Path apologizes, offers opt-out for address book uploading
Social networking app Path issued an apology through its blog on Wednesday for the implementation of a back-end "feature" that uploaded a user's iPhone contacts list to the company's servers, and released an update to remedy the problem with new opt-in/opt-out settings.
On Tuesday, developer Arun Thampi discovered that the Path app was uploading user contacts in an unseen background task, which triggered a subsequent deluge of criticism from those who viewed the action as a privacy violation.
Path claims that the data upload was meant to streamline the app's "Add Friends" feature, not to hoard sensitive information:
Quote:
We are sorry.
We made a mistake. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts.
As our mission is to build the world’s first personal network, a trusted place for you to journal and share life with close friends and family, we take the storage and transmission of your personal information very very seriously.
Through the feedback we’ve received from all of you, we now understand that the way we had designed our ‘Add Friends’ feature was wrong. We are deeply sorry if you were uncomfortable with how our application used your phone contacts.
The letter goes on to explain that the information gathered is used to improve the quality of friend suggestions and to notify users when a contact joins Path. The data transfers are also encrypted and stored on "servers using industry-standard firewall technology."
In response to the public outcry, Path has erased all user-uploaded contact information in concert with the release of an updated version of the software that prompts users to select whether they want to opt in to sharing contacts.

Path has released an updated version to fix privacy issue. | Source: Path
Path 2.0.6 is currently available in the App Store.
Comments
That would be the perfect gesture if they had ACCIDENTALLY collected the data and never realized it was happening.
But this “mistake” was not some accident or technical glitch, and just because they chose the right PR move after they got busted, that doesn’t make them a company I can trust.
Doesn't Apple screen apps?
Apple needs to add more bricks to that wall garden. Maybe a dome?
If they really want us to trust them, shouldn't they make this an opt-IN service, rather than opt-out? I shouldn't have to hunt for a setting inside the app to turn something like this off, it should explicitly ask me to turn it on.
It was probably in their EULA
Doesn't matter. Apple doesn't allow it at all.
Well Apple screwed up. They should have denied the app.
More bricks on the walled garden
Exactly. This exposes an enormous problem with Apple's procedures if an application can get approved while doing something like this.
From what little I have seen on this incident, Apple seems to be getting a pass in the coverage and I don't understand why. Has any person/site covering this asked Apple about what went wrong and what are they planning to do to prevent something like this in the future?
I heard an iOS developer talking about how easy it is to get bad behavior around Apple's approval process. He said that all he has to do is have the app check for a date past the time Apple would have approved the app. Once that date arises, the app would then go out to his web site and get instructions that would change its behavior. The developer indicated he is already using this technique to collect data that Apple wouldn't normally allow.
Walled garden indeed.
-kpluck
Nearly sounds like a clever marketing trick this whole thing.
next cleaver idea. Steal peoples apple I'd and use it to buy your app
Pwned by your spellchecker.
Damn.
I wish Apple would catch these offenders automatically—let the arms race begin!--but neither Apple nor Google does so at present. At the same time, Apple never promised to make this abuse impossible: their policy is simply to disallow it, but it must first be caught.
This isn’t the first nor last instance, just a high profile one.
I do think they deserved to be kicked off the App Store even AFTER this fix. That "feels" fair! However, any developer might make a mistake, so that’s a bad policy for Apple to set: imagine if your favorite app accidentally sent data even if you opted out. It should be fixed or get pulled by Apple—and I’m glad fixing it is an option. Punishing the company after the fix would also punish its users.
I'm all for giving this company another chance -- in time. But it won't be with my data. I'm still waiting for the final e-mail confirming my Path.com account has been permanently deleted.
As punishment, Apple should ban this company's apps from the App Store for one year and institute a resubmission fee for the banned app, like $10,000 to cover increased monitoring costs during a three-year probationary period. In addition, Apple should stipulate that account deletion be possible from the app itself. Currently, there is no way to delete an account on their website apart from sending an e-mail to their customer service inbox.
That would send a far stronger message to other app developers about respecting the privacy of user data.
Apple makes a point and touts that they examine all the apps that they approve. So either they knew about Path copying the entire contacts of users or they were negligent.
Wall Garden Failed. More bricks on the wall
Sometimes, you people are despicable.
Suddenly, everyone's a dev company, with years of experience in management of men AND complete understanding of Apple processes? Come on. Those guys MAY have tried to play un-nice. They also may have made an honest mistake. It's Apple's to decide. Don't burn the guys yet.
This is not Mississippi, 1830. There is a legal system. There are rules in place. And by the way, how many of you buy games at EA and Sony? If you're SO DISTRAUGHT by such "horrible practices", shun them (the bigger, multibillion companies) first. Sue them. Don't just go with the crowd.
It's just not credible to me, that they put this feature in, and the privacy implications never occurred to anyone. And I am a person who gives people the benefit of the doubt by inclination. Unless they outsourced development to another country where people have different values, and it didn't even occur to them that people might mind.
And of course, you perfectly understand all the programming in the app, since the source is open and you know Objective-C? You also know exactly how competitors' apps work, since they're also open source?
Gimme a break.
Apple doesn't. They have some automated tests and some human screening. They can't just test everything or they'd need human readers to go through the source of everything, which would raise monopoly issues. Imagine if Microsoft demanded access to the source of every Windows program ever made to authorize it to run?