Users of the iOS app Path should be concerned about the app’s newly discovered privacy issue: it sends a .plist file containing the contacts in your address book to its server. The .plist file includes the names, phone numbers, and email addresses of these contacts, and it is sent when you register for an account with the service. The .plist was discovered by blogger Arun Thampi while packet sniffing the app, and users of the app now have a legitimate reason to be concerned about how that data is being used and why Path uploads it to its server in the first place.
Thampi’s blog post goes more into the technical details behind all of this and outlines how one can recreate the situation.
The co-founder and CEO of Path, Dave Morin, issued a statement on the privacy concern that this has brought up:
“We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.”
While this is certainly better than nothing, as users will soon be able to opt out of having that data transmitted in an update to the app, it doesn’t change the fact that this has already happened and doesn’t do anything to reverse it. Morin also doesn’t explain why Path has been transferring users’ address books to its servers, which is kind of a sketchy dodge of the real concern behind everything.
Let’s hope the good people at Path don’t decide to do anything they’ll regret with all of that personal contact information, and that they will solve this issue the right way.