
Path texts my entire phonebook at 6 AM - kemayo
http://www.branded3.com/blogs/the-antisocial-network-path-texts-my-entire-phonebook-at-6am/
======
crazygringo
How about another detail -- the fact that the message said the user had photos
to share, when he didn't?

There's annoying spam, and then there's straight-out-lying spam -- the "x has
sent you a message, you need to create an account to view it" type.

Just curious, is there a way to sue/fine a company like this for false
advertising, essentially?

~~~
bitcartel
We need to nip this in the bud.

Maybe it's time to create a Hippocratic Oath for developers to publicly commit
to?

A future Path developer could then refuse to implement an unethical "feature"
by pointing out that the company had hired them with the full knowledge that
the oath had been undertaken.

I don't think the company would pink slip the developer, as they would
probably want to avoid any attention being drawn to the unethical "feature" in
a tribunal or other legal setting.

~~~
mjolk
>Maybe it's time to create a Hippocratic Oath for developers to publicly
>commit to?

This is silly. Stop trying to add grandeur to writing some code at X,Y
startup/company.

People don't die or get harmed when some social-messaging application spams
someone. Code is a way to implement an idea. Most applications exist to make
money. If this is a shock to you, read the user agreement before
installing/upgrading, uninstall the application, or realize that in social
networking, your personal data is what the company uses to make a profit.

~~~
darxius
I disagree. As a computer engineer in Canada, I must swear by the Code of
Ethics because what I do (or potentially don't do) can cause harm.

Ethics in computer-science-related fields are important and I think we do need
a set of rules we can dogmatically follow like the Hippocratic Oath. Of
course, the HO is different in that failing to follow can cause physical harm.
However, the world is progressing quickly and more and more information is
hosted online -- personal information.

I think it's our jobs to make sure we don't promote poor practice and
unethical behaviour.

~~~
mjolk
>I think it's our jobs to make sure we don't promote poor practice and
>unethical behaviour.

No, it's our responsibility as decent people. I don't need to sign some online
pledge to keep myself from pushing people in front of trains. If I was the
sort to harm others, why would I care about some meaningless online campaign?

~~~
freshhawk
"No, it's our responsibility as decent people"

Well, yes. But there is a reason that every profession that has tackled this
problem has used a system of oaths and certification. Engineers, Doctors and
Lawyers are the canonical examples.

You need something that is given and can be taken away for bad behaviour in
order to change behaviour at this level. Damn human brains.

~~~
pekk
Taken away by whom and on what basis? I would dispute that you need the
ability to take away other individuals' ability to lawfully write software.
That ability is bound to be abused for political reasons (which is also what
it looks like when people have reasonably different ethical systems and one
imposes his by force).

Anyway, the issue at hand is bad corporate behavior, not bad programmers. I
don't see why we need to start licking our chops about the prospect of forming
a blacklist against individual programmers.

~~~
freshhawk
This is just a bonding/licensing arrangement, it's in use by every other
profession that has this exact problem.

So go ahead and try and stop bad corporate behaviour, everyone else can use a
proven system so that programmers can easily say "no" when asked to do
something unethical and not be fired for it.

I'm often confused by how often programmers completely reinvent the wheel when
faced with social problems. The idea of looking to other similar industries
never comes up, even if the problem is _exactly_ the same.

------
maxcan
I'm sure this will be downvoted to hell and back, but still:
[http://jesuschristsiliconvalley.tumblr.com/post/46539276780/...](http://jesuschristsiliconvalley.tumblr.com/post/46539276780/a-cunt-and-his-iphone)

~~~
rdl
Turning off the ringer on your phone is totally legit, though. I don't believe
in interrupt-driven communication, unless it's mediated through a machine or
some kind of filter. (I'll let a machine notify me if lots of stuff is down,
or if one of a very small number of people call me, but that's about it. IIRC,
pg's call went to voicemail a couple years ago.

~~~
untog
_Turning off the ringer on your phone is totally legit, though._

It is, but his stated reason for doing so is nothing if not totally insane.

~~~
mseebach
Especially in context, the phrasing is ridiculous, but semantically it is no
different from "I refused to be bossed around by my phone".

~~~
untog
Refusing to be bossed around by an inanimate object still seems somewhat
ridiculous to me.

~~~
rdl
Being bossed around by an inanimate object seems even more ridiculous to me :)

------
jacquesm
Path must _really_ like those FTC fines.

Here's to hoping the next fine will exceed their cash reserves and we can put
an end to this madness.

The post is proof positive that path _still_ uploads phonebooks from the app
to their servers right after installing it.

~~~
Me1000
This comment is a great example of how people are so quick to rush to
judgement with emotional reactions. Let's look at the facts:

1\. Path was fined, not for anything involving address books, but for allowing
12 year olds to sign up for the service.

2\. Yes... it is proof that Path uploads your phone book. Of course, they ask
you. The OS won't even give you access to the phone book without prompting the
user. So somewhere along the way, the user knowingly gave Path access to their
contacts.

It would be rather trivial for a real reporter to do some research here. Does
Path actually say "We're going to invite all your friends via SMS", even in
fine print? It might be sleazy, but it would certainly change a lot. But
instead, we're just going to sit here and speculate about things and
irrationally talk about a fine that didn't have anything to do with this.

~~~
sandaru1
Android doesn't ask for user's permission before accessing the address book,
does it?

~~~
gtaylor
Android shows the permissions each app is requesting before you install, and
even lets you know if they change their permissions between updates. While
what Path did is crappy, they didn't subvert the Android permissions system.

The thing that burnt the poster is that while a social app asking for access
to their contacts might not raise a brow, the user has no way to know what they
are going to do with that data without looking at the reviews or around the
internet for complaints/testimonials.

~~~
pjbrunet
"Android shows the permissions each app is requesting before you install"

Yes and no. Google often hides the most offensive permission requests under
that "see more" arrow. And the permission requests (and accompanying
explanations) are too vague and ambiguous. For example: Does "request access
to network" mean they're able to sniff all my incoming/outgoing data, granting
the app access to everything?

~~~
__chrismc
That, and the page is designed so most people will click the "Accept &
Download" button without even reading the top-level permission requests.

It's got the title and button at the top, taking up a large chunk of space
(1/3rd on my Nexus 4), and then a vague list of - to most users -
technical-sounding "stuff".

My guess is a large majority of users never look past the button.

------
greghinch
Path seems to do all the shady things with your data that we fear Google and
Facebook _could_ do. FB and G definitely push the boundaries of privacy/creepy
sometimes, but Path seems to have no qualms about blowing right past them. I
am staying away.

~~~
NoPiece
It reminds me of one of Facebook's early growth tactics - as part of the contact
import process, they'd send out spam IMs to all your contacts saying you just
joined Facebook and ask if they wanted to join. It was very shady.

------
dredmorbius
And this is why I fundamentally don't trust my smartphone.

It's a fun device. But it's a spy, outside my control, in my pocket.

I've rooted it, but haven't yet modded it (and if anyone cares to point me at
a gentle introduction for CyanogenMod or another option that works on an HTC
Incredible, I'm all ears).

I've been reasonably conservative in what apps I place on my phone, and
several (Pandora specifically comes to mind) were removed when permissions
were extended to include contacts (Pandora, you listening?).

I'm waiting eagerly for the following capabilities:

 _To define at the phone level what information I'm willing to share._
Existing "privacy controls" make a mockery of any semblance of either
"privacy" or "control" by distributing vague and conflicting access among a
great many applications with no ability to centrally audit them.

 _To specifically grant to specific applications specific rights._ My location
is something I'll disclose very guardedly (I disable GPS functions on my
phone). Other rights generally shouldn't be shared.

 _To request and audit ALL information a given application has of me in a
convenient electronic format (such as a database dump accessible by MySQL or
PostgreSQL)._ Such functionality is of course a three-edged sword, as what
information the vendor has and I wish to request a third party might also
request pretending to be me. Or having legal authority to make the request
(though that's already the case), via subpoena or warrant.

 _My contacts list is off limits._ Full stop. Specific contacts might be
contacted by way of an application if specifically designated by me, but no
other use may be made of their information. Hell, it's not even mine to give.

The existing state of smartphones is interesting, but it's also a little shop
of horrors. And if application authors, smartphone manufacturers, and telecom
providers don't get their act together on this Real Soon Now, we're going to
see some horror stories.

~~~
dnissley
What I really wish there was in android is a way to disable permissions after
installing an app. Obviously this probably won't make it into stock android,
but I would love to be able to install an app like Pandora and then revoke
specific privileges.

Then whenever the app attempted to use those revoked permissions, android
would do something logical for certain cases (like providing an empty contacts
list for the contacts permissions), or even just crash the app if it couldn't
do anything else. I would totally be willing to accept a certain amount of
instability for a feature like this.

~~~
lucb1e
> "What I really wish there was in android is a way to disable permissions
> after installing an app."

You can, you can! Only Google went ahead and disabled it for you. The commands
are "pm revoke x" and "pm grant y", but if you ever try it (even running as
root), you'll get this message:

    Operation not allowed: java.lang.SecurityException: Neither user [your uid] nor current process has android.permission.GRANT_REVOKE_PERMISSIONS

> "Then whenever the app attempted to use those revoked permissions, android
> would do something logical for certain cases (like providing an empty
> contacts list for the contacts permissions), or even just crash the app if
> it couldn't do anything else. I would totally be willing to accept a certain
> amount of instability for a feature like this."

Exactly! Same for me. If this made it into stock android, developers would be
forced to put phone book access in a try{} block so that permission revoking
doesn't crash the entire app. Your solution with returning an empty phone book
sounds even better, but that's also more work so I don't know whether that'll
ever make it... Then again, it's a much nicer solution, so who knows.

------
onemorepassword
Why on earth are people still using Path after it has become so very obvious a
long time ago how unethical this company is?

This kind of behavior doesn't just go away after a bit of bad publicity or a
few fines. It's part of the DNA of a company. Such a lack of ethics permeates
everything from strategic decisions to technical choices to hiring.

Expect more of the same.

------
eksith
Remember when a while back they downloaded far too much information from each
phone (for the convenience of connecting you to people)? Everyone was
surprised (some outraged) and then they pushed an update to stop that
"feature" and when the CEO/Boss man posted a blog entry apologizing, everyone
forgave the company, people were holding hands singing Kumbaya.

Edit: Here's when they flubbed a year ago.

[http://news.cnet.com/8301-19882_3-57373474-250/path-ceo-we-a...](http://news.cnet.com/8301-19882_3-57373474-250/path-ceo-we-are-sorry-and-weve-deleted-your-address-book-data/)

Edit2: Er... apparently, I suffered a seizure of some sort (and an aneurism
and a stroke simultaneously). Reworded.

~~~
skytalon
I just noticed, in that apology letter, the line:

"... Your trust matters to us and we want you to feel completely in control of
your information on Path. ..."

So they want you to _feel_ in control.

~~~
c0ur7n3y
"We are deeply sorry if you were uncomfortable with how our application used
your phone contacts."

That non-apology is corporate communications at its most typical.

~~~
eropple
Path's customer service replied to this article's author on Twitter saying
they'd "love to engage."

If you aren't Captain Picard, you're not _engaging_ anything. Shut up and talk
human, folks.

------
kemayo
I think the HN traffic may have destroyed another WordPress install.

So, google cache:
[http://webcache.googleusercontent.com/search?q=cache%3Ahttp%...](http://webcache.googleusercontent.com/search?q=cache%3Ahttp%3A%2F%2Fwww.branded3.com%2Fblogs%2Fthe-antisocial-network-path-texts-my-entire-phonebook-at-6am%2F&oq=cache%3Ahttp%3A%2F%2Fwww.branded3.com%2Fblogs%2Fthe-antisocial-network-path-texts-my-entire-phonebook-at-6am%2F&aqs=chrome.0.57j58.1101j0&sourceid=chrome&ie=UTF-8)

~~~
taylorbuley
For those with WordPress installs who want to survive an HN frontpage:

    
    
        1. if you don't have sudo, use the W3 Total Cache plugin http://wordpress.org/extend/plugins/w3-total-cache/
        2. if you have sudo:
            2a. the easy way: apt-get install memcached, add the pecl memcache extension, and use object-cache.php http://plugins.svn.wordpress.org/memcached/trunk/object-cache.php and batcache http://wordpress.org/extend/plugins/batcache/
            2b. the hard way: varnish https://www.varnish-cache.org/ https://github.com/pkhamre/wp-varnish

~~~
icelancer
Using CloudFlare or Google Page Speed Service is also a good idea to further
optimize!

~~~
peterwwillis
Or:

    
    
      # /var/spool/cron/crontabs/apache
      # Refresh the static copy every 2 minutes; the lock is released even if wget fails
      */2 * * * * ( cd /var/www/htdocs && [ ! -e .mlan.lock ] && touch .mlan.lock && { wget -q -O tmp.html http://www.mywebsite.com/blogs/my-long-article-name/ && mv -f tmp.html my-long-article-name.html; rm -f .mlan.lock; } )
    

Post HN story <http://www.mywebsite.com/my-long-article-name.html> and it'll
get refreshed every 2 minutes. Pretty simple hack. (Edit: add lock file)

------
raverbashing
This is good information

I'll make sure to _never_ install Path

There are some abuses that can't be solved by an apology.

~~~
w1ntermute
Yeah, this just convinced me to never use Path too.

~~~
lucb1e
Great, we have a few more convinced not to use Path. One application will now
have perhaps a few hundred less users. What about the rest of the permission-
hungry apps? Whatsapp? Facebook? Any Google app? Any other big developer's
app? What if the founders of Path just start a new company?

Not installing Path is not a solution here. You gotta look critically at the
permissions an app uses and their terms of service (at least skip to the
privacy related issues, though they usually try to hide and obfuscate them).
If there is something you don't entirely trust, wonder why you really need
that app. Perhaps it's an improvement for your life, but can't you really live
without? You've gone without that app for the past how many years? Is it worth
giving up your phone book and all sdcard contents?

~~~
raverbashing
You're correct, and it gives me the shivers to see an application like 'photo
sharing' wanting several useless permissions

Here's what I would like: for Android to allow me to deny or ask for a
confirmation for each permission of these.

~~~
lucb1e
Or ask upon usage. "Do you want to grant XYZ to view your contact list? [Yes,
and don't ask again] [Just this time] [Never]"

------
AJ007
I don't know the exact details of this story, maybe the blogger accidentally
pressed a button in the app and the messages were queued up for the following
day.

However, if the story is indeed cut and dry:

1) Path sent messages that qualify as spam both because they had no permission
to send them and they were false.

2) If this was intentional, this should be a red flag to investors not just of
the company but the kind of people that run it.

3) This is nothing new. Tagged did the same thing, with e-mail, which to some
degree falls afoul of less laws than using text messages or the telephone
(other commentators pointed out that land line carriers convert SMS to voice
calls, which is news to me.)

4) Using spammy methods to acquire users is a red flag for any web service.
While arguably Facebook used and uses extremely aggressive e-mail
notifications (sending out an e-mail for every minor thing, and whenever a new
feature is added opting in the user to receive notifications by default),
using spammy techniques means that your service will skew toward the bottom of
the market that actually "falls" for these techniques (poor and illiterate)
early on and actually scare away early adopters for multiple reasons.

5) In the short term, Path's metrics will look really good, but in the long
term it could result in serious problems, least of which will be another news
story with FTC settlement in it.

------
evan_
The weirdest part of this is that it apparently made voice calls to landlines?
Why would they do that, it makes no sense. Unless maybe that's what the phone
company does if you text a landline? Never tried it but I would be
surprised...

~~~
forgingahead
If you send a text to a landline, a lot of providers will convert it to a
phone call using some sort of text-to-speech API. I've done this by accident
on older cell phones when I'd add someone's landline to a text message instead
of their mobile number. This sounds like a nightmare scenario though for this
poor chap and his family (and his dentist).

~~~
evan_
Well that shows you how long it's been since I've had a landline- Thanks all.

(Do they charge you 15¢ for the privilege? Can you reply?)

------
nikolakirev
One of my clients wanted me to implement the same thing for his iOS app. I
told him, that I think it is illegal and if it is not, that it should be.
Anyway, I never wrote that code.

~~~
Matt_Mickiewicz
"Thank you" - From, The Internet.

------
ajanuary
From
[http://www.theverge.com/2013/4/30/4286090/path-is-spamming-a...](http://www.theverge.com/2013/4/30/4286090/path-is-spamming-address-books-with-unwanted-texts-and-robocalls)
it sounds like it's a result
of "finding your friends" actually texting invites to friends, and then text
messages being put in a queue so they're getting sent out even after the app
is deleted.

Obviously such an action should be more clearly labelled. If it was, could
they whitelist the times it sends out text messages to not do it at 6am? How
easy is it to look up an approximate region for a mobile number?

~~~
mynameisvlad
You can do it based on country code, and, if you want, NANP for North American
numbers. That would get you a time zone (or range) and you can easily use that
to not spam people at 6am.
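
One way to implement the lookup described above, as an added example that is not part of the original thread: map the country code (or, for +1, the NANP area code) to a range of UTC offsets and send only when every offset in that range falls inside an allowed local-time window. The prefix tables are a small constructed subset, the 09:00-20:00 window and all function names are assumptions, and unknown prefixes fail closed.

```python
import re
from datetime import datetime, time, timedelta, timezone

# Constructed lookup tables (illustrative subset, not a full numbering plan).
# Values are (min, max) whole-hour UTC offsets, wide enough to cover daylight
# saving time and, for large countries, every time zone in the country.
COUNTRY_OFFSETS = {
    "44": (0, 1),    # United Kingdom
    "49": (1, 2),    # Germany
    "61": (8, 11),   # Australia, several zones
    "7": (2, 12),    # Russia and Kazakhstan, many zones
    "81": (9, 9),    # Japan
}
NANP_OFFSETS = {
    "212": (-5, -4),    # New York
    "312": (-6, -5),    # Chicago
    "415": (-8, -7),    # San Francisco
    "808": (-10, -10),  # Hawaii
}


def normalize(number):
    """Return the digits of an international (+...) number, else None."""
    number = number.strip()
    if not number.startswith("+"):
        return None  # no country code, so the region cannot be inferred
    digits = re.sub(r"\D", "", number)
    return digits or None


def candidate_offsets(number):
    """Return the (min, max) UTC offset range for a number, or None."""
    digits = normalize(number)
    if digits is None:
        return None
    if digits.startswith("1"):
        # NANP: the three digits after the country code are the area code.
        return NANP_OFFSETS.get(digits[1:4])
    # Country codes are 1 to 3 digits and prefix-free; try the longest first.
    for length in (3, 2, 1):
        rng = COUNTRY_OFFSETS.get(digits[:length])
        if rng:
            return rng
    return None


def ok_to_send(number, now_utc, earliest=time(9, 0), latest=time(20, 0)):
    """True only if the local time is inside the window for EVERY offset
    the number could be in. Unknown regions are never messaged."""
    rng = candidate_offsets(number)
    if rng is None:
        return False
    lo, hi = rng
    for off in range(lo, hi + 1):
        # Shift the UTC clock by the offset and read the wall-clock time.
        local = (now_utc + timedelta(hours=off)).time()
        if not (earliest <= local <= latest):
            return False
    return True


def next_send_time(number, now_utc, step_minutes=15, horizon_hours=48):
    """Earliest time (UTC) at or after now_utc when sending is allowed,
    searched in fixed steps; None if the region is unknown or no slot exists."""
    if candidate_offsets(number) is None:
        return None
    t = now_utc
    end = now_utc + timedelta(hours=horizon_hours)
    while t <= end:
        if ok_to_send(number, t):
            return t
        t += timedelta(minutes=step_minutes)
    return None


if __name__ == "__main__":
    # Constructed sample: 15:00 UTC, fictional phone numbers.
    now = datetime(2013, 4, 30, 15, 0, tzinfo=timezone.utc)
    for n in ["+1 (212) 555-0100", "+1 415 555 0100", "+44 20 7946 0000",
              "+7 495 000 0000", "415-555-0100"]:
        print(n, ok_to_send(n, now), next_send_time(n, now))
```

A wide offset range shrinks the usable window rather than removing the check: for the +7 entry, only one hour per day satisfies every candidate zone.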

------
ysapir
This seems to be a direct violation of Google Play policy:

"Do not send SMS, email, or other messages on behalf of the user without
providing the user with the ability to confirm content and intended
recipient."

<https://play.google.com/about/developer-content-policy.html>

~~~
amirmc
Not quite. The messages aren't being sent _from the device_, they're being
sent by Path from their own infrastructure once they've uploaded the
address-book.

~~~
ysapir
The policy does not make that distinction.

An app generally needs a backend and it is clear some of the policies are
directed towards not the app itself but how it interacts with the backend.
These same guidelines are meant to be used to stop apps such as malware games
that collect contacts and send them to the backend to be used as spam email
lists.

------
msantos
I share this guy's frustration. But with Whatsapp not Path - I heard not so
nice things about Path so didn't bother trying it. Anyway, after installing
Whatsapp on my Android the app didn't spam my contacts, but quickly uploaded
my entire contact list and hours later I started receiving spam from
recruiters that had my phone number. So far, not the app's fault. But then I
went on to delete the app, but first I wanted to delete any contact it had
previously uploaded so it wouldn't keep my data. How naive was I?! Whatsapp
wouldn't let me delete the contacts it had previously uploaded. Eventually I
just gave up and deleted the app without clearing the app's data.

------
DanI-S
FYI, you can deactivate your Path account by visiting their website
(<https://path.com/>), signing in and clicking 'Deactivate' on the 'Settings'
page.

~~~
taude
Notice that it says "Deactivating your account will remove your content from
Path. If you reactivate your account, your content will come back."

Not deleting your content, though. I hate that.

~~~
dbpatterson
It's also a bald-faced lie. If it removes the content, then there is no way
for it to come back.

~~~
Samuel_Michon
The wording is slippery and pretty deceptive, but it’s technically correct.

 _“Deactivating your account will remove your content from Path.”_

The ‘Path’ in the sentence refers to the social network, not the company’s
servers.

~~~
pbhjpbhj
<https://path.com/privacy>

This privacy policy is a joke. It basically says "we can do anything we like
with your data".

Under the "What Information Do We Share With Third Parties?" section there are
some classic deceptions. This one is great (as in evil genius):

> _with certain social networking services, if you allow such sharing through
> our services;_ //

Not consent, allow. As in if you don't actively prevent it we'll do it.

> _with service providers who are working with us in connection with the
> operation of our site or our services_ //

We'll sell you out to anyone who we can describe as "working with us".

> _in connection with, or during negotiations of, any merger, sale of company
> assets, financing or acquisition, or in any other situation where personal
> information may be disclosed or transferred as one of our business assets._

So when doing business-y stuff, blah, blah oh yeah and any time we want to use
your info as a business asset. They're covering themselves, again, to sell all
data to anyone who'll buy it.

------
haraball
Path seems like a company which is doing everything wrong these days. My peeve
with them is that I signed up and used it happily for a long time because it
should be possible to get my data exported later. Now they have removed that
from the FAQ/Support and their support mails are just ignorant saying "not
possible but the team will look into it".

------
smickie
This might be off topic but I loved reading that post, it turned into comedy
gold. The time I was at the third... (I don’t have any photos to share with
them) I was giggling. And the list of people path called at the end killed me.

~~~
edgesrazor
As I read the post I wondered the whole time, "Does he have any photos to
share?"

------
pmarca
This is not a comment specifically on Path -- I don't know anything about what
they are doing or not doing.

But more generally: one of the most interesting parts of startups is the
tension between "Don't Be Evil" and "Don't Fail". It would be good to be able
to discuss this more openly -- "Don't Be Evil" by itself is too utopian. Many
of the most successful companies in the world did things in their early days
-- or later -- that new entrepreneurs would never even consider -- until of
course their own backs are up against the wall.

~~~
amirmc
There are many (perhaps dubious) things I've learned from friends about how to
grow/bootstrap users. If I decide to ever use any of those tactics then I'll
_know_ I'm doing something dodgy and work to mitigate any risks. I'd bet that
the successful companies you're referring to also knew that they were on shaky
ground and acted accordingly.

However, problems arise when startups begin to think that behaving this way is
'normal'. During the previous furore over Path grabbing address books, the CEO
claimed it was "industry best practice". Just because (nearly) everyone does
it, doesn't make it "best practice". It actually belongs on the
'list-of-dodgy-things' and therefore should be treated with the appropriate caution.

This is one reason I have a gripe with the "Move fast and break things"
bandwagon. It's not really appropriate if you're stumbling around in a
minefield.

~~~
chii
yep - agreed that just because nearly everyone does the same thing doesn't
mean it's a good thing to do: nearly everyone used to own slaves (except the
slaves).

------
sailfast
I have been a Path user since the app launched and have never had any text
messages sent to my address book. Path informed users that the address book
data hook was no longer there and that all data had been removed from their
services after the initial FTC inquiry. I took that at face value but after
this article I would be interested in hearing a response from the company
about how my information is handled.

~~~
lucahammer
This is a feature while signing up if you use Facebook. It shows your friends
with a phone number and if you don't uncheck them before tapping ‘next’, it
will invite them.

------
schabernakk
I was considering joining path with 4, 5 of my closest friends to have some
kind of 'private facebook'. I don't really like sharing stuff on
twitter/facebook so path seemed like a good alternative to share stuff with
people I definitely know will be interested.

After reading this I don't think I will join anytime soon. I don't really get
the reasoning behind this. Path is marketed for the use case I had in mind.
Sharing stuff with only a handful of people you know well. Why on earth are
they trying to lure all of your contacts in. This would make sense for
facebook, not for path.

Anyone knows an alternative to path using my data more responsibly?

~~~
HNaTTY
Internet Relay Chat (I'm into simple solutions)

~~~
schabernakk
I really like using email for staying in touch, also works with groups.

But besides the fact that my friends aren't really into the whole tech thing
(lot of them are still using their old non-smartphone) Inlining videos, photos
and threading conversations is something I really like for such a software to
have.

~~~
HNaTTY
One other idea that comes to mind is that you could create a private subreddit
on reddit.com and make it closed/invite-only. Reddit doesn't ask for
personally identifying data.

------
gfodor
This sounds to me like there was a fuckup in one of the pieces of software
that sends these messages causing a lag. The guy probably hit "yes" somewhere
without realizing it and then 12 hours later shit hit the fan. Could have been
client, could have been Path server, could have been cell provider, whatever.

The thing is it doesn't matter.

When you're dancing on the line of ethical behavior, you are one bug, one
mistake, one oversight from crossing it. When you cross it, it might not be
"your fault", but generally it never is: your fault was to be so close that
such a thing could happen in the first place.

------
hiroprot
It doesn't seem to be a bug, it has to do with their post-signup invite
friends screen. By default, all contacts are selected, and if you just hit
next, it will invite them all.

You have to explicitly hit "unselect all" first :(

Obviously, this is really bad UX design (for the user), and it really
surprises me that Path would do this just to get a few more users, especially
considering that they used to market themselves as a social network for a
limited number of close friends.

------
droithomme
Perhaps the third time's a charm for Path.

[http://gawker.com/5883549/dont-forgive-path-the-creepy-iphon...](http://gawker.com/5883549/dont-forgive-path-the-creepy-iphone-company-that-misled-us-once-already)

------
coldcode
They just got fined $800,000. I guess it should have been $800,000,000.

~~~
amartya916
Totally agree with the sentiment. I believe that companies have DNA, and that
most companies do not change over time, they just get better at hiding the bad
stuff. I would probably trust a company that starts off on the right foot
(e.g. Google) even when it becomes larger, than trust one that's built off –
what I consider to be – shady growth strategies.

Path seems to be taking especially egregious steps. All the UI polish in the
world can't hide shady business practices.

------
celerity
Why do people use these horrible services? Is having an online social presence
so important? I understand if you do it for business, but if bad news like
this keeps coming out of a company, I simply stop using their products.

------
lucahammer
The article is wrong and a linkbait.

1\. Was the feature designed badly? Yes. Friends should be unchecked by
default.

2\. Did Path call anyone? No. That's a service from phone providers when a
text is sent to a landline.

3\. Did Path send texts without permission of the user? No. But the feature
was designed in a way that many people just tapped yes and didn't uncheck
their contacts.

~~~
SEMW
> Did Path send texts without permission of the user? No.

No?

The permissions screen is shown in the verge article. It's labelled: "Find
Your Friends: Path is more fun with friends. Find out who's already on Path."

I interpret that as asking permission to run my contacts against its database
and tell me who else is already on Path. _Not_ as asking permission to text
people who aren't.

Permission to do some X with a contacts list is not permission to do
_anything_ with a contacts list.

------
meerita
Glad I just deleted Path a long time ago. I did it because of many reasons, the
first one is transfer my entire life to a new place, then find out it can
close, sell to another company I don't like. So the fear of wasting resources
and time to setup my life in there made me deny this app. The second reason
was an old episode with contact data, so I thought they shall make many other
"mistakes" in the future. So after this one I feel better I didn't follow this
path. Facebook is also dead on my life, I just check it for family messages.
Google+ all the way.

------
cwb71
This is the last straw I am definitely not buying any more stickers from Path.

------
k-mcgrady
Probably best not to just jump to conclusions until there is a response from
Path or more evidence from users. I've been using Path since it launched with
nothing like this ever happening. This sounds to me like some sort of
unrelated scam. I didn't notice him say in the article but do the texts
include a URL? If so where does that go? This seems like something that would
be noticed by more than one or two guys if it was something Path was doing.

~~~
jen_h
There's a screenshot in The Verge's article
([http://www.theverge.com/2013/4/30/4286090/path-is-spamming-a...](http://www.theverge.com/2013/4/30/4286090/path-is-spamming-address-books-with-unwanted-texts-and-robocalls)),
looks to go straight to an
invite with the guy's name (<https://path.com/i/BfOPb>).

------
creativityland
Another similar user report from 3 months ago on Reddit, very detailed report.

[http://www.reddit.com/r/Android/comments/16tavj/warning_be_c...](http://www.reddit.com/r/Android/comments/16tavj/warning_be_careful_with_the_path_app_featured_on/)

------
uptown
I'd held off uninstalling Path because it was well-designed and I always liked
checking out their new UI enhancements when they'd roll out an update. Though,
apparently they've already got my address book - the app is no longer on my
device. Enough.

~~~
pullo
I was thinking the same thing. Path's UI design is notable and I wanted to
keep tabs on it, as an engineer. Looks like the curiosity is not worth it.

------
polymathist
I just went to the path app on the Google Play store and marked every user
review that mentions the spamming as helpful. People should know about this
before they download, but most only read the first three reviews and don't
look closely at permissions.

[https://play.google.com/store/apps/details?id=com.path&f...](https://play.google.com/store/apps/details?id=com.path&feature=nav_result#?t=W251bGwsMSwxLDMsImNvbS5wYXRoIl0).

------
donretag
Am I the only one that found this sentence interesting/amusing/silly:

"I decided the best place to contact them would be Twitter"

Why would anyone contact someone on Twitter first? Their contact page
(usefulness unknown) is easy to find on their website.

~~~
manifold
You're publicising a problem with the company and so it has more of an
incentive to deal with it quickly.

------
austenallred
At times like these I feel the best I can do is pay with my downloads (or vice
versa).

I just deleted Path; I recommend others do the same.

~~~
rzt
I just deleted my account as well. I never really used the app due to a lack
of traction within my own circle of friends, but now I have an even better
reason to rid myself of the thing.

------
nashequilibrium
This is both funny and a serious invasion of privacy. Path keeps on stepping
into it because they are hell-bent on using web 2.0 tactics to get customers.
The smartphone is a very personal and intimate device completely different
than a desktop or laptop and when you lose the trust of people who have
invited you into their homes, you will not get a second chance. Path has been
struggling for a while but for the last few months I have been noticing a lot
of PR articles talking about their growth, especially outside of the US. My
guess is that their VC probably said fuck it! We can ask for forgiveness
later!

When a company is this small and shows no regard for privacy we better hope
that it falls in the deadpool because if they get to scale, we are going to
get to hear a lot more of these invasive tactics. I really hoped for path to
put a dent into Facebook's growth but not anymore!

------
leephillips
I think the moral of this story is to do a little Googling about a company or
product before trusting them with all the contact information (at least) in
your phone. You know, to find out first if they're criminal scumbuckets. For
all you know their app keylogs your transactions with your bank.

~~~
nwh
Well we know they don't keylog, they can't act outside of their sandbox.
Curious if they'd try if they could though.

~~~
leephillips
Unless they've found an exploit. Even companies that are generally law-abiding
(Sony) have distributed applications specifically designed to circumvent OS-
level protections, to do things the user doesn't want. Given what we know
about these creeps, why wouldn't they? You have to have trust to install
closed-source software, and that trust should be based on something besides
"oooo, shiny".

~~~
rdl
Putting a keylogger exploit into an app that you, as named identifiable rich
people and a US company distribute through the app store, would be a pretty
crazy risk profile for the developer. All it takes is one person finding it.

Exploits should be used on targeted individuals where you can serve a trojaned
app just to that individual, vs. something like the App Store where that would
require either Apple's permission or some crazy proxy. (A carrier could
probably do it with phones the carrier sells, though, particularly on Android,
but even on Apple by pre-jailbreaking phones sold in sketchy areas like rebel-
held Syria, if that were the goal)

------
Groxx
Looks like this might be related to the "find friends" button. There are a
handful of reviews in the Play store that mention it messaging everyone.

This is why I hate install-time permissions. It means you have to trust an app
until uninstall do you part, which generally happens _well_ after abuses.

~~~
SomeCallMeTim
>This is why I hate install-time permissions.

Android developer here: I would have to say a _mix_ of permission types would
be best. Sometimes a feature of an app is crucial to its design (or, to be
blunt, to its monetization).

A few things -- using the camera on the phone, accessing the address book,
sending text messages, maybe a few others -- would be great to request as
"optional permissions," or even better, "runtime-granted permissions," so that
an app that only 5% of the time needs that permission could ask for it LATER
instead of making everyone who installs the app agree to using a permission
that they may not want the app to have.

As it stands, you'd have to break your app up into several different downloads
in order to have optional features. Not impossible, but neither is it a good
user experience.

------
cemregr
MessageMe does this too. When I was installing it, it auto-checked 600 people
and the default "next" button was going to text those 600 people.

LinkedIn's signup flow is similar.

------
taylorbuley
Could this kind of "feature" be responsible for recent news about massive user
growth?

[http://blogs.wsj.com/digits/2013/04/25/path-a-social-diary-a...](http://blogs.wsj.com/digits/2013/04/25/path-a-social-diary-app-is-adding-1-million-new-users-a-week/)

 _Path, a more intimate social-networking app that’s like a personal journal,
is now growing by 1 million registered users a week after its most recent
launch.

The newest version of Path includes a way to message your friends — for which
Path limits to 150 — and send them stylized stickers like other top messaging
apps. Around half of Path’s registered users (now at 9 million) are regularly
using the app on a monthly basis, CEO Dave Morin said._

------
tzury
The very fact that a product/service/company does not have a clear and solid
revenue model. The fact that their success is measured by generated traffic
(downloads/page-views/subscribers etc) can cause some people to make very
strange choices.

This may not be _the reason_ but surely helps many in our industry to reach
those dark spots of ethics and faithfulness.

If your users are customers, that is, they pay you, then you will care about
their privacy, as you know that otherwise, you will lose them.

If they don't, and yet consume your bandwidth and CPU, you may find yourself
ending up sniffing their address-books, claiming copyrights on their images or
selling their clicks and choices to campaigners.

------
vegashacker
On iOS, Apple made it so the app has to get permission to access the phone
book. (Interestingly, Google Image search turned up this for a query of "ios
address book permission": <http://i.stack.imgur.com/MHF0p.jpg>)

Did OP give this permission? I'm not defending Path (at all!), just trying to
get full details. I've in fact accidentally given address book permission to
apps by tapping too fast.

 _Update: OP is using Android, which is different._

~~~
clauretano
Apple added this feature after the previous privacy gaffe from Path. Still
though, there's a legitimate use case for asking for your contacts, and it is
to help connect you with people you may know who are also on path. You also
give them access to your photos to share things on Path, but there would be an
uproar if they started uploading all of your photos to their servers. I'm not
really seeing any good way to solve this at the OS level, it seems the only
solution is for apps to be less shady.

~~~
Samuel_Michon
_“Apple added this feature after the previous privacy gaffe from Path.”_

Yup, here’s an article about it, from February of last year:
[http://allthingsd.com/20120215/apple-app-access-to-contact-d...](http://allthingsd.com/20120215/apple-app-access-to-contact-data-will-require-explicit-user-permission/)

However, according to Apple, even before iOS6 came along (which asks
permission whenever an app requests access to Contacts) it had already been
against Apple’s dev guidelines to use Contacts info without users’ permission:

“You and Your Applications may not collect user or device data without prior
user consent, and then only to provide a service or function that is directly
relevant to the use of the Application, or to serve advertising. You may not
use analytics software in Your Application to collect and send device data to
a third party.”

------
Void_
This is the most ridiculously arrogant apology:

> We're sorry to hear of your issues.

Well I don't have issues, you have issues. And you should be sorry that you
screwed up, not to hear about anything.

------
pjbrunet
I blame Google and Android and its Play Store. So many apps ask for ridiculous
access to everything, they should really discourage this. There should be a
big red flag on any apps that ask for "superuser" access to my phone.

After getting a "smartphone" I've had 50x more spam calls. I never had this
problem pre-Android. Coincidentally, spam peaks when I'm using my phone, which
makes me wonder if these apps are telling spammers I'm near the phone.

~~~
smirksirlot
You're blaming the Play Store for something that the app developers decided to
do? Just because there's a hole doesn't mean it should be abused, particularly
since Path is supposed to be from a "legit" company.

~~~
pjbrunet
Yes I am. If there's a hole in IE allowing a virus to proliferate, don't we
blame IE and get a security patch or switch to another browser? How is this
any different? The root of the problem is Android and the Play Store.

------
trimbo
This is what desperation looks like, and why we need to be adamant about our
privacy.

------
zalzane
Why is it even possible for this to happen? Did someone really think it was a
bright idea to provide an API to access people's personal data, and if so, why
doesn't the phone tell them that before letting them install the app?

On top of all of that, why wouldn't the phone provide a setting to restrict
all personal/identifying information from being accessed by the app?

~~~
pkulak
Address book access is a permission just like anything else (internet access,
for example), so it can fly under the radar. Android has been trying to make
things like "send text messages" stand out a tad more than "write to local
storage", but they may need to go even further.

This is my personal favorite app permission that you can request:
[http://developer.android.com/reference/android/Manifest.perm...](http://developer.android.com/reference/android/Manifest.permission.html#BRICK)

~~~
ColinCochrane
Wow. I wonder what the use-case for that is?

~~~
ajanuary
An app that lets you brick your phone remotely if it gets stolen maybe?
Depends on how it works.

------
orangethirty
I actually got a text from them at around 1am not long ago. A friend opened up
an account and they spammed everyone on her contacts list. She is an iOS user.
I'm not against tactics like these, but you have to do this correctly. Or
else you alienate your user base and their contacts. I, for one, now tell
people to steer clear of Path.

------
white_devil
> _@stekenwright We’re sorry to hear of your issues and would love to engage.
> Please message us so we can help_

Translation: "Your blog post detailing our scuzzy spammery is getting seen by
lots of people. We're uncomfortable with that, and would like to get you to
say we're not so bad after all."

------
homosaur
This is pathetic. I'm glad I've never found a use for this pile of garbage but
this is like the fourth or fifth time I've read about something exactly like
this happening. This company has no respect for users or privacy.

CALLING A FREAKING LANDLINE?!? DIE PATH

------
fotoblur
One thing I've learned from this kind of news is this: Do wrong and get ahead.
Most people will forget next week, you'll get a ton of free press, and oh
yeah...more users.

I've been so dumb to not have tried this kind of bad publicity stunt yet.

------
WilliamSt
I signed up for Path a couple of months ago, with Facebook. When I realised
how many private photos (they didn't seem to care about the privacy settings
on Facebook) they took from me, I deactivated my account and sent an email
asking them to remove all my information. Yesterday, I reactivated my account,
lo and behold, they had not taken away my information as I asked them to do,
and it seems the information had been there all along, even though I
deactivated my account, because some friend of mine had gone in and "liked"
my pictures on Path while my account was deactivated.

------
mattdeboard
"We're sorry to hear of _your issues_ and we would love to _engage_..."

If you can't send anything except this daft, goofy, unbelievably annoying
tweet, maybe you need to find a different way to "engage" with upset users.

------
SurfScore
Is this only a problem on Android phones? The screenshot he shows of the text
is clearly Android. I would wonder how this would be possible on a non-
jailbroken iOS device if Path wasn't left running all night.

~~~
rozap
I don't see any reports from iOS folks about this happening. It's definitely
against the Android Play store TOS, though.

The Play store definitely has a more laissez-faire approach to apps, but
spamming like this is a pretty blatant violation. Google might want to
consider suspending their app.

------
nekojima
How about a little bit of consistency for the Path url in the tweet. I know
it's now common practice, but this obscuring of links is what I have repeatedly
told my family and many friends to avoid clicking on, so to avoid downloading
viruses or going to sites they don't intend to.

For "bit.ly/PathHelp" the underlying url is "t.co/B4lOWrDqyr" and it redirects
to "service.path.com/customer/portal/emails/new"

I'm sure there is a reason for it, but just having service.path.com or
help.path.com would be more beneficial for the company to both have as a url
and to tweet to (former) customers/users.

~~~
salman89
Has to do with URL character count - Twitter limit is 140.

------
nicholassmith
I wonder if Path will end up being used as a model of what _not_ to do for
start-ups, there's been that many missteps that it's hard to separate the
network from the issues.

Overreaching use of customer data, check ("But everyone else was doing it!"),
and then saying "it turned out the customers didn't understand this", spamming
contacts, a CEO who comes across as somewhat of an arse at multiple
opportunities.

If I was a VC I'd be so nervy about investing money in a business that's
repeatedly getting caught out doing some seriously shady business practises.

------
laxcrosi
They're actually hiring a Director of Privacy and Legal right now:

"The Director of Privacy and Legal will be responsible for positioning Path as
a leader in the protection of user privacy."

------
general_failure
I like Path.

They are showing the world what could happen if your data lands in the wrong
hands. I hope people now become more aware of privacy and security issues
thanks to Path. Tell me which other company is directly working for this
cause? FB and Google keep telling that they won't use our data for bad
purposes. Path is showing what can be done with the data they already have.

So this is why I like Path. They are setting an example of what bad companies
can do.

------
crikli
I got one of these texts from a friend of mine. Path didn't ring a bell so I
figured he'd gotten hacked and ignored the text message.

------
kyberias
This is *ucked up but hilarious at the same time.

------
hmottestad
Let's sue them for hacking into everyone's phones.

Which is essentially what they did. It's still a break in even if you leave
your door unlocked.

------
asperous
Strangely, this behavior will ultimately be rewarded with a huge influx in user
base due to awareness.

Might even cover that 800k fine easily.

------
jevin
I don't understand why people still use Path. Why do they have good ratings
and how come they are still on the Appstore?

------
benjlang
"Growth hacking"

------
saintx
Software developers are as responsible for this guy's address book getting
spammed as fork and spoon makers are for making people gain weight.

Someone built a tool. And someone else used that tool to do an unethical
thing. I doubt a software language exists that can control the choices of its
users.

------
gcv
Could this just have been a good old-fashioned programming bug, rather than
spamming or malicious intent?

~~~
claudius
How could this _possibly_ be a programming bug?

~~~
apike
Of course it was a bug. It seems clear to me they were experimenting with some
texting functionality where Path would notify users of things, it made it to
production with bugs, and some subset of users got this terrible behaviour.

Never ascribe to malice that which is adequately explained by incompetence.

~~~
andreigheorghe
What are the reasons that make you so sure, though? To me, it's not clear at
all just from the symptoms that it is a bug. It could just as well be a
feature they're only testing out on 0.1% of the user base to see how their
engagement or whatever improves.

~~~
apike
Maybe I'm naive, but it seems just so insanely bad that I assumed no product
manager or engineer would intentionally cause this behavior.

~~~
amartya916
I am sure you've already done so, but in case you haven't, read about Path's
previous snafus.

Recently fined by the FTC:
[http://www.pcworld.com/article/2026985/ftc-fines-maker-of-pa...](http://www.pcworld.com/article/2026985/ftc-fines-maker-of-path-app-800-000-for-privacy-violations.html)

~~~
apike
Collecting and using my private info to, say, recommend friends in their UI is
something I could imagine a product manager doing on purpose. Creepy, but you
can see why they would think this is helpful. Spamming every number in my
phone book with texts about photos that don't exist at 6am is not something I
could imagine a product manager doing on purpose.

------
Mordor
I know this is totally off topic, but why does File Expert need to read my
contacts? Would be better if Android was able to install apps while
selectively denying certain permissions. Another option is to prompt, e.g.
"send path.com your address book [yes|no]?"

------
tnorthcutt
Google cache:
[http://webcache.googleusercontent.com/search?q=cache:www.bra...](http://webcache.googleusercontent.com/search?q=cache:www.branded3.com/blogs/the-antisocial-network-path-texts-my-entire-phonebook-at-6am/)

------
hkdobrev
I hadn't even finished the article when I checked if I had uninstalled the Path
app!

~~~
jonny_eh
The problem was the guy's address book got spammed AFTER uninstalling, yikes!

------
ketralnis
Twist also likes to send me messages every time someone in my phone book uses
their app (and presumably it tells that person too). I don't remember telling
it that it could access my contacts but I suppose I must have.

------
joecurry
This is absurd- Deactivation Link:
[http://service.path.com/customer/portal/articles/257565-deac...](http://service.path.com/customer/portal/articles/257565-deactivate-reactivate-your-account)

------
gcb0
that is great! really!

if another dozen of cases like this happen, maybe, just maybe, people will
wake up and stop installing apps with ridiculous permissions.

That's one of the reasons i use CyanogenMod. i can disable permissions from
apps. For example, i removed internet access from swype. It does crash
every time i reboot my phone, because it's probably trying to check for
updates, and i know it will crash if it tries to connect while i'm typing. and
i'd rather that than be in the dark if my data is secure.

------
yebyen
So, did anyone tell you / did you find out that they signed up for Path as a
result of the SMS spam? Did it turn out that you really did have photos to
share, but forgot?

------
na85
Looks like the good old HN rush has tanked their server.

Anyone got a mirror?

~~~
stordoff
Google Cache:
[http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://www.branded3.com/blogs/the-antisocial-network-path-texts-my-entire-phonebook-at-6am/&strip=1)

------
questionhn
is there a way to sandbox an application?

say i install an app, but i want that app to see exactly 0 contacts when i
actually have more contacts than that.

~~~
pekk
Of course not, that would make the App Store less valuable to its customers
(namely, app vendors).

------
hatestheword
Always be on offense - never answer your phone :-)

------
jordhy
That's what I call a genuine "oh-sh&t" moment.

------
mckoss
Thanks for the reminder - just uninstalled Path.

------
wwwong
Usually, this is what happens when someone gets so caught up with 'Growth
Hacking' they forget about UX.

------
soneca
Growth hackers also wear black hats.

------
cloudwalking
Let's not jump to conclusions too quickly. This was _probably_ (hopefully) a
bug.

~~~
bentcorner
The whole _feature_ seems like a bug. Even under the best of conditions who
would want to text their entire address book that they had photos to share?
It's (IMO) socially obnoxious behavior and should be made difficult to do.

Maybe I'm not in the target demographic, but I'm guessing that most people
have a mix of contacts in their contact list that conform to different social
situations. Not all of them would care to know I had photos to share.

------
tlear
Happy I deleted my account a while ago, loved the design back when v2 came out
but..

------
existentialmutt
<http://www.wuphf.com/>

------
perchance
A term needs to be coined for this behavior- perhaps "PATHology"?

------
mikescoffield
Taking a page from FB's playbook.

------
MWil
I feel like you won't hear back from them. Know any lawyers who would be
willing to pen a snail mail letter for you?

------
qompiler
That's why it's free.

------
magoon
didn't Tagged get sued for this?

------
OGinparadise
Wow, they just paid $800K to FTC for being shady.

They are betting that they become so big that these shenanigans don't matter
later on.

~~~
smacktoward
They're doing it exactly backwards. The Right Way is to hold off on the
massive user privacy violations _until_ you become huge. At that point
enforcing the laws against you becomes too difficult and expensive, so the
government won't bother; and if some random AG tries to do it anyway you can
afford to buy whatever changes to the laws you need to get him off your back.
Problem solved.

~~~
minimaxir
But nowadays, due to all the competition for emerging startups, you _can't_
become huge until you start invoking privacy violations.

It's a Catch-22 of ethical misconduct!

------
vtempest
The problems with Path are because its CEO Dave Morin is not geek enough. Dave
is Christian, majored in economics, focuses on skiing, worked in a marketing
and management position at Facebook and Apple. He doesn't go hard, he is just
opportunistically trying to seize a financial position by hiring geeks and be
public speaker in the news. He acts like Steve Jobs while leaving out the
crucial prerequisite of actually having smart people like his product.

------
smegel
Sounds like a job for Anonymous

------
_pmf_
> I decided the best place to contact them would be Twitter

No, you didn't. You decided that you could score some quick internet drama
points using Twitter.

------
shadesandcolour
This certainly sounds like a bug in their Android app and not a malicious
thing that they did. Path is headed up by some smart people. I have a hard
time believing that they would willingly blast out texts to everyone in an
address book considering what they just paid the FTC. Then again, it's
possible that it was a user error while trying to uninstall the app. There
certainly is an option to invite people to path right there in the sidebar.

