developers marking permissions as optional / providing explanatory text, but these have been unfortunately closed or ignored.
 
+Vic Gundotra trying to shed a bit of bad light on Path Vic?? It's an amazing app and I'm sure 'although they are wrong for taking personal info' Path will clear all this up and amend. I wish Google+ was more like path. 
 
Arrrgh! I am getting really tired of hearing "Oops, we are proactively addressing it " in reference to events already in the past. You can only proactively address the coming PR crap storm.
 
Derek you are out of your mind brother...Vic is not shedding bad light on anything-just spreading the truth...there has never been a need to keep the light of truth to be shed on anything good-only on things that may not be...here ends the lesson my friend...peace to you..//
 
Big money in selling user data at any level, and storing it too. Ask me why and you won't like the answer :)
 
+mel gerben I know he's not in a devious way. Pinch of salt.
But I do bet google would love to own that app. 
 
Yes Derek, Google would love to own that app amongst others lol. Oops, my inner monolog program just shut down, rebooting comment.
 
+Christopher Orr I have the Google ones installed, because as a long time Google user I trust them with my data. As for Twitter and Facebook, no. Remember it's not just whether you trust the devs with your data, it's whether you trust them to be competent with your data and not be hacked etc... And of course if a startup is bought out by someone big who you don't trust, what then of your data?
 
Apple needs to step up and warn about apps that need contact access like Android does.
 
It's good that they're being 'proactive' about resolving it, but really, they knew exactly what they were doing and are just trying to do some damage control now that they've been called out on it. I don't understand how any developer working with social apps can be unaware of the internet privacy concerns that we hear about every single day.
 
Sadly it is ...though for Android users it is an opt-in
 
+Derek J Robinson You're not completely right...in fact +Vic Gundotra doesn't want to shed a bad light on Path but on the iPhone... :)
And I'm sure he does want that Path issue to be true...
But it's completely fair, he works for Google...isn't it?! ;)
 
I don't get it. Path is another variation of a social network.
If you're not comfortable with it/them accessing your social information i.e. contacts, why install it in the first place??
Bunch of drama queens if you ask me.
The same lot of you post pictures of your kids, your workplace, your nights out on the town, etc. Not to mention posting status updates of where you are at any given time. How does Path having access to you or your friends' email addresses put you or them at any greater risk?
They already have an opt out choice, it's called never installing it in the first place!
Move along now. I think M.I.A. just flipped the bird again.
 
+Mark Garrett Personally, I'd like to live in a world where installing a social app != having all of my phone contacts stored in a company's db without my permission, but maybe I'm being a little optimistic. Maybe privacy is just a lost cause.
 
Wow, thank for posting this. Yes, there are some good comments over there. If you are an app developer, take notes.
Kosso
 
They say forgiveness is easier to ask for than permission. Not in this case.
 
This is just about upfront disclosure (#FAIL). The CEO posts they are aware of this problem and tries to say it's ok in the App Store terms? Really? "We're aware you might be unhappy that our app is stealing your info, but Apple said it's ok." This is just like Curebit stealing from 37signals and trying to say "it's ok, nothing to see here." +Christina Kelly not sure how you rationalize this.
 
+Jonathan Dagle Kind of like Apple's attitude toward its use of Chinese factories. "Well they said we could treat them like that"
 
+Kosso K At least on Android they had to ask for permission. Which is why they decided they'd better come clean about it and ask for an opt-in.
 
Says the guy working for Google the company who runs gmail and has access to way more email addresses and private emails than anyone should ... #potmeetkettle
 
Vic, tomorrow i will represent the ethics of big G and defend my home market from misconception....by the way wasn't that campaign from the farms boys in dumas amazing..:)...take care brother
 
hope it's not true...
 
Don't most smart phones upload that data to some server? Question is, what they do with it?
 
Almost as bad as Hi5 and other social networks a few years back that auto invited/spammed your whole address book without asking for permission. I'm a bit giving on the email addresses for them to know which one of my contacts joined Path, but why the phone numbers, full name, etc.
 
I am Android through & through (never had an iPhone) although tbh I must admit (as well as quite a few people I know) I have similar concerns with Android. Every time I download an app I seem to have to agree that they can read my phone's details. Stuff that they really shouldn't need, like downloading your contact list and numbers, calendar events, and many more! Does anybody within Google check what new Android apps are allowed/should be able to access?
 
Simon, I assume Path does it on Android phones too. I have Path on my Samsung Nexus, so I'm a bit concerned/annoyed. The data suck is probably worse since the Android address book is synced with my Gmail, which is far bigger than my address book when I had an iPhone.
 
Trustable Product Designers needed or the door opens to European Criminal Court of Justice privacy legislation
 
Hah! You think that's bad?! Try facebook! They own all your contacts. But me, nah! not a user of both ...
 
It's a great app. I wish the G+ interface was as smooth and beautiful as the PATH's. +Vic Gundotra you guys could learn something off these boys, just like they learnt mining data off you guys. #potmeetkettle
 
And I was thinking every iOS app runs in its own sandbox and can't access the system services. This app should be a malware then though I liked it so much.
 
+Chris Lacy When I started using Android I thought about that because it showed the permissions in the market before you downloaded an app.

Idc what anyone says... this is a catastrophe and Apple never cared... It's one thing after another.
 
I don't think so, as there's also an iphone app for google plus, further in these days some sort of agreements between google and apple are popping out... You fanboy.
 
+Vic Gundotra it's true for sure!! FB does it for iPhone and Android both. If you create a new FB account, and access it from iPhone/Android, you'll get to see friend suggestions directly picked up from your contacts.
 
Facebook for Android did the same without asking when enabling contact sync. Not sure if they've made that more clear now.
 
its good news but for buying something good news its very expensive about the price thank for this news Vic Gundotra nice to knew u ok
 
And they always claim that "Apple is more secure"... The fanboys are going to deny this no matter what happens. :\ Sadly I wish they'd stop fucking each other's asses and realize that they wasted so much money when they buy their shiny iDevices... as I type this out on a $300 laptop that has lasted me for 2 years of heavy use.
 
<tongue-in-cheek>Matching friends based on hashed emails is probably patented. I am sure they did not have a choice!</tongue-in-cheek>
 
What does Vtok do with our Gmail contacts? What about Whatsapp? How can users even tell? :-(
 
+Chris Lacy Any documents online to support your talk of iOS apps having full access to address book?
 
If you are all so worried, stop using smart phones. If you don't understand it, don't use it or at least don't complain. Every app tells you what permissions it needs and/or has a privacy statement. Do you read it or just click through so you can hurry up and use the app?
 
@Cris This is the point! In the Apple iOS App Store you don't need to tell the installer you are accessing the address book and Path didn't. So the user was never told. This isn't about storing your info online it's about not knowing the information was being taken without consent.
 
I don't install android apps if they ask for permissions that I do not want to grant.
 
Thanks for posting this info +Vic Gundotra I read it here first then saw the story on several major news sites later. +1 for G+!
 
By the way the intelligent use of entitlements seems the right solution for this problem.
 
Well, Android is much better: all address books are already on Google's servers, no need to bother uploading it :)
 
That's why I never put any important info pertaining to me in real life on the internet.
 
+Vic Gundotra Bad news for all "Path" users, indeed. Don't get me wrong. Hopefully, Google, as a company that has a huge variety of applications which are linked among each other, keeps track of all these developments. I don't want to wake up in a few months realizing that not everyone at Google is a "good" guy or some databases "accidentally" leak. ;)
 
Amateurs...no sense of what could be "wrong" or maybe just ignoring it to make a few bucks...
 
+Mark Garrett If I share a photo of my kids with my friends, that's my choice. If my dad's address, phone number, employer, and birthday are taken from my address book without his knowledge or consent that is a violation of his privacy and trust. He's not on any social network site. And what if he were? Just because he has a relationship with me does not mean he should expect information he did not share to become public. Identifying someone as a contact does not give permission to anyone to use all the data I have about that person. You assume that all my contacts are on equal footing, that they are all active on social networks, that they all know everything about each other, and that they all share everything with each other. None of these things is true.
 
+M Sinclair Stevens You're just making silly assumptions that simply aren't true.
No one's information is being made public. Accessing your contacts to make it easier for you to connect with them through the app's interface is standard practice and has been done to you many times already. It only becomes a problem if that information is used for purposes other than stated. Is there a better way for them to do it? Apparently so, as a few posters have suggested, and guess what, the powers-that-be at Path have responded positively and promptly to those ideas and are making changes to improve their product and their trust. I don't know what more can be expected. This has been completely blown out of proportion and my point was that if you're soooo worried about you or your dad's privacy you probably shouldn't be using social networks in the first place.
 
Oh, and by the way, I'm a complete Google sycophant, however, for Vic Gundotra to cry foul for Path accessing members' contact information is absolutely hilarious! Pot, meet kettle.
 
lol Vic... I love you, but this kind of post is not made for you :)
 
+Mark Garrett There is a difference between accessing my Address book (with my permission) and uploading its contents to your server. (And, yes, I'm aware and satisfied with Path's response that they deleted the information.)

As for privacy, you are missing the point completely. It's incredible that your response is that I shouldn't use social networks. The issue is that the people in my address book who do not use social networks are the ones being harmed. They can't control whether or not I use a social network and unwittingly exposed them.

You may be a quitter but I'm not going to sulk and go home if something is wrong. I'm going to work to improve it.
 
Anyone who thinks there are no Android apps that do that without your consent is deluding themselves!