Path, Privacy and Permission

Earlier today Arun Thampi published his investigation into data uploaded by the iPhone application Path. Arun was participating in a hackathon when he noticed Path making an API call that indicated it was submitting a contact from his phone. Upon further inspection it was determined that Path had uploaded his entire address book to their servers.

Dave Morin the CEO of Path quickly responded on Arun's blog when negative sentiment started spreading online about Path's contact uploading.

"Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

Dave Morin

Co-Founder and CEO of Path"

The general sentiment on Twitter at least is that Path shouldn't be doing this or at the very least should be asking user's permission before uploading their entire address book. I don't know Dave but it appears from his swift response and continued response on Twitter that this was not a nefarious use of data and truly was designed to enhance the user experience. Dave seems like a stand-up guy and Path will weather this, but it does bring up a good lesson for those developing applications be they web apps or mobile apps.

You must put yourselves in the shoes of the user and respect them.

At my previous job we investigated the use of aggregated, largely anonymous data to compare an individual to a larger peer set. This was essentially utility consumption data (electricity and natural gas) that would be aggregated anonymously such that a peer comparing it would never see the original data points but only see three aggregate comparison groups to their own consumption. We didn't collect names or even specific addresses but we encountered enormous pushback from various partners that insisted this data could not be shared without explicit user permission.

As a developer and prolific user of online and mobile applications this seemed overly protective and pessimistic. I was initially not able to put myself in the customer's position. Personal data, any personal data carries with it details about someone's life. Potentially damaging or life threatening secrets in the case of who you might have in your address book. 99.9% of the time contact lists and information like energy consumption are probably benign but the customer doesn't know how that information is stored or the entirety of its use.

I think people are concerned for the most part about the things they can't conceive of, not the things they can. Add to that the general and justifiable mistrust of companies and you can see why many of the comments in Arrun's blog post are in my opinion exceedingly over the top in terms of criticism towards Path.

I believe Path are taking the right approach. 1. Admit to the mistake, quickly and honestly 2. Deal with feedback in a calm and professional manner 3. Define how you will address the problem

Developers need to be conscious of the information they're collecting. Keep it to a minimum and ensure your motivations are to improve the experience for the user. Ensure that you're explaining your reasons clearly and always ask for permission.

Update: Path has issued an update to the app and a statement that they will remove all uploaded contact information and have added an opt-in prompt in the new version when you add a contact.