Developer Arun Thampi was doing a bit of hacking around with Path 2, trying to get a version of it running on OS X as an experiment, when he discovered that the app actually uploads your entire address book when it is launched. This obviously raised concerns about what the app is doing with that information and, in fact, why it needs it at all.
Now Path’s CEO Dave Morin has addressed Thampi’s concerns in a comment below his post:
We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
So. Much. Tech.
Some of the biggest names in tech are coming to TNW Conference in Amsterdam this May.
Note that many applications on the App Store that have anything to do with address book data do grab it, hash the data and save a checksum, ditching the plain text data afterwards. It’s a fairly standard procedure, but normally the data is not stored whole on the servers, which is a move that Path still has yet to justify or clarify.
There is also the matter of the application not asking explicit permission to access and/or store the data, which the Android version does. The iOS version currently out does not, but Morin says that an update is on the way which will.
These questions, along with an additional request to be able to delete the existing contact data from Path’s servers, if it is indeed stored there, were also asked by developer Matt Gemmel, in a response to Morin’s comment.
Morin then replied further, saying that the Path team would look into implementing the hashing procedure. He also says that the App Store guidelines do not specifically require a notification to the user, although he does acknowledge that it is the current ‘industry best practice’.
Morin also reiterates that the ‘opt-in’ functionality but says that “We fundamentally believe that you as a user should always have control over your information and data and you can always email our service team and we will remove anything you’d like from our servers.”
To that end, if a user would like the entire account, or just their address book data, deleted, Path is happy to do so if a user contacts it at email@example.com.
We have reached out to Path for comment and clarification and will update this post when they respond.