App gone wild: Path uploading address data without permission

More trouble for users and their data privacy as news came in today that Path , an iPhone app that works as a smart journal, has accessed the address books of users and uploaded them to their servers without permission. According to TheNextWeb , this was discovered by developer Arun Thampi  who wrote about it on his website. Thampi clarified as well:

 I’m not insinuating that Path is doing something nefarious with my address book but I feel quite violated that my address book is being held remotely on a third-party service… I wonder how many other iOS apps actually do the same…

Path allows users to share thoughts, the music one is listening to, photos, videos, etc, with their friends. Thampi’s last point is actually quite valid for all smartphone users irrespective of whether you have Apple phone or Android device. Too many times, when downloading an app, we see that it wants access to our messages, address book, etc; so clearly, users are not entirely unaware of what information apps have access to. In fact, the Path app on Android clearly states that the app will have access to phone calls and all personal contact information. The trouble with this is that friends of a user who are not using Path will also have their information accessed by Path. [caption id=“attachment_207290” align=“alignleft” width=“380” caption=" Path’s Android reviews already has comments from angry users who are outraged by this privacy violation. Getty Images"] [/caption] According to  TechCrunch , Path has 2 million users and let’s say they each have a low estimate of about 50 contacts in their iPhone. All in all, that’s 100 million addresses in the Path database — a database which we know very little about, in terms of security. TheNextWeb has an insightful post on the whole Path debacle arguing that what it  actually reveals is how carelessly users and Facebook have been treating privacy.

While Path isn’t without fault here, it certainly doesn’t seem malicious. Apple isn’t innocent in all of this either. A bigger part of the problem is how we as users see our privacy …

Meanwhile Dave Morin the CEO of Path has responded to these concerns with the following comments:

 We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more… we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

For now the bigger issue that remains is that apps want access to a bunch of information most of which is at times not linked to why one is downloading the app. For instance users of the Facebook app should know that the app can send messages from their phone. Sharing via Facebook, Twitter or email is a great feature that nearly every  app comes with but it comes with its own cost to user privacy. And yes, while everyone wants to share that ‘cool photo’ on Facebook ‘asap’, one also inadvertently links personal information to the app when using it to share. This is not to say that users are entirely unaware of and very often choose to overlook this crucial fact, but it is unlikely that the magnitude of this open door policy has sunk in. This doesn’t just apply to apps but also websites. The fact that one uses Twitter/Facebook to access virtually any web experience is fraught with data privacy complications. Ideally, the entire opt-in process as it were, must become more thoughtful for users, and more informative from the point of view of app-makers. Currently while downloading apps, one is forced to grant the apps rights that users would not normally be comfortable giving up. Clearly app developers, Google, Apple and Facebook, all need to wake up and treat data privacy and rights with a lot more respect. PS: Path’s Android reviews already has comments from angry users who are outraged by this privacy violation.