Path app under fire for unauthorized address book upload

Posted:
in iPhone edited January 2014


Path, a popular social networking iPhone app, has come under heavy criticism after it was discovered that it uploads users' address books to its servers without asking for permission.



Developer Arun Thampi encountered the back-end feature while attempting to hack the application to run on Mac OS X. After he went public with the news, it sparked a backlash from users who viewed the address book upload as a violation of their privacy.



Path CEO Dave Morin quickly responded to Thampi by clarifying that the upload was meant to help users find their friends. The Android version of Path recently switched to opt-in, and Morin said that an update to the iPhone version would also switch to opt-in and was awaiting approval from Apple.



The address book upload feature would appear to violate Apple's own App Store guidelines. The iPhone maker specifically states that "apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used."



AppleInsider has contacted Apple for comment, but it has yet to hear back from the company.



Apple has in the past taken a strong and vocal stance on protecting its customers' privacy on the App Store. When the company unveiled its in-app subscriptions feature for the storefront last year, it stated that privacy is "a key feature of all App Store transactions." Publishers initially balked at Apple's insistence that subscriber details not be automatically forwarded on to them.



The application in question is not alone in implementing this feature, as several developers told The Next Web's Brad McCarty that other apps do the "exact same thing."



Path launched in 2010 as a social journal that was meant to be more private than other broader social networking services like Facebook or Twitter. Though the application received warm reviews, it failed to gain much traction until it relaunched last November. The app's user base grew from 10,000 to 300,000 in just two and a half weeks after its 2.0 version was released.




Comments

  • Reply 1 of 19
    jragosta Posts: 10,473 member
    Slimy people. Even after they change the app, Path will not be on my phone.
  • Reply 2 of 19
    There's no direct way to delete your account from the Path app nor their website.



    I requested them to do so earlier today, but I have yet to hear back from them. In any case, I am done using their services. They have lost my trust.



    Someone else who cares more about user data, privacy and disclosure will replace Path.
  • Reply 3 of 19
    2 cents Posts: 307 member
    Summon the firing squad!
  • Reply 4 of 19
    nasserae Posts: 3,167 member
    Apple should enforce the rule and ban the developer from the app store to make an example of them.
  • Reply 5 of 19
    Quote:
    Originally Posted by NasserAE View Post


    Apple should enforce the rule and ban the developer from the app store to make an example of them.



    Absolutely!



    Who knows what other data they may have managed to extract from users' phones? bank info? credit card info? SS info?



    about the data they stole from users' phones - have they sold it to any 3rd parties yet?



    Anyone in his right mind will dump the app and never deal with the company again. Apple should do the same, but likely will not.
  • Reply 6 of 19
    Meh. FaceBook probably does stuff like this all the time and you unknowingly agreed to it. For example, FB knows what web sites you visit if that site has a "Like" button--even if you never click the like button. It's there, and it records your IP address and links that back to you.
  • Reply 7 of 19
    nagromme Posts: 2,834 member
    Quote:
    Originally Posted by Suddenly Newton View Post


    Meh. FaceBook probably does stuff like this all the time and you unknowingly agreed to it. For example, FB knows what web sites you visit if that site has a "Like" button--even if you never click the like button. It's there, and it records your IP address and links that back to you.



    That doesn’t let Path off the hook—it makes Facebook a problem too!



    Thank goodness for whistleblowers and hackers, finding these things out. No Path for me—the company is disreputable even if they change certain things just because they got caught. And although I do have a Facebook account, I don’t stay logged in. So those Like buttons can’t track me.



    EDIT: I stand corrected. Facebook can track you even when logged out, but they “say” they don’t keep most of the data they gather that way:

    http://blogs.wsj.com/digits/2011/09/...ged-out-users/



    Better clear those cookies!
  • Reply 8 of 19
    It's quite easy for apps and websites to find ways to "steal" your info. An easy solution is to have separate profiles on your computer, one for business and the other strictly for social networking (with the social networking profile never having personal or sensitive data). As for the iPhone apps? Developers should be immediately and permanently banned, and Apple should be more attentive to the back end of submitted apps preventing such matters from reaching the app store.
  • Reply 9 of 19
    jkichline Posts: 1,369 member
    Quote:
    Originally Posted by old-wiz View Post


    Absolutely!



    Who knows what other data they may have managed to extract from users' phones? bank info? credit card info? SS info?



    about the data they stole from users' phones - have they sold it to any 3rd parties yet?



    Anyone in his right mind will dump the app and never deal with the company again. Apple should do the same, but likely will not.



    The information you are referencing (CC, SS#, etc) is not available to developers. The contact information they retrieved is available in the iOS SDK and anyone can retrieve it freely. It's really hard to say they stole it when it's freely available in the SDK, although they should have stated that they were doing it, or asked to do it.
  • Reply 10 of 19
    jkichline Posts: 1,369 member
    I think there are a number of people who are pissed that this information was shared without user consent. I think that's a fair generalization. However, many of the apps that you know and love work because they upload something about you to a server. This includes Twitter, Facebook, Google, etc. Many apps upload your device ID number to keep track of you. It's not because they are trying to do something nefarious, but without this information the features of these apps won't work. Path is able to connect you with other Path users *because* it accesses this information. It's one of the reasons it works.



    An app I have written uploads your GPS coordinates occasionally to offer location based data that offers the user a lot of value. Yes, you agree to have your location tracked, but what am I doing with that information? Don't be fooled, this is happening all around you.



    Not to sound like a jerk, but... get used to it. Privacy is dead. If you want to have high technology and amazing features and want it for free, don't expect to never share any of your information. If that's the case, you probably want to sell your iPhone/Android and pickup a CB radio. Let's face it, for $10 I can find out anything I want about you by just knowing your name thanks to the interconnectedness of the Internet and public records.



    Hopefully app developers let you know what they are doing with that information, but most people don't care or won't understand.
  • Reply 11 of 19
    Quote:
    Originally Posted by appleinsider View Post


    it uploads users' address books



    =



    Quote:
    Originally Posted by appleinsider View Post


    user base grew from 10,000 to 300,000 in just two and a half weeks after its 2.0 version was released.



    ?



    Maybe they create profiles for every uploaded contact and call them a user!



  • Reply 12 of 19
    ascii Posts: 5,936 member
    I simply don't use the Apple Address Book. I like the look of it, and the way it works, it's just that they provide an API for it.
  • Reply 13 of 19
    irnchriz Posts: 1,616 member
    Quote:
    Originally Posted by ascii View Post


    I simply don't use the Apple Address Book. I like the look of it, and the way it works, it's just that they provide an API for it.



    What do you keep all of your contacts in in your iPhone?
  • Reply 14 of 19
    This is a gross overreaction to a feature that is actually used by countless apps on the app store (e.g. Kik or any chat app).

    All it does is it cross references your address book contacts with their database of active users to help suggest which friends to add. In order to perform the cross referencing, it needs to upload your address book contacts to their server.



    I believe this can only be done if you elect to find friends by address book.
  • Reply 15 of 19
    habi Posts: 317 member
    Quote:
    Originally Posted by jkichline View Post


    I think there are a number of people who are pissed that this information was shared without user consent. I think that's a fair generalization. However, many of the apps that you know and love work because they upload something about you to a server. This includes Twitter, Facebook, Google, etc. Many apps upload your device ID number to keep track of you. It's not because they are trying to do something nefarious, but without this information the features of these apps won't work. Path is able to connect you with other Path users *because* it accesses this information. It's one of the reasons it works.



    I don't think that all the information Google collects is really needed to make web searches for me. It's just that it's their business to profile me to serve targeted ads to me. It has nothing to do with making a web search. Rhheheheeeeaaaallllyyyy!!!!! Why would Google need to know my device ID to serve me search results? Huh. I read Google's new privacy policy and I WON'T use ANY Google services after this my logging into them.

    Going to delete my Gmail account (took a me.com account from Apple). I even asked Apple what the privacy policy is for Google Maps on the iPhone (are they collecting info of me and my devices and locations). If so they should switch NOW to someone else's map service.

    I really hope people stop using Google services if they stop to think about what they are starting to do about private information collection. It's this thing that they were telling years ago "no, we would _never_ do that!"

    Do I want my Google Chat talks recorded? Hell no.

    GET OUT OF GOOGLE ACCOUNT SERVICES WHILE YOU STILL CAN!!!! (before 1st March!!!)

    At least Twitter's and FB's core business isn't refining serving of ads for their web site users (which is done better by knowing what you like and where you are, how rich you are, who your friends are etc).

    When do people start thinking about the information they are sharing....
  • Reply 16 of 19
    cnocbui Posts: 3,613 member
    Oh dear, did someone just deposit excrement in the vaunted sandbox.



    Android is so virus prone....You can't trust Google....Facebook is evil....Apple protects us from all the nasties of the world....



    It isn't nice when any entity does this sort of thing, no matter what platform. Perhaps some people will stop being so supercilious when it comes to the 'dangers' of using Android, but I doubt it.
  • Reply 17 of 19
    habi Posts: 317 member
    Quote:
    Originally Posted by cnocbui View Post


    Oh dear, did someone just deposit excrement in the vaunted sandbox.



    Android is so virus prone....You can't trust Google....Facebook is evil....Apple protects us from all the nasties of the world....



    It isn't nice when any entity does this sort of thing, no matter what platform. Perhaps some people will stop being so supercilious when it comes to the 'dangers' of using Android, but I doubt it.



    Would you trust your life in the hands of a medical doctor OR an organ sales rep that is also a doctor? You only need to look at what the big picture is in each case who gets wealthy from what. I think the organ sales rep gets a bigger share from selling your kidneys and other organs so I don't trust his judgment over my life! Ask yourself what is Google's motive for Android, Google+ AND the new privacy policy??? Or are you still in denial??? SMACK - SLAP!!!

    Google doesn't give a fsck about you, it only cares about its advertising dollars! The pedestrian drone running after "free" stuff is just the means to an end.
  • Reply 18 of 19
    The fault is with iOS.



    Ever since I got the Kik app which does the same thing, I realized that unlike Location data, iOS does not have a security prompt for Contact access.



    Apple need to implement finer grain security for Contact/Calendar access etc. I.e. an app should be sandboxed and not be granted access to anything private without prompting the user. Just like it does with Location.
  • Reply 19 of 19
    dualie Posts: 334 member
    They ALL want to "help" you don't you know.