The popular photo sharing service Path is deep in the weeds today after a blogger revealed that the company's app automatically uploads iPhone users' entire address books to its servers.
In a blog post, a developer named Arun Thampi said that he discovered that his "entire address book (including full names, emails, and phone numbers) was being sent...to Path." And while he also wrote that he wasn't accusing Path of doing anything "nefarious," he noted that the service had never asked for his permission to upload something as sensitive as his contacts.
In a response to Thampi's post, Path founder and CEO Dave Morin wrote:
"We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and [efficiently] as well as to notify them when friends and family join Path."
Morin's response also noted that while Path has specifically been asking Android users for permission to upload the address book for "a few weeks," the company has not yet made the feature opt-in on iPhones. Path is "rolling out the opt-in for this in 2.0.6 of our iOS client, pending [Apple's] App Store approval."
Path launched the 2.0 version of its app in November.
Some, of course, are wondering why Path didn't make the address book uploading opt-in to begin with on iOS devices. The alleged Morin comment also addressed this point, reiterating that Path is rolling out opt-in functionality in its next update and explaining how users can have their data deleted from the company's servers: "We fundamentally believe that you as a user should always have control over your information and data and you can always email our service team and we will remove anything you'd like from our servers."
Apple, of course, has learned the hard way that it needs to be strict about how iOS apps use, share, and distribute users' private data. And in the most recent version of its App Store guidelines, Apple writes specifically under the subheading of privacy that "Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used."
One question then is how Path's address book uploading functionality made it past Apple's famously strict vetting process. Apple did not immediately respond to a request for comment.
Update (Tuesday, 4:44 p.m. PT): This story now includes confirmation of Path CEO Dave Morin's response to Thampi's blog post.