We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Mobile Social Network Caught Uploading Users' Address Books

Path, the smartphone-based social network, said the practice helps users find and connect to their friends and family

Users and critics are upset with Path, the smartphone-based social network, after a developer discovered that Path was uploading users’ entire address books to its servers without explicit consent.

Singapore-based iOS developer Arun Thampi made the discovery while attempting to create a Path desktop companion app during a hackathon sponsored by his employer. "I noticed that my entire address book (including full names, e-mails and phone numbers) was being sent as a plist [property list] to Path," Thampi said in a blog post. "Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result -- my address book was in Path’s hands."

Path cofounder and chief executive Dave Morin responded in the comments of Thampi's blog post, admitting that yes, Path does indeed upload your entire address book to its servers. "We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently," Morin said. "As well as to notify them when friends and family join Path. Nothing more."

But others soon took Morin to task for uploading a user's address book without that person’s consent. Scotland-based iOS developer Matt Gemmell asked Morin why the company didn't obscure the data by uploading it as hashed data, and why Path didn't require users to opt-in before grabbing their contacts. A hash would turn plain text information, such as an e-mail address, into a shorter unique identifier such as a number or a set of letters. Morin said Path would consider using hashes instead of complete contact information.

Morin also said that not requiring users to opt-in was currently the "best industry practice," but noted that the next version of Path's iOS app would notify users about the upload. Path version 2.0.6 is expected to hit the App Store in the next few days. Morin did not say how version 2.0.6 would handle notifying users about uploading contact data. The Android version of Path allows you to choose to scan your contacts for new connections; however, in my tests it was never made clear that your contacts were leaving your phone.

Path was launched in late 2010 as an alternative to massive social networks such as Facebook. Path limits the number of people you can connect to 150 and is designed to be private by default. "Path should be private by default. Forever," the service's About page says. "You should always be in control of your information and experience."

If you're a Path user and would like to have the service remove your data from its servers you can e-mail Path at [email protected]

Connect with Ian Paul (@ianpaul) on Twitter and Google+, and with Today@PCWorld on Twitter for the latest tech news and analysis.


IDG UK Sites

Samsung Galaxy S5 mini vs HTC One mini 2 comparison review: Design and price beats additional...

IDG UK Sites

Why local multiplayer gaming is rapidly vanishing: we look at the demise of split-screen and LAN...

IDG UK Sites

Colour-depth not resolution is what will make 4K a success or failure

IDG UK Sites

iPhone 6 vs iPhone 6 Plus: Which new iPhone 6 model should I buy?