Developer Arun Thumpi was building a Mac app for the social network Path when he discovered something startling. The Path app for iOS was phoning home with the contents of his address book. This was done without his knowledge or consent.
He parsed the API calls Path made to its servers and discovered a POST request to https://api.path.com/3/contacts/add. This not-so-benign call added not just one or two contacts, but his entire address book to Path’s servers. He details how he discovered this background comunication using the metmproxy tool in his blog post.
It didn’t take long for this post to catch the attention of Path co-founder and CEO Dave Morin who responded,
Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
Dave Morin
Co-Founder and CEO of Path
From Morin’s statement, it’s obvious this was not done maliciously and was likely an oversight by the up and coming social network. Nonetheless, it still brings up the sticky issue of who has the right to access your personal data. By installing the Path app, which is used for sharing information, do you give up the rights to your address book? Or does Path have an obligation to include an opt-in feature and ask you before it starts to siphon off your information? Sound off in the comments with your reactions.
[Via Arun Thumpi]