
I find it mind blowing that (in the comments of the blog post) someone asked the Path CEO:

> Why wasn't this [sending all the contacts to your servers without users knowing] an opt-in situation to begin with? Isn't that against Apple's own T&Cs?

and the Path CEO replied:

> This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we've been proactively addressing this.

Really guys? REALLY? This is why developers need explicit guidelines, because as they just demonstrated if there are no guidelines companies default to the thing that exploits the end user! (incidentally, it's unfair to pick on Path too much as almost all social networking applications do exactly this also.)

I actually cringed when I read this "however, as mentioned, we believe users need further transparency on how this works" ... which is why it took someone running a proxy and writing a blog post for you to suddenly be transparent about it. Mind blowing. Why even say that?

Btw, times like this? You destroy any and all credibility when you say you are trying to build a company that is built to last or one that is going to follow in the footsteps of Apple.

Apple would never do this to their users.

(do not make this a discussion about the evil and good sides of Apple. Apple has repeatedly not bowed to companies' desires for owning contact information and I expect they will fix this contact hole in the near future.)

It's sad because I respect Path and their love of design. But design isn't just about how it looks. It needs to resonate through the entire vision, company, product, and how you treat people.

Mind-blowing level of arrogance. Path just ensured that I will never use their product and that I will actively discourage all my friends, colleagues, co-workers, and users that I support (who number 100 or so) from ever using Path, too.

"This is currently the industry best practice"? That's the biggest bullshit line I have ever heard. No, it's most certainly NOT a "best practice", and even if it were, it shouldn't be, and as a CEO, you're supposed to be bright enough to know this. And if you don't know this, you're supposed to be bright enough to make up a better excuse when you get caught. Hint: This ain't it.

  >> No, it's most certainly NOT a "best practice"
Apparently they meant to say 'industry lowest common denominator'.

Wait: What about MY INFORMATION if I've never installed Path? If someone I know with my contact information installs Path, does that mean that my information is stored on their servers?

How can I remove my information if I've never installed Path before? It doesn't seem right that my contact information, which I have kept private, because someone I know has uploaded that information. Do I not have a right to keep that information private?

This would make Path and other companies that upload the entire contacts database the prime candidate for hackers and government agencies that want non-Facebook information about people, given a name, phone number or email address.

Clearly there are a lot of WTFs going on at Path, but this isn't one of them.

> Do I not have a right to keep that information private?

But you didn't. You gave it to someone else. It's not your information any more.

Information about you is not information you own.

Privacy and anti-spam laws in various jurisdictions cover what an organisation can do with information they collect about private individuals, but that has nothing to do with ownership.

In the EU, the third party would be using personal data for other than the reason it was collected, so it is illegal.

"Do I not have a right to keep that information private?"

Generally no. I mean anyone can put their in-laws' information on their blog. It's a dick move but not illegal generally (if you're putting the person in danger like a battered spouse or witness protection there may be problems, IANAL).

I get the outrage that they didn't hash everything but the righteous indignation that a social network is trying their best to let people know when their friends sign up seems overblown.

Moral of the story: don't be shocked when social networks don't follow best practices for privacy. Also foxes like chickens.

If they're smart they'll revamp their system to work like this:

edit: (0) we get your permission /edit

(1) we check for your contacts in our database (hashing your contacts).

(2) we let you know if any matches are found.

(3) we throw away all your data afterwards.

They'll generate a few fewer matches this way but since they're going for stronger ties it shouldn't really be an issue.
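The four-step scheme above (consent, hash-and-compare, report matches, discard), written out as an added example that is not code from Path or from the commenter. It uses a server-side keyed hash (HMAC-SHA256) rather than a bare hash, a choice of mine, because a plain hash of a phone number can be reversed by enumerating all possible numbers; every name, key and contact below is constructed for the demo.

```python
"""Hashed contact matching with an explicit consent gate and no retention.

Constructed example of a "find my friends" service. Registered users are
stored only as keyed hashes of their normalized phone number or e-mail, so a
leaked table does not directly reveal who is a member. Uploaded contacts are
hashed, compared and then dropped; nothing from the caller's address book is
persisted.
"""
import hashlib
import hmac
import re

# Server-side secret. Constructed placeholder; a real deployment keeps this
# out of source control and never ships it to the client.
SERVER_KEY = b"constructed-example-key-not-for-production"


def normalize(identifier: str) -> str:
    """Canonicalize an e-mail or phone number so that formatting differences
    ('(555) 010-0002' vs '+1 555 010 0002') produce the same token."""
    value = identifier.strip()
    if "@" in value:
        return value.lower()
    digits = re.sub(r"\D", "", value)
    # Assumption for this example: 10-digit numbers are North American and
    # get the country code prefixed.
    if len(digits) == 10:
        digits = "1" + digits
    return digits


def token(identifier: str) -> str:
    """Keyed hash of a normalized identifier. The key means someone holding
    only the stored table cannot brute-force the phone-number space."""
    data = normalize(identifier).encode("utf-8")
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()


class FriendFinder:
    """Holds only tokens of registered users, never raw identifiers."""

    def __init__(self, registered_users: dict):
        # registered_users maps user id -> identifier; only tokens are kept.
        self._tokens = {token(ident): uid for uid, ident in registered_users.items()}

    def match(self, contacts: list, consent_given: bool) -> list:
        """Steps (0)-(3): consent, hash-and-compare, report, discard."""
        if not consent_given:  # (0) no permission, nothing is processed
            raise PermissionError("address book access was not granted")
        matches, seen = [], set()
        for raw in contacts:  # (1) hash each contact and look it up
            uid = self._tokens.get(token(raw))
            if uid is not None and uid not in seen:
                seen.add(uid)
                matches.append(uid)
        # (3) `contacts` and the derived tokens were only locals of this
        # call; nothing is written to self or anywhere else.
        return matches  # (2) caller learns which of their contacts are members

    def exported_table(self) -> dict:
        """Everything that would leak if the stored table leaked."""
        return dict(self._tokens)


if __name__ == "__main__":
    # Constructed sample data.
    service = FriendFinder({"alice": "alice@example.com", "bob": "+1 555 010 0002"})
    my_contacts = ["(555) 010-0002", "carol@example.com", "Alice@Example.com"]
    print(service.match(my_contacts, consent_given=True))  # ['bob', 'alice']
```

The exported table contains only hex tokens, which is the point of hashing before storing; the trade-off the comment mentions (a few fewer matches) comes from contacts whose formatting the normalizer does not reconcile.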

This is an important point, but it's an issue that would arise even if Path allowed voluntary opt-in for contact scraping.

> This is why developers need explicit guidelines,

No, this is a matter of security. Apps should not be able to access user data without explicit permission. It's not something you can rely on guidelines for.

> Apple would never do this to their users.

You're being way too generous to Apple here. They are the ones who provide the API. I've used other phones and their APIs never freely provided my data to apps. Honestly, if I knew the iPhone worked like that I wouldn't have bought it.

I think you're assuming too much about the API, all it does is provide access to the address book so you can do things like create an "invite a friend" dialog, it's not meant to be used for bulk uploading to remote servers.

Yeah, I only came to the comments to express my utter disgust and anger at the claim anything about this is "currently the industry best practice". What a load.

Wait, on second thought. Maybe he is right. Hopefully he will post a comprehensive list of all other companies he is aware of that engage in this practice in order to show his good will in stating it is an industry best practice according to his personal knowledge, and not that he is merely a compulsive liar. I look forward to Mr. Morin's follow up with the list.

While I still support Path, the best PR move they could do right now is to pro-actively wipe all non-members' contact info from their servers, and then fast-track approval of the new "opt-in" version to the App Store, so that users can re-upload.

Played right, this episode could actually give them free publicity. Companies like Facebook and Zynga have been embroiled in far worse controversies, and they've all blown over.

That's not a PR move, that's what you do while crossing your fingers that state attorneys general and the FTC don't come after you.

I've just:

  1) saved their Privacy Policy and Terms of Use
  2) requested a complete deletion of our family's account
  3) requested deletion of any/all stored information
  4) considering contacting our lawyer

As I emailed to Path's support, our 3-4 year old children's schools, bus companies, physicians, pharmacies and our family lawyer were in that contact list - that's an insane, willful, and quite unexpected violation of our privacy.

Worse, it could have easily been solved by adding an entry to their Privacy Policy (under the "What Personal Information Do We Collect?" section) and/or a simple dialog prompt.

> As I emailed to Path's support, our 3-4 year old children's schools, bus companies, physicians, pharmacies and our family lawyer were in that contact list

Ok, I'm going to pick on you for a second.

Hold the downvotes everyone! Let me explain.

This seems like a bit of a knee-jerk reaction akin to "think of the children!" or the whole child porn scare-mongering that politicians engage in that we on HN are always criticizing. I recognize that Path screwed up, big-time, but I'm unclear on why them having the information you cited, along with dozens or hundreds of other contacts from your address book, for millions of users, constitutes some kind of terrible threat to your children. I mean, their schools, their bus companies? How is that even remotely useful information to anyone?

I think there's plenty to criticize here from just the high-level perspective of "they used my contacts without my permission", without using the children scare-mongering tactic. But maybe there's a specific threat in mind that I'm not thinking of?

Anyway, just thought your response was a little over the top, and more informed by emotion than reason.

Ok, now everyone can downvote :)

Having all that information (school, doctor, lawyer, pest control company, health insurer, employer, credit card company, ...) about one person or a family, together in one place, is a social-engineering / identity-theft cornucopia. Imagine if Path had a data breach resulting in this contacts database floating around the internet.

Now most people's response to that kind of threat is to think "I'm just nobody important, no one would ever go to the trouble of using this information to impersonate me or otherwise make my life difficult." Probably you are underestimating one or more of: (a) your importance, meaning how much money someone stands to gain by impersonating you, (b) the gullibility/apathy of customer service reps at the companies you interact with, or possibly (c) the amount of free time and/or perversity of someone who will fuck with you just for the lulz.

One of my kids has special needs. This means he rides a certain bus and goes to a certain school. It would be trivial to uniquely identify him for the rest of his LIFE with only the information contained in my contacts list.

So now, without consent, this "private" "friends and family"-based app I installed on my phone, plus its company, plus any other company they choose to do business with, or any entity that acquires them in perpetuity, or any data mining, social profiling, credit bureau, can start building far-reaching and long-lasting profiles of a four year old little boy that needs extra help.

What part of that confuses you?

p.s. this could have been avoided with a dozen lines of code via a dialog box.

Actually there is a simple solution for your problem. Don't use social apps. Especially not if they are free!

Do you also buy snake oil if it comes with a document using lots of difficult sounding words but ends saying it cures everything?

> I'm unclear on why them having the information you cited

First of all, my wife and I actually read and attempted to analyze Path's Terms and Privacy Policy before joining. They did not in ANY WAY have our permission, either implicitly or explicitly, to collect private information about our children, who are 3 and 4 years old.

> along with dozens or hundreds of other contacts from your address book

From path.com/about

  Path should be private by default. Forever. You should 
  always be in control of your information and experience.

I was never once asked, agreed to, or gave consent to allow anyone to collect sensitive information about where our children are schooled, what buses they ride, where they receive medical treatment, or OTHER PLACES I LEFT OUT OF THE ORIGINAL LIST BECAUSE THEY ARE PRIVATE TO MY FAMILY. :)

> for millions of users

"kill one, it's murder - kill 1,000,000 it's a statistic" - this isn't about your children - it's about mine. ;)

> constitutes some kind of terrible threat to your children

Where did I say this was a "terrible threat" to my children? Maybe it is, maybe it isn't - bottom line is we did not consent to it. And perhaps we just want to protect our underage children from having behavioral profiles or credit risk assessments built up on them before they reach kindergarten.

Interestingly enough, according to Path it is VERY reasonable that I should protect my children's information:

  We take reasonable measures to protect your personal information 
  in an effort to prevent loss, misuse and unauthorized access, disclosure, 
  alteration and destruction. Please be aware, however, that despite our efforts, 
  no security measures are perfect or impenetrable and no method of data 
  transmission can be guaranteed against any interception or other type of misuse.

Combined with:

  (You)...accept all risks of unauthorized access to the Registration Data and any other information you provide to us.

My risk, right?

> But maybe there's a specific threat in mind that I'm not thinking of?

Yes, there is. And I acknowledge that you might live in a world where you have no problem allowing anyone in the world to know any detail they can illicitly sneak out of your phone about you, your family, and your friends - but most of the rest of us don't.

For fuck's sake a UIKit dialog box and handler code is less than a dozen lines of code and then NONE OF THIS WOULD BE AN ISSUE.

> Anyway, just thought your response was a little over the top, and more informed by emotion than reason.

I'm curious, do you have a spouse or children?

> They did not in ANY WAY have our permission, either implicitly or explicitly to collect private information about our children, who are, 3 and 4 years old.

What are you talking about? Do you expect them to perform complex data analysis to figure out that certain contacts are young children, and then explicitly ask permission to share those? Or do you expect them to preemptively ask for any potential sensitive contact information? "Can we use your children's information?" "Can we use your in-laws' information?" "Can we use the address of the President's safehouse?" Etc.

> What are you talking about? Do you expect them to perform complex data analysis to figure out that certain contacts are young children, and then explicitly ask permission to share those? Or do you expect them to preemptively ask for any potential sensitive contact information? "Can we use your children's information?" "Can we use your in-laws' information?" "Can we use the address of the President's safehouse?" Etc.

Just a "Can we upload your entire address book?" would have worked. Or perhaps listing "Your entire address book" in the "What personal information do we collect?" section of their Privacy Policy.

That still wouldn't be specific permission to share children's information specifically, which is what it seemed like you were requesting.

No, but giving him the information would have informed him sufficiently so that he could have decided whether he wanted to (a) not use the app or (b) delete sensitive contacts before using it.

I think you're spot on here mash but I have a disconcerting question. How do you intend to handle this situation with every other app you, and presumably your wife, have ever downloaded? Specifically those that may not be as 'transparent' as Path?

I ask because we would be foolish to think the developers of some less than typical quality apps have not, or will not, certainly exploit this for their own monetary gain.

> How do you intend to handle this situation with every other app you, and presumably your wife, have ever downloaded?

Not sure yet. Path is actually the first (and will certainly be the last) social network I've ever joined - and it was precisely because it was supposed to be private and they had a pretty reasonable privacy policy. I remember something of this nature after the App Store was first released but had honestly thought it was a fixed issue.

On our lap/desktops we use prompting firewalls and on occasion will even watch suspicious apps or behaviors, if you will, where on iOS this is much harder.

I have an idle FreeBSD box and may start mitm'ing like OP did, but seriously poring through the kind of output a home network produces doesn't sound like fun at all and I already know that going back to a dumb phone would probably be just as easy.

I was worried that would be the response. Not that I think it's a bad idea, it's just such a substantial shift from what I'm used to.

I would be curious for someone to do this with other apps. Even those that aren't social networks. I have a strong inkling that most of the top free apps are doing this without any of us knowing.

> I'm curious, do you have a spouse or children?

What kind of argument is this? So if he doesn't have a spouse or children he can't be right. What kind of populist are you?

Seems to be an ad misericordiam argument. It's bad they share private information of people in your contact list without your or their permission. But adding children in the mix is just used to add effect to your argument.

Don't really like this kind of argumentation.

> considering contacting our lawyer

What do you expect to achieve with this step?

To get his money back, of course.

To get perspective, actually. Most lawyers are wicked smart and it sucks you aren't in a position to have such a valuable resource available in your own life. HTH.

Lawyer? God, get a fucking grip. No wonder companies treat their users like morons.

Because asking for advice from those wiser than oneself clearly makes one a moron.

Yes, good point. And regarding state attorneys general, how is this not data theft? It seems to go far beyond privacy issues, the program is in every way that matters a trojan that steals personal data. I can't see how it could not be considered so given the details of what was discovered.

If I were an evil-state-attorney-general, I'd be calling up Path and saying "Here's a list of names (unsaid - of suspected drug dealers), please forward all of their details and contacts, and the details and contacts of anyone who lists them as a contact. Thanks"

Yeah - or I hire a private eye to spy on my wife and he pays off a path DBA. Don't people always complain on HN that they don't get enough kaching?

If I were involved in this (and I'm not, I just think transparency - not privacy - matters) I would want the CEO and CTO of Path to create a video that is displayed to all relevant users in their mobile app. The first thing they do is apologise, they explain in plain words what people are up in arms about, the CTO reiterates that a) this was dumb and a poor choice but we are all human, b) what this means (eg: we did this not for our value but to deliver the best experience by matching you to your friends effortlessly) and c) why this matters on a macro scale for the industry.

I would respect a company that did this because they are not only addressing users that are aware of it but also users that are not aware (but are affected.)

Wiping data is fine but it feels like it doesn't solve the crux of this problem -- communication and transparency. Companies make mistakes and they can fix them, sure, but communicating about them? that's much cooler. (I suspect this is overkill unless mainstream news catches on this - which seems unlikely)

I wouldn't be surprised if there is an engineer there who voiced concerns, but whether they still work there or not would be an open question. Wherever they are, they should be found and put in charge of development.

Ethical engineer: "I've got a problem with doing this, we're storing personal info without permission. Shouldn't we at least have something that lets our users know?"

Ambivalent boss: "I don't think it's a problem, who's going to notice anyway?"

Not that the ethical engineer will get anything more than personal vindication for actually giving a shit.

I would want the CEO to:

1) Immediately delete all of the non-user data

2) Send an apology e-mail to each Path user explaining the situation

3) Write, by hand, a corresponding apology letter for each Path user

4) Hold a townhall-style meeting in which members of the public can ask him questions

5) Pay, out of pocket, the travel expenses of anyone who attends the townhall meeting

6) Wear an indicator of shame (large necklace or a sign) for as long as he is CEO of the company

Seppuku basically

7) Commit seppuku

If “Apple would never do this to their users”, then how is it that Apple provided the API which Path used to do this to their users, without requiring the users to give the app permission (as they do with, say, allowing an app access to a user's location)?

Because it requires two APIs, both of which have legitimate uses:

1.) Get the user's address book and 2.) upload it to a server.

Installing an application implies a higher level of trust than a web application. You can't prompt the user for every API that might have a nefarious use. Location data is also much more sensitive so it makes sense to prompt the user for that.

From the traction this story is getting, it sure looks like address book information is considered sensitive by a lot of people. Possibly on par with location data.

It's sensitive depending on what you're going to do with it. If you're a native app and you want to access it so that you can show me my address book in some unique way, then I don't want to be bothered giving permission. If you're a native app that's just a front end to some social network and you're going to shuttle it off to some big database in the sky, then maybe not.

The problem is that this isn't easily enforceable at the API level without the user having to make decisions. The right level of enforcement is at the app review stage.

> The problem is that this isn't easily enforceable at the API level without the user having to make decisions.

It's not enforceable even WITH the user having to make decisions. The user can not allow the app to upload one kind of data and disallow another (address book). You can only allow ANY upload or no upload at all.

That's certainly Apple's intentional business decision, though. It's simple to provide a way for global abook perms as well as for individual apps.

I guess it's more like

1) Get the user's address book 2) upload _something_ to a server.

A user could give permission to both.

Yeah, but then using apps would quickly descend into a horrible mess of deny/accept, confusing and scaring the user. The pop-up hell of Windows would pale in comparison.

You'd have solved the problem, but created a horrible user experience instead.

Maybe I wasn't clear enough. I wanted to say that it's not possible to solve the problem by asking the user's permission because the API does not allow you to ask for permission to upload specific data (address book). So there is no way to prevent an app from uploading your address book without totally preventing it from uploading anything.

Your message was not lost on me. The mind blowing part (to me) is that it takes years before some average Joe (not necessarily security "expert" by profession) decides to take a look at the logs to see what is REALLY going on behind the curtains - revealing something huge like this. Like you write, unless explicitly stated, companies will default to whatever is in their best interests, which is why Facebook going public should be a worrying thing for those users. As someone wrote, "if you are getting something for free you are not the customer, you are the product."

I've noticed a pervasive attitude throughout the SF social app community that your app is at a disadvantage if it doesn't use all of the (potentially dirty) tricks that other apps use -- especially in a crowded space. If your app is the only one that doesn't do automatic friend discovery, or post to the Facebook news feed, your growth coefficient is going to suffer. Of course if you're the first to be found out doing these tricks, the backlash can hurt more than it helps. It's a gamble, and although the HN community is (rightly) in uproar, Joe average user likely won't care that his address book was uploaded unless he's explicitly told to be upset about it, or unless someone compromises Path's servers and he's personally hurt by it.

> we believe users need further transparency on how this works, so we've been proactively addressing this

I feel like shooting someone every time I see them (or for that matter, anyone else) doing things 'proactively' (at least three times in the comments of original blog post). My BS meter goes all red on that. What does 'proactively addressing issue of transparency' mean? Even the sentence itself is not transparent.

I seriously wonder why so many companies communicate using language like that. Is it because of law? If instead, he'd say "well, we really screwed that one up and we want to apologize; right now we're trying to figure out how to fix those issues, please be patient" - could that get them sued, or what?

The funny thing is that proactively means exactly the opposite: by their own initiative, instead of waiting for someone to find out using a proxy.

Well, maybe I'm missing something here, but I really think it's mind blowing HN-readers are only now realizing this is happening with these kind of apps.

And yeah, if you don't do this (everybody else does AFAIK) you're left with a disadvantage in hooking you up to your friends who also use the service.

I actually think the CEO's response is not that bad.

> so we've been proactively addressing this.

"Proactively" doesn't mean acting after you've been caught.

Actually, it means exactly the opposite.

The problem is any site that decides to grab this data gets an advantage over any site that does not, and the regular users simply don't care enough.

About four years ago, a new trend just started emerging. Sites would ask users for their Gmail passwords and scrape all the users' contacts to invite them to their service. I remember this because I was at a company where I refused to implement a service that requested a user to enter their Gmail password. They got someone else to do it. The issue was that we had competitors using this tactic and they were gaining a lot of users. Unless you have a way to level the playing field, you'll end up just punishing the ethical companies.

The CEO's comment is some grade A bullshit. Obviously they realized this was an issue before they got caught, but if they really thought that it was "important that users clearly understand it" the opt-in would have been in version 1.0, not 2.0.6.

> Apple would never do this to their users.

Apple makes apps prompt me every time they want to know my location or send me push notifications, but they don't require it for the contacts info.

How is managing push notifications more important than leaking private contact info?

I don't want to rag on you, but the answer to this is really, really obvious--Path certainly screwed up, but that's no reason to lose your head and start making silly claims.

iOS doesn't know what's being uploaded by an app. It can't know. They could ask every time an application wants to access your contacts (which, I think, would really suck for UX, and it'd be a context-free question without indication of what the data would be used for), but after that? There is no practical way to know that that data is being sent over the wire to somebody.

Ok, how about asking the first time?

So...what, exactly? "This thing wants to use your contacts." It's a social network. It can be expected to want to use your contacts. It has no bearing on how Apple is supposed to avoid letting Path package up your contacts and send them to Path's servers.

> Apple would never do this to their users.

Perhaps not, but remember that Apple are supposed to have approved all Apps on the AppStore. It's supposed to be for user benefit, to prevent malware, viruses and bad applications. However this app was approved by Apple. What, exactly, is the point of the AppStore approval/walled garden approach if this is acceptable?

But Apple did do this to their users. They are just as culpable as Path, if not more so. If you are going to provide a platform for app distribution, it is your, and only your responsibility to ensure that private information is not abused if you create the illusion that user information is safe.

Not sure why people are down-voting this, but how about offering a counterargument if you disagree instead of just clicking an arrow like a Rhesus Monkey?

Facts are stubborn things.

This data was never sent to Apple servers.

This is false, they do not send a record of your movements to Apple, however they do send GPS+WLAN BSSID correlation data back to Apple,[1] they claim the processed data is anonymized, but there are very powerful deanonymization techniques that can be applied to large data sets. [2][3][4]

I live in almost the middle of nowhere, I guarantee nothing like Google Maps, etc. has ever passed this way to map my WiFi point's BSSID onto a physical location, yet the week a member of my family got an iPhone, plugging the BSSID into a location API gives the exact location of my house...

That's circumstantial evidence at best.

Here's more useless analytical evidence to suggest that most people don't know everything: when Samy Kamkar[0] first demonstrated geolocation via BSSIDs, I tried out every wireless router in my house, including one that had not been plugged into a wall in over 4 years and never at my current residence, long before Google started wardriving for street maps and well before the first iPhone came out. He was able to accurately map it to my old residence. That means that sometime before December of 2006, someone or something was able to snatch my BSSID from someplace, accurately note its physical location in the world, and store that away in some database that was used almost 4 years later. I can guarantee you it was not Apple, and I'd be damned surprised if it was Google at that time.

[0] http://samy.pl/mapxss/

Not surprising. There's at least one collection project that had already been running several years at that time: http://wigle.net/

It's hardly dismissible as circumstantial evidence when Apple themselves have said they do it.

The data was stored on the phone, not sent to Apple, and certainly not to advertisers.

The data was used for GPS assistance -- it was a cache that triangulated your location from cell phone towers to help get a faster GPS lock (and to find your location without GPS if you’re getting bad GPS signal).

If you're concerned about the police finding out your moves, they have access to such information from the telcos themselves with your cell number, whereas to use those stored GPS logs they would need physical access to your iPhone.
