What Path did with users' address books was ill-advised, to put it kindly. But thanks to the company's blunder, Apple will finally do what it should have done years ago: enforce its address-book protection policy.
Apple said today that apps that are collecting user contact lists without permission are in violation of its app guidelines, and that a software fix is on the way to keep that from happening.
The practice of rifling through address books is at the core of many social apps.
Apps vendors are running fast, trying to build the best social apps they can. Social apps are by nature interconnected, and the best way to build a socially-connected user base is to throw all users' contact books together and see who's connected to whom, to give users the option to match up, in their apps, the connections they already have.
Other vendors have done this, and in fact have been burned by it. Ted Livingston, who launched the Kik instant messaging app in 2010, knows Path's pain. He's been there. His app absorbed address books. Not because Kik had any intention of misusing the information or in breaking users' trust. In fact, Livingston told me, "We thought it was a cool feature of the app. We didn't think it was a violation of privacy."
Was he naive? Certainly. He was 22 at the time, running an app that had achieved explosive success: it had 2 million users after 22 days. (This figure has been corrected from the original version of this story.)
Kik revised its contact data-collection procedure fast when a Path-like (but smaller) dust-up arose. "We got messages from a handful of users who told us we should be asking for permission." Then it became a painful news item, Livingston said.
Livingston said it took Kik "just a few days" to modify the app to be more transparent. Not only did new alerts tell users that their address book would be uploaded, but a secondary confirmation, if you opted out, reminded them that the whole point of the app was to make connections. "Are you sure?" the pop-up asks. "You will have to add each of your friends manually."
Other companies use hashing or encryption to protect address book privacy. Localmind CEO Lenny Rachitsky, for example (see Localmind gooses location-advice service) told me that "We hashed all address book data and sent it over SSL." So not only were users' address books not human-readable on the Localmind servers, but the transmission of the data was encrypted on the way there.
You are not your user
The challenge for developers is to recognize that data that one person doesn't care about may be of life-or-death import to another. That's why being deliberate when it comes to data practices is a good idea. But deliberation slows you down.
And that's why the platform companies, like Apple, Google, and Facebook, have to moderate developers eager to have their app suck up data first, and ask questions later. This has already happened with location data to a much greater extent than it does with address data. And Google, at least, does block Android apps from accessing address books without user permission. Facebook provides social matching as a service to developers who use that social network--so Facebook-reliant apps don't actually get the address books.
Apple has been behind in this. It relied on policy to protect address books. That policy, clearly, has failed. And it failed a long time ago.