Path, the excellent mobile social network for iPhone and Android, has a self-inflicted problem on its hands. Developer Arun Thampi noticed that the iPhone version of Path’s app uploaded his address book–unencrypted, in its entirety, without permission–to the company’s servers. He wrote about it, and an interesting conversation is going on in his comments, including responses from Path cofounder Dave Morin.
It turns out that Path has already made the uploads opt-in for the Android app, and has submitted an iOS update that does the same to Apple’s App Store. Little by little, Morin is addressing the company’s actions–it uses the address-book info to find your friends on Path–and expressing regret for grabbing personal information off phone without permission. But he hasn’t explained himself to the satisfaction of all of Thampi’s commenters, and the Path Blog doesn’t yet cover the kerfuffle. It’s not clear that Path thinks this a particularly big deal.
I don’t doubt Morin’s word that Path was using address-book information for an innocuous, useful purpose. But that doesn’t get it off the hook: That information could be intercepted, or stolen off Path’s servers. Or maybe some Path users would simply prefer that their stuff not leave their phone without explicit permission. Path is, after all, a service that plays up the notion that plays up privacy. As its own site says:
Path should be private by default. Forever. You should always be in control of your information and experience.
I like Path and hope that it thrives–so I’ll be happy if this mini-controversy dies down quickly. A “We screwed up badly and here’s how we’re ensuring it won’t happen again” statement from the company would help.
And if we’re lucky, other developers are watching and making mental notes about the steps they should take to avoid making the news in the way that Path did today. It’s not all that complicated. In cases like this, asking permission is always smarter than asking forgiveness.