
Path uploads your entire iPhone address book to its servers - iamclovin
http://mclov.in/2012/02/08/path-uploads-your-entire-address-book-to-their-servers.html
======
pclark
I find it mind blowing that (in the comments of the blog post) someone asked
the Path CEO:

> Why wasn't this [sending all the contacts to your servers without users
> knowing] an opt-in situation to begin with? Isn't that against Apple's own
> T&Cs?

and the Path CEO replied:

> This is currently the industry best practice and the App Store guidelines do
> not specifically discuss contact information. However, as mentioned, we
> believe users need further transparency on how this works, so we've been
> proactively addressing this.

Really guys? REALLY? This is why developers need explicit guidelines, because
as they just demonstrated if there are no guidelines companies default to the
thing that exploits the end user! (incidentally, it's unfair to pick on Path
too much as almost all social networking applications do exactly this also.)

I actually cringed when I read this _"however, as mentioned, we believe users
need further transparency on how this works"_... which is why it took someone
_running a proxy and writing a blog post_ for you to suddenly be transparent
about it. Mind blowing. Why even say that?

Btw, times like this? You destroy any and all credibility when you say you are
trying to build a company that is built to last or one that is going to follow
in the footsteps of Apple.

Apple would never do this to their users.

(do not make this a discussion about the evil and good sides of Apple. Apple
has repeatedly not bowed to companies' desires for owning contact information
and I expect they will fix this contact hole in the near future.)

It's sad because I respect Path and their love of design. But design isn't
just about how it looks. It needs to resonate through the entire vision,
company, product, and how you treat people.

~~~
steve8918
Wait: What about MY INFORMATION if I've never installed Path? If someone I
know with my contact information installs Path, does that mean that my
information is stored on their servers?

How can I remove my information if I've never installed Path before? It
doesn't seem right that my contact information, which I have kept private,
because someone I know has uploaded that information. Do I not have a right to
keep that information private?

This would make Path and other companies that upload the entire contacts
database the prime candidate for hackers and government agencies that want
non-Facebook information about people, given a name, phone number or email
address.

~~~
polemic
Clearly there are a lot of WTFs going on at Path, but this isn't one of them.

> Do I not have a right to keep that information private?

But you didn't. You gave it to someone else. It's not your information any
more.

Information _about_ you is not information you _own_.

Privacy and anti-spam laws in various jurisdictions cover what an organisation
can do with information they collect about private individuals, but that has
nothing to do with ownership.

~~~
hessenwolf
In the EU, the third party would be using personal data for other than the
reason it was collected, so it is illegal.

------
danso
Dave Morin, Path's CEO just responded in a comment:
[http://mclov.in/2012/02/08/path-uploads-your-entire-address-...](http://mclov.in/2012/02/08/path-uploads-your-entire-address-book-to-their-servers.html#comment-432202082)

> _Arun, thanks for pointing this out. We actually think this is an important
> conversation and take this very seriously. We upload the address book to our
> servers in order to help the user find and connect to their friends and
> family on Path quickly and efficiently as well as to notify them when
> friends and family join Path. Nothing more._

> _We believe that this type of friend finding & matching is important to the
> industry and that it is important that users clearly understand it, so we
> proactively rolled out an opt-in for this on our Android client a few weeks
> ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client,
> pending App Store approval._

edit: Morin responds to a response [http://mclov.in/2012/02/08/path-uploads-your-entire-address-...](http://mclov.in/2012/02/08/path-uploads-your-entire-address-book-to-their-servers.html#comment-432242293)

To the suggestion that they just hash the addressbook entries:

> _1\. This is a good alternative solution which we'll look into. Thanks for
> the idea._

~~~
feralchimp
> we proactively rolled out an opt-in for this on our Android client a few
> weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client,
> pending App Store approval.

"Proactively?" How do you get into the Social Networking business and not see
this issue coming before the first line of code is written?

[re: hashing]

> This is a good alternative solution which we'll look into. Thanks for the
> idea.

Again, no. That no competent system design talent/time was dedicated to this
process is a damning critique of your organization's ability to be trusted to
safeguard user data.

~~~
rhizome
I think the simplest explanation is that he's playing dumb.

~~~
rmc
He almost certainly is either playing dumb or is dumb. If you're not dumb, you
have to play dumb, because otherwise you'll be crucified.

~~~
eob
Playing dumb. Hashing the information is such an obvious choice, there's
really no plausible explanation for the developers to have not considered it.
They probably just figured "everyone else is doing this so what's the harm?"

~~~
rhizome
It's been a long time since Plaxo.

------
corywatilo
This is actually nothing new. A lot of apps have been doing this for a very
long time. However, it _is_ one of the best kept secrets in our space. I kind
of have a feeling no one talks about it because they don't want word to get
out. Can you imagine the scandal if this made it on the front page of CNN or
Drudge?

Ever since I learned this was possible, I've been very careful about which
apps I download, and actually have downloaded very few since, as a result.
There are a lot of random iPhone developers that I really don't think need to
have access to my entire contact list.

~~~
dsplittgerber
Which apps do that? Do you have a list? Can anything be done about the data
after-the-fact?

~~~
frederickcook
Facebook, Foursquare, Twitter, basically any app that allows you to "search my
address book for friends" will do this.

All these services require either a email or phone number to sign up, so to
search for friends who have also signed up for the service, you need to
compare two data sets: emails or phone numbers of users you already have, and
those in the person's address book.

You obviously wouldn't download your entire database of users' contact
information to the phone to compare the data sets, so you send the data set up
to the server.

~~~
masonlee
The addresses from the user's address book should be hashed before sending to
the server and compared to hashed addresses on the server. Then only positive
matches are registered, and the server doesn't see more private information
than it needs.

~~~
azov
Hashing data from address book doesn't work because people write the same
addresses and even phone numbers in many different ways. Normalizing it on the
client is not really an option either because it requires a lot of data to do
decent normalization - not practical to send it all to each client.

~~~
masonlee
Phone numbers are easy to canonicalize: convert to international form.

Email addresses can be effectively canonicalized by lower casing. Not many
mail servers are case sensitive these days. Additionally, for the local part,
you can generally strip off anything after a "+", and with gmail, you can drop
any period in the local part. (Granted, it's not perfect-- so make sure that's
not a security concern.)

These techniques have been working fine so far in my app for my "Find My
Friends" feature.
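
The matching flow discussed in this sub-thread (canonicalize on the client, upload only digests, let the server report matches), as an added example that is not code from any poster or from Path. The function names, the `+1` default country code and the sample contacts are assumptions made for illustration.

```python
import hashlib
import re


def canonical_email(raw):
    """Lower-case; drop a '+tag' from the local part; drop dots for gmail.com."""
    addr = raw.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    local = local.split("+", 1)[0]
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}" if local and domain else None


def canonical_phone(raw, default_cc="1", national_len=10):
    """Convert to international form: '+' followed by digits only.

    Assumption: a number written without a country prefix belongs to
    default_cc and has national_len digits (true for NANP numbers).
    """
    text = raw.strip()
    digits = re.sub(r"\D", "", text)
    if text.startswith("+"):
        pass                                  # already international
    elif digits.startswith("00"):
        digits = digits[2:]                   # 00 international dialling prefix
    elif len(digits) == national_len:
        digits = default_cc + digits          # bare national number
    elif not (digits.startswith(default_cc)
              and len(digits) == len(default_cc) + national_len):
        return None                           # cannot place it; skip the entry
    return "+" + digits if 8 <= len(digits) <= 15 else None


def contact_digest(kind, canonical):
    """SHA-256 over a kind-tagged canonical identifier."""
    return hashlib.sha256(f"{kind}:{canonical}".encode("utf-8")).hexdigest()


def client_digests(address_book):
    """Client side: map digest -> contact name. Only the keys are uploaded."""
    digests = {}
    for entry in address_book:
        for kind, field, canon in (("email", "emails", canonical_email),
                                   ("phone", "phones", canonical_phone)):
            for raw in entry.get(field, []):
                value = canon(raw)
                if value is not None:
                    digests[contact_digest(kind, value)] = entry["name"]
    return digests


def server_index(registered):
    """Server side: digest -> user id, from the identifiers users signed up with."""
    index = {}
    for user_id, kind, raw in registered:
        canon = canonical_email if kind == "email" else canonical_phone
        value = canon(raw)
        if value is not None:
            index[contact_digest(kind, value)] = user_id
    return index


def server_match(uploaded, index):
    """Server side: answer with the digests that belong to registered users."""
    return [d for d in uploaded if d in index]


def find_friends(address_book, registered):
    """Run the whole exchange and return the names of contacts on the service."""
    local = client_digests(address_book)
    matched = server_match(list(local), server_index(registered))
    return sorted({local[d] for d in matched})


# Constructed sample data (not from the thread).
ADDRESS_BOOK = [
    {"name": "Alice", "emails": ["A.Lice+path@Gmail.com"],
     "phones": ["(415) 555-0132"]},
    {"name": "Bob", "phones": ["0044 20 7946 0958"]},
    {"name": "Carol", "emails": ["carol@example.org"]},
]
REGISTERED = [
    ("u1", "email", "alice@gmail.com"),
    ("u2", "phone", "+44 20 7946 0958"),
]

if __name__ == "__main__":
    print(find_friends(ADDRESS_BOOK, REGISTERED))
```

The server still receives a digest for every contact, matched or not, so this narrows what it sees rather than removing it.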

------
trotsky
Honest question: Isn't this within the kind of behavior that AppStore reviews
are supposed to prevent, at least if there isn't an app specific functional
explanation for it? Does Apple have a list of what kind of behavior like this
is tolerated or does word just get out about what they don't reject?

~~~
0x0
Well, since you only ever submit the compiled application binary to
Apple, it'd be pretty darn hard for them to detect behaviour like this.
Especially if the code to do so is obfuscated, and/or the data is smuggled out
via SSL (or worse, steganography-style piggy-backed on to other data).

Sometimes it's tempting to speculate whether the real purpose of the app store
review team is just to ensure developers aren't trying to access Private
Frameworks (i.e. non-public APIs) or try to upsell the customer while
bypassing the 30% Apple tax?

~~~
jasongullickson
Pulling contact data requires API calls that can be detected in the compiled
binary (this is one way that Apple detects calls to unpublished APIs).

That said, it's humorous how a blatant abuse of trust such as this gets
through unscathed but god help you if you try to access the iPod library the
wrong way!

~~~
0x0
Well, the app could have legitimate reasons for linking to the required API
(such as pretending to only use it after obtaining user confirmation), but
then you could add additional obfuscated calls to the same API without
prompting the user. So that wouldn't really help.

~~~
jasongullickson
Perhaps, however when calls like this are noted additional scrutiny of the
application could be applied to ensure they are not abused (such as using a
proxy in the way described by the parent).

There are other actions allowed by the SDK that seem to have little non-
nefarious use, such as the ability to hide the fact that an application is
transmitting and receiving data (the network "spinner" can be disabled by the
application); as others have mentioned it's interesting which API calls
require authorization from the user while others do not.

------
greyman
I begin to understand what Richard Stallman has been saying all those years.
Although I don't like the guy on the personal level, this incident makes him
completely right - running closed source software can compromise your rights.
(rights to privacy in this case).

I also want to thank the author of this post for discovering this! I wanted to try
Path some time ago, now I can safely avoid it without regret.

~~~
munin
open source software can collect exactly the same information on you.

there was a furor recently where it was revealed that OS X and Windows collect
data on what access points you have associated with. what was omitted was that
linux does exactly the same thing: the wireless subsystem has a debug print
(at a debug info level turned on in all major distributions) that will log the
MAC address of the AP you just associated with.

it's still there, afaik.

~~~
nl
I think I'm missing something.

You think people should be upset because a Linux computer knows the MAC
address of the AP you are associated with? If that is a problem, then imagine
what people will think when they realize that the computer knows what keys you
press on the keyboard (!!??)

There is only a problem if the operating system _shares_ information with 3rd
parties without authorization.

~~~
munin
the furor (at least, that I saw) was that the devices _stored_ this
information and would potentially let others look at it later.

it shouldn't be upsetting that your computer knows what keys you're pressing
or what network you are affiliating with. recording that information
permanently could be bad.

if you have an ubuntu laptop with wireless handy, run the following command:

    sudo grep AssocResp /var/log/syslog

------
nc
I think this is Apple's problem really. Path is just one of many apps that
probably do this without asking you.

Ideally the OS should prompt you if an app wants access to your address book,
just like it does for location.

~~~
ajross
Android apps must explicitly request a READ_CONTACTS permission. But even
there, no one actually reads those permissions lists, and apps routinely ask
for far more than they need. User authorization is a very weak security
mechanism in the consumer space.

~~~
Terretta
Like FB apps, even legit Android apps ask for the moon, with no option to dole
out granular permissions.

"The Weather Channel" is a default icon suggesting a free download on the
Kindle Fire.

It asks for:

    
    
        Set the wallpaper
        Send SMS messages
        Write to external storage
        Access info about Wi-Fi networks
        Access coarse location
        Initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed
        Write (but not read) calendar data
        Read calendar data
        Required to be able to access the camera device
        Open network sockets
        Access fine GPS location
        Access vibration feature
        Access info about networks
        Record audio
    

I haven't installed it, so I have no idea why it should be able to silently
dial out without my permission or send SMS messages.

If legit apps are demanding all this, then a Chinese weather app dialing those
toll numbers in the Caribbean could do the same.

~~~
mike-cardwell
FWIW, if you have a rooted Android phone, you can install an app called "LBE
Privacy Guard". It lets you install apps which require permission to send SMS,
make calls, read contacts, access the network and a bunch of other things, but
then prompts you when an app tries to do any of these things and lets you
block/allow it temporarily/permanently.

------
danilocampos
You'd think people would learn. I mean, this is the _original_ scandalous
practice in mobile apps. See this from _2008_ :

[http://gizmodo.com/5028459/aurora-feint-iphone-app-delisted-...](http://gizmodo.com/5028459/aurora-feint-iphone-app-delisted-for-lousy-security-practices)

------
pashields
I'm at a loss as to how this is surprising anyone. How did people think that
these apps found other users you know? This is built to support: A) finding
existing people on the service and B) so they can (theoretically) send you
notifications if a friend joins. If you want those features (and it seems that
users do), this is the only way to do it. Admittedly, most apps are more
explicit about it with a "find friends from address book," but if you want to
lower the friction as much as possible, this is the way to do it.

------
AlexMuir
So does Facebook, as shown 107 days ago, and continuing today.
<http://news.ycombinator.com/item?id=3145857>

~~~
eapen
Yeah, I've noticed that too. After my first sync with Yahoo! Address book
years ago, I ended up getting Facebook suggestions to people I didn't really
know but who were in my Yahoo! address book.

------
grappler
A few years ago, at a “Facebook developer garage” event, I personally asked
Dave Morin (Path Founder and CEO) a very similar question to the one in
today's news. At the time, he was in charge of the Facebook developer
platform, having not yet left Facebook to start his own social network. I
asked him about the amount and variety of information Facebook gave freely to
applications using their platform (there were far fewer privacy controls at
the time).

I also asked about whether and how Facebook intended to enforce their platform
terms of service, which essentially said apps could use such information
temporarily, but that they must discard it no later than 24 hours after a
user's most recent use of an application.

I remember that in answering those questions, he essentially said that his
preferred approach was not to try and make violations of those terms difficult
or impossible through technical means. His inclination was to give apps the
benefit of the doubt, and deal with troublemakers if and when issues arise. He
also relayed a story about his college days, in which he said that his study
of the workings of government was better preparation for his web career than
anything directly related to technology.

------
masonlee
One can fuel a lot of user engagement by scraping the address book and
notifying users every time one of their contacts signs up.

The "Beluga" app did this, without user permission or warning, and it boomed
ahead of competition that did not. "Kik" did something similar. "Industry best
practice" indeed.

Sadly, it's a winning strategy, and will continue to be until someone fixes
the rules of the game.

------
willdamas
Just a quick note to also point out, regarding this from the CEO: "if you'd
like your account deleted, including all data, we're happy to do this as
well."

I emailed to have my Path account deleted a few weeks ago and was told it had
been 'deactivated'. After querying this, it was confirmed that they did not
yet have the functionality to delete your data, only hide it. Worrying that he
said they can.

------
bri3d
This sounds like a wonderful Cydia / iOS Jailbreak app opportunity.
MobileSubstrate allows easily hooking system methods. An app which replaces
the Address Book API with something returning empty data for all non-system
apps seems pretty easy and quite urgent.

Morin and company need to provide an "opt-out and wipe all of my contact data
now" option if they don't want legal action and backlash, as well. Simply
making the app require opt-in to share this data in the future isn't nearly
enough (and, especially in the EU, isn't legal).

Update: I'm working on a MobileSubstrate tweak to neuter AB* functions in non-
Apple apps, and it's now possible to get your information wiped from Path...
by emailing service@path.com.

------
brudgers
From the Wikipedia entry
[<http://en.wikipedia.org/wiki/Path_%28social_network%29>]:

 _"Contacts are suggested from among persons in a user's electronic address
book, as well as people with whom the user is communicating by email."_

It's been there for over a year.
[http://en.wikipedia.org/w/index.php?title=Path_%28social_net...](http://en.wikipedia.org/w/index.php?title=Path_%28social_network%29&action=historysubmit&diff=475202633&oldid=404280654)

~~~
epaga
Though it's quite a difference whether the contacts are checked client-side or
all sent over to THEIR server including all (unnecessary) info.

~~~
phuff
How do you propose to check them client side? :) You still have to send each
contact over to the server...

~~~
epaga
As Matt Gemmell proposed: send over the hash codes of the email addresses or
whatever else needs to be compared.

~~~
phuff
Yeah, but you still have to store the hashes server side in the case where you
want to notify people when their friends join (which is how Path was using the
data).

------
fufulabs
Why am I not surprised, this is from a Facebook alum after all. Uninstalled
Path, kind of a dealbreaker since its whole angle is privacy and the CEO can't
even get this one basic thing right.

------
jtchang
I e-mailed Path and they replied. The only thing I am worried about is how to
verify my information is actually wiped out. And what about all my other
friends who have me in their address books? How do I get rid of that?

Zack S. FEB 08, 2012 | 05:19PM PST

Hi Jeff,

Thanks for getting in touch with us! I have erased your contacts and their
information from our servers.

On behalf of the team, I’d like to apologize for any privacy concerns that you
may have had. Our current release of Path for Android requests permission to
access your address book. In the next iOS release, we will have this same
permission request added.

Until the update is released for iOS, selecting “Add Friends” will display the
names of contacts that you have stored on your phone. But now that you’ve
opted out of contact uploading, we will never re-store this data on our
servers.

Please let me know if there is anything else I can do to help you. I’m more
than happy to address any further questions or concerns that you may have.

Best, Zack

------
bks
So I have read the responses and it seems that there are a few schools of
thought here and I just want to make sure that I understand the possible
solutions.

Per user Steko is this the ultimate solution to the problem -

(0) we get your permission (is this in the ULA, the in app screen? The privacy
page of the app?)

(1) we check for your contacts in our database (hashing your contacts). The
method of hashing yet to be determined or what info to hash and match if
anything other than the email address or maybe the phone number.

(2) we let you know if any matches are found.

(3) we throw away all your data afterwards.

My question is - do you go through steps 1,2,3 each time that you boot up the
application or click the add connections button. Compare the hash, report on
the matches and dump the rest? Rinse and repeat?

Is the issue more the keeping the address book for later matching, or the
passing it in the clear part?

If you were going to have an opt-in or disclosure what would you want it to
say?

------
checoivan
Combine this with the fact that sometimes syncing your iPhone in a corporate
server brings the whole company address book to the phone. They must have a
lot of contacts stored.

------
mishmash
It would be nice to go a single week without seeing how utterly and completely
the notion of privacy has been destroyed.

~~~
unreal37
Here's a question: was there a concept of privacy 100 years ago? Or 500?
Whenever someone had a baby, or bought a cow, or had an affair on their
spouse, didn't everyone in town know about it? Did they ask people's
permission when the first telephone book was published?

Or was the first response, "hey, that's an invasion of my privacy!" I doubt
anyone said that before the 1950's.

I think privacy is an invention of the late 20th century. I am truly curious
if any real notion of "invasion of privacy" existed for most of man's history.

~~~
aniro
This is a patently absurd notion.

I haven't heard an assertion so patently foolish and ill-considered since the
Path CEO claimed that uploading every user's "little black book" onto the Path
servers without permission or notification was an "industry standard best
practice."

What a bunch of hogwash.

------
shalmanese
Can someone explain to me exactly how I could be harmed by this? My contact
list is just a list of names and phone numbers of people I contact. Even if I
had an escort service in there or something, I don't think anyone on Path's
end is individually looking through the data.

~~~
cstejerean
An employee at Path might very well decide to start looking through that data.
There have been other cases where employees gave in to temptation to access
someone's data. Imagine for example if a celebrity is involved and someone
decides to leak their address book.

Now one would hope that employees wouldn't have unrestricted access to this
data, but one would also hope Path wouldn't do this in the first place. The
fact that they collect all this information in the first place, unnecessarily
and without consent does not inspire much confidence in their internal
safeguards for access to this data.

Also, if anything were to happen to the company, it's hard to know what hands
all that data will end up in.

~~~
shalmanese
I don't know any of the Path employees personally, why would they decide to go
after me? The possibility seems rather remote.

~~~
revdinosaur
Maybe not you personally, but think of the NOW scandal going on right now.
Information about people's mobile contact info is valuable to a number of
organizations in ways not immediately apparent.

------
LaGrange
The fact that address-book upload should be opt-in is obvious, and was stated
so many times here it was boring. But, there's also the other side: me, and
quite a few people I know, have good reasons to have an opt-out from being
discoverable this way. If someone knows my email address, let them send me an
email with an invitation code. They shouldn't even know I'm signed up until I
accept.

Though I also don't really think it's something private companies should
solve. Now, I can of course avoid services that let me be too easily findable,
but the proper solution is to make said opt-out required by law. Otherwise
it's just not beneficial for the company to provide it.

------
harold
I don't have a problem with this as long as they ask permission up front
before doing so. I don't recall having been presented with that question
myself though.

Disappointed in Path, especially since their focus was on a more private,
tightly knit social network.

------
badclient
So I download an IM app that automatically finds your friends based on your
phone directory. I launch it and scrolling through my friend's list I see my
mom. Some contacts later, I see the real name of the hooker. Both my mom and
the real hooker are on this IM platform...just a click away from chatting with
me _under the same identity_. This can be more than creepy, fortunately this
is a made up example ;)

I thought about this with whatsapp. This is scary because while we are used to
having multiple emails for different parts of our lives, juggling multiple
phone numbers is still a chore despite services like google voice.

~~~
glhaynes
I feel like we're missing part of this story. :)

------
sk3tch
I don't know if any of you remember, but this is why Guido van Rossum quit using
Twitter. The official twitter client for Android uploads your entire contact
book without showing more than a notification stating 'find your friends' or
similar; you click this notification and by that time it's already too late.
More on that here:

[https://plus.google.com/115212051037621986145/posts/YguETTsM...](https://plus.google.com/115212051037621986145/posts/YguETTsM4K5)

------
bri3d
I wrote a MobileSubstrate (jailbreak only, sorry!) tweak to block the use of
ABAddressBookCopyArrayOfAllPeople, the most common method of stealing contacts
in this manner.

It's rough around the edges, but check it out:
<http://news.ycombinator.com/item?id=3564968>

It should be available in the BigBoss repository as "Address Book Privacy"
sometime tomorrow.

------
atldev
Even if Path buried this disclosure deep in a TOS page, would anyone read it?
I just posted a startup idea I have to generate easy-to-read summaries from
website TOS pages: [http://clearsignal.posterous.com/do-we-value-our-laundry-mor...](http://clearsignal.posterous.com/do-we-value-our-laundry-more-than-our-privacy)

------
ricefield
Call me crazy, but I prefer it when companies do this. If I'm interested in
using their service, then I'd be happy to be alerted when my friends sign up
for it.

That being said, I wholeheartedly agree it should be opt-in (or at least have
an opt-out) for people who are concerned about their personal data.

~~~
motoford
Well that's the whole problem isn't it?

If they had asked up front for permission this article would not have been
written.

------
thought_alarm
Has anyone looked at Path's privacy policy?

Do they explicitly state what personal information they download to their
servers, what they use it for, and how long they retain it?

If not then they're breaking the law in many countries, regardless of what
Apple's current developer guidelines happen to be.

------
vm
Dave Morin's (Path CEO) response:

Arun, thanks for pointing this out. We actually think this is an important
conversation and take this very seriously. We upload the address book to our
servers in order to help the user find and connect to their friends and family
on Path quickly and efficiently as well as to notify them when friends and
family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the
industry and that it is important that users clearly understand it, so we
proactively rolled out an opt-in for this on our Android client a few weeks
ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client,
pending App Store approval.

Dave Morin Co-Founder and CEO of Path

------
SideburnsOfDoom
This is an accident waiting to happen. Whoever does this is doing it wrong.
The case was well-made here by Colin Percival (the tarsnap guy) in his blog:
"Playing chicken with cat.jpg"
[http://www.daemonology.net/blog/2012-01-19-playing-chicken-w...](http://www.daemonology.net/blog/2012-01-19-playing-chicken-with-cat-jpg.html)

> "The answer isn't for (any company) to prove that they can be trusted; the
> answer is to ensure that their customers don't need to trust them ... The best
> way to avoid privacy breaches is not to formulate a detailed privacy policy;
> it's to reduce your capabilities so that you're unable to violate anyone's
> privacy"

------
EGreg
In our Q platform, we specifically upload only the hashes of the address book.
There is absolutely no need to have the actual email or phone number of people
in order to find "who is on the service". However, when you INVITE people, we
specifically download the full email address because we send them an
invitation ourselves.

This is just one out of 100 things that our platform does while solving the
usual stuff of apps: user signups, importing address books, invites, etc.
However, we applied for a patent on some of the stuff we do. Even though I
personally don't like patents, it's the thing to do in the current
environment. Going to write a blog post about it soon.

------
jtchang
So my entire address book is on Path's servers right now?

Well shit. How do I get it off their servers?

------
United857
One-way hashing the phone numbers and emails would at least be a good solution
to alleviate the privacy concerns, while still allowing you to connect with your
friends on Path.

~~~
Someone
One-way hashing phone numbers cannot really be one way, unless you are using
an inherently really slow hash function.

Without it, generating the table of say 10^10 hashes is within range of almost
everyone (especially on a GPU). At say 1ms per input, it would take 10M
seconds, or about 4 months.
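
The cost argument in this reply, as an added example that is not code from the thread: a constructed number is recovered from its SHA-256 digest by walking a 10^4 slice of the number space, and the full 10^10 space is then priced for a fast digest and for a deliberately slow one. `APP_SALT`, the PBKDF2 iteration count and the sample number are assumptions.

```python
import hashlib
import time

# Hypothetical application-wide salt: client and server must share it,
# otherwise their digests would never match.
APP_SALT = b"constructed-app-wide-salt"


def fast_digest(number):
    """Plain SHA-256 of the canonical number."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def slow_digest(number, iterations=50_000):
    """PBKDF2-HMAC-SHA256, standing in for an 'inherently slow' hash."""
    return hashlib.pbkdf2_hmac(
        "sha256", number.encode("ascii"), APP_SALT, iterations
    ).hex()


def recover_number(target, prefix, suffix_digits, digest=fast_digest):
    """Walk every number sharing `prefix` until one hashes to `target`."""
    for n in range(10 ** suffix_digits):
        candidate = f"{prefix}{n:0{suffix_digits}d}"
        if digest(candidate) == target:
            return candidate
    return None


def seconds_for_space(per_hash_seconds, space=10 ** 10):
    """Time to hash every input in a space of the given size."""
    return per_hash_seconds * space


def measured_cost(digest, samples):
    """Average wall-clock seconds per digest on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        digest(f"+1415555{i:04d}")
    return (time.perf_counter() - start) / samples


def compare_designs():
    """Days needed to tabulate 10^10 numbers under each digest, single core."""
    fast = seconds_for_space(measured_cost(fast_digest, 5000))
    slow = seconds_for_space(measured_cost(slow_digest, 3))
    return {"sha256_days": fast / 86400, "pbkdf2_days": slow / 86400}


if __name__ == "__main__":
    # Constructed number; the server is assumed to hold only its digest.
    stored = fast_digest("+14155550132")
    print("recovered:", recover_number(stored, "+1415555", 4))
    print("1 ms per input:", seconds_for_space(0.001) / 86400, "days")
    print(compare_designs())
```

A slow digest raises the cost for the client as well, since every address book entry has to be hashed at the same rate before upload.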

------
jluxenberg
Does this mean that the standard HTTPS stack on the iPhone is insecure?
Shouldn't certificate verification fail when it attempts to send data via the
mitmproxy?

~~~
sp332
Actually I think you can manually add SSL certs to the iPhone, so just add
your own cert and the iPhone will trust your MITM.

------
slykat
I feel like this is [unfortunately] a regular practice of app makers nowadays.
I'd love to abide by "let the industry govern itself" but I don't think that's
realistic. I've seen so many apps that have abusive and opaque permissions.

Is there any regulation to protect consumers here? If not, are any legislators
drafting any? Would the FTC step in or does this only happen when a giant like
MSFT/GOOG/FB makes a mis-step?

------
renegadedev
> industry best practice

Did he say that with a straight face? Heard a lot of corporate BS in my time
but this takes the cake.

This is Apple's fault for allowing all apps access to the address book. But
there is a deeper issue here, trust. Just because I leave my office unlocked
doesn't mean my colleagues can steal from it.

I love this app and had great hopes for it but trust is a limited commodity
and Path just lost mine.

~~~
droithomme
There's a dozen or so people right in this discussion that are repeating it
with a straight face, that this behavior is normal and acceptable.

I know for a fact it is illegal in Europe, know for a fact it is a violation
of their contract with Apple, and I am almost positive it is criminal in the
US as well.

Therefore the names and affiliations of the engineers here who are claiming
data theft of private information is normal are very interesting to me, and I
am noting them carefully, as should we all.

------
antr
Albeit too late, after reading this I uninstalled Path from my Android. I did
not buy into this.

------
ghalin
1. I just changed my phone #
2. I notified all of my contacts to change their phone #s
3. I contacted both Apple and my State senator.

I am outraged by this scandal, and I still can't bring myself to believe that
Path has been collecting this sensitive personal information. My 6-month old's
pediatrician's # is in my phone. If this were EVER exposed or shared with a
3rd party, I can only imagine what kind of damage could occur. Path should
suffer for this. I forgive Apple for secretly tracking my iPhone's location
for a year, but I DO NOT FORGIVE PATH. Not this time. This went too far. Dave
Morin should know better. I bet an engineer voiced that he felt morally wrong
doing this, and Path just fired him. This is just wrong. A defining moment in
our industry. We need to stand united on this issue, and just try to move
forward.

~~~
res0nat0r
Your child's pediatrician's phone number will somehow cause inconceivable
damage if this number gets out? I bet calling up all of the pediatricians in
your town phishing for this info would be much more productive than worrying
about it being stolen off of a database from Path.

------
benaston
I always wondered what the purpose of Path really was, given that it offered
little over and above Facebook itself (apart from an arguably nicer UI.) It
would seem the purpose is to data-mine users' handsets.

------
ethank
It's worth noting that the AddressBook API dates back to mid 2008:

"The Address Book framework provides access to a centralized contacts
database, called the Address Book database, that stores a user’s contacts."

It has been there since iOS 2.0

------
alpb
I didn't know HTTPS requests can be traced so easily from a proxy. I was
planning to start coding an authentication endpoint with SSL but obviously it
is traceable that quickly. Is there no way to avoid that?
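
A common answer to the question above is certificate pinning: the client accepts only a certificate it already knows, so a certificate minted by a proxy whose CA was added to the device is rejected even though the chain validates. The Python below is an added example, not code from the thread; the host name, byte strings and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pins) -> bool:
    """True only if the presented certificate is one the client shipped with."""
    presented = fingerprint(der_cert)
    return any(hmac.compare_digest(presented, pin) for pin in pins)


def pinned_connect(host: str, pins, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf certificate is pinned.

    Normal chain and hostname validation still run first; the pin check is an
    extra step that a CA added to the device trust store cannot satisfy.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pins):
        tls.close()
        raise ssl.SSLError("certificate does not match any pinned fingerprint")
    return tls


# Constructed stand-ins for DER certificates (not real certificates).
REAL_SERVER_CERT = b"constructed-der: api.example.test issued by a public CA"
PROXY_MINTED_CERT = b"constructed-der: api.example.test issued by a user-added CA"
PINS = {fingerprint(REAL_SERVER_CERT)}


def demo() -> dict:
    """Compare the genuine certificate and the proxy-minted one against the pins."""
    return {
        "genuine": matches_pin(REAL_SERVER_CERT, PINS),
        "intercepted": matches_pin(PROXY_MINTED_CERT, PINS),
    }
```

Pinning the leaf certificate means a new pin has to ship before the certificate is renewed, so a backup pin is normally included. It raises the bar for interception on the network path; it does not hide traffic from someone who controls the device and can modify the app.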

------
malandrew
Quora best handles this situation. There can be a lot of benefit for the user
to have the contact lust on the server, but it needs to be (1) transparent,
(2) obvious, and (3) come with a delete button.

~~~
SimHacker
I'd like to keep my contact lust private, thank you.

------
AznHisoka
Moral of story: don't target techies as your end users. They'll just look
under your hood to make sure you're not doing anything embarrassing like this,
and passing back clear-text password in JSON.

~~~
pxlpshr
That's not the moral of the story; techies are great early-adopters and end
users for that reason.

The moral is to treat customers' privacy with utmost respect.

------
brador
Anyone know if they have an Android app? Does that share this feature?

~~~
corywatilo
Android asks for your permission on what information you want to give the app.
iOS just simply gives it whatever it asks for, without asking you first.

~~~
brador
Interesting. What else can an iOS app get access to without permission?
location? browser history? other installed apps list? emails? notes? pics?
vids? music list? podcast list? itunes username?

~~~
reidmain
Location: Permission is asked for

Browser History: There is no way to communicate directly with what Mobile
Safari stores.

Other installed apps list: Apps are sandboxed so it is impossible to know what
else is installed. If you've developed one of the other apps you can share the
same App ID which gives you access to the same storage space so you could
create a flag to indicate one of your apps has been installed. Some apps
respond to certain protocols so you can ask iOS if a given protocol will be
handled and if it returns yes then you know the app is installed. Again
because they are sandboxed you really can't do anything harmful and responding
to the protocol only allows the other app to receive information, not expose
it.

Emails: No, the only way you can do anything with email is prompt the user to
compose an email.

Notes: Same as Mobile Safari.

Pics: You can display a popup to the user that asks them to select an image
from their camera roll/iPhoto and if they select a photo you then get a
reference to an object that represents the photo. You can't just search their
camera roll.

EDIT: rbritton points out that with the AssetLibrary framework you can
actually search through all pics/videos and for some reason it gives a
location access prompt when you do.
<http://news.ycombinator.com/item?id=3563336>

Vids: Same as pics.

Music List: You can get a list of every song in the user's library without
asking for permission:

Podcast list: Same as music list.

iTunes Username: To my knowledge there is no way to access this but I've never
been asked to so I really haven't spent time looking. In theory because you
can access the Address Book you could make a best guess at which contact is
the user and then assume one of their emails is their iTunes username.

~~~
rbritton
You can access the Picture/Video library since iOS 4. It does prompt at least
once for location access (apparently since they can contain GPS metadata), but
it does not mention anything about _why_ it's asking for that location access.

<https://developer.apple.com/library/ios/#documentation/AssetsLibrary/Reference/ALAssetsLibrary_Class/Reference/Reference.html>

~~~
reidmain
Really? It asks for location access to get access to your asset library? That
is pretty stupid.

Thanks for the heads up. I was unaware of the AssetLibrary framework.

~~~
spullara
This is because the photos contain GPS data about where they were taken.

~~~
reidmain
Ah that would make sense. So that would mean that if you turn off location
services any app could access your asset library without any prompt then. Good
to know.

------
saddino
So my choice is easy, but for the life of me I can't figure out how to delete
my Path account. Both online and mobile interfaces appear to be missing this
function. Help?

------
csmt
I was thinking of using Path as a personal diary. But not anymore. Just
deleted Path app. I would suggest everyone to do the same. A lesson for Path
and others.

------
orblivion
You know... I think Google uploaded my entire contacts list to its servers,
and I don't recall being informed very clearly about that either.

------
dam0
I'm pretty sure that Instagram is doing this too as I get push notifications
whenever a friend signs up. Can anyone confirm?

~~~
fiatpandas
I briefly looked into it. Logging in and registering with Instagram apparently
won't work behind an http proxy (mitmproxy)

------
ukemma
With social apps, trust is everything. Without it, you've got nothing. I
wonder if this increases vanity user base numbers.

------
grappler
I wonder if this use of address book information explains the sudden spike in
Path's growth since their recent relaunch?

------
xorbyte
Such a blatant and fundamental failure to be transparent in regards to user
privacy should make everyone doubt Path's ability to function as a private
social network. Whether this incident is a reflection of their technical
incompetence or a lack of actually caring about their user's privacy (as their
Values would otherwise have you believe) the expectation that their product
can live up to its purported goal is misplaced.

This is pretty basic stuff.

------
angryasian
I'm happy this is brought up again. So many apps do this unknowingly. One
reason I prefer web over apps.

------
ABS
from a company that claims they "don't currently have the internal tools to
delete an account" I'm sadly not surprised.

The above was their official response to me when I asked to delete my
account... and I had to ask by email since there is no link on their website
to close your account...

------
gabaix
This is clearly a lost opportunity to position Path as the "trusted network"
against Facebook.

------
0x0
I sure hope they have implemented proper ACL for the REST api.

------
benaston
Uninstalled Path. Incredible violation of privacy.

------
piyushranjan123
So does whatsapp

------
evanlong
I believe Bump does the same thing and I am willing to guess others do as well.

------
robomartin
Brought to you by: <https://path.com/team>

Their collective decision making has proven to be a huge liability. Would you
hire them for your next venture?

A 14 year old girl could tell you that her address book is private, private,
private!

~~~
ryanwaggoner
Umm, hell yes I'd hire them. And so would any major software engineering
company in the world.

You seriously think that this is out of the ordinary or unusual? How many huge
privacy fiascos has Facebook had? And yet, they're about to IPO for $100
billion.

The only group who _really_ cares about this is on HN. In a week, most of us
will have moved on to the next big drama. In a year, no one will remember this
at all.

The memory of the voting population is short, but the memory of the Internet
is so infinitesimal as to almost not exist at all. And truthfully, I'm not
sure if that's a good thing or a bad thing.

~~~
robomartin
That doesn't make it right. Privacy is privacy. What happens when their
servers get hacked and all of that info is out in the open? This ranks way up
there with storing passwords in plain text. OK, sure, the entire team isn't at
fault, but one or a few people are. I would not want those people making
decisions that could take down my business. No way.

Downvote me all you want. The fact remains that, if you asked a teenage girl
if it would be OK to grab her address book without consent it is very clear
what kind of an answer you'd get. Why is it that a bunch of smart adults think
that they can get away with it then? The apology is bullshit. They knew what
they were doing and got caught.

As far as only HN caring, I'll bet that users of this app would disagree with
you on that point. How many people do you know that are OK with a company of
strangers secretly downloading their private data onto their servers?

This, in my opinion, is a very serious transgression.

------
rjurney
This is NOT controversial. You give them permission to do this. If you don't
want Path to import your address book, then don't ask Path to import your
address book.

