IDG News Service >
 

Mobile Social Network Caught Uploading Users' Address Books

o Ian Paul
08.02.2012 kl 14:46 | PC World (US)

Users and critics are upset with Path, the smartphone-based social network, after a developer discovered that Path was uploading users’ entire address books to its servers without explicit consent.

 

Users and critics are upset with Path, the smartphone-based social network, after a developer discovered that Path was uploading users’ entire address books to its servers without explicit consent.

Singapore-based iOS developer Arun Thampi made the discovery while attempting to create a Path desktop companion app during a hackathon sponsored by his employer. "I noticed that my entire address book (including full names, e-mails and phone numbers) was being sent as a plist [property list] to Path," Thampi said in a blog post. "Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result -- my address book was in Path’s hands."

Path cofounder and chief executive Dave Morin responded in the comments of Thampi's blog post, admitting that yes, Path does indeed upload your entire address book to its servers. "We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently," Morin said. "As well as to notify them when friends and family join Path. Nothing more."

But others soon took Morin to task for uploading a user's address book without that person’s consent. Scotland-based iOS developer Matt Gemmell asked Morin why the company didn't obscure the data by uploading it as hashed data, and why Path didn't require users to opt-in before grabbing their contacts. A hash would turn plain text information, such as an e-mail address, into a shorter unique identifier such as a number or a set of letters. Morin said Path would consider using hashes instead of complete contact information.

Morin also said that not requiring users to opt-in was currently the "best industry practice," but noted that the next version of Path's iOS app would notify users about the upload. Path version 2.0.6 is expected to hit the App Store in the next few days. Morin did not say how version 2.0.6 would handle notifying users about uploading contact data. The Android version of Path allows you to choose to scan your contacts for new connections; however, in my tests it was never made clear that your contacts were leaving your phone.

Path was launched in late 2010 as an alternative to massive social networks such as Facebook. Path limits the number of people you can connect to 150 and is designed to be private by default. "Path should be private by default. Forever," the service's About page says. "You should always be in control of your information and experience."

If you're a Path user and would like to have the service remove your data from its servers you can e-mail Path at service@path.com.

Connect with Ian Paul (@ianpaul) on Twitter and Google+, and with Today@PCWorld on Twitter for the latest tech news and analysis.

Keywords: Telecommunication  Internet  Consumer Electronics  
Latest news from IDG News Service

Copyright 2009 IDG Magazines Norge AS. All rights reserved

Postboks 9090 Grønland - 0133 OSLO / Telefon 22053000

Ansvarlig redaktør Henning Meese / Utviklingsansvarlig Ulf Helland / Salgsdirektør Tore Harald Pettersen