Path Changes Direction on Privacy

Path, the mobile-exclusive personal social network, found itself in the limelight when it was discovered that the startup collects and stores its users’ address book data without consent. According to the company’s blog post, “the use of this information is limited to improving the quality of friend suggestions when you use the ‘Add Friends’ feature and to notify you when one of your contacts joins Path.”

I’m not a developer, but if I understand the statement correctly, in order for Path to notify you instantaneously when any of your contacts joins the network, it first has to know who your contacts are. This will only work when the network has your address book data on its servers.

Viber, a popular VoIP app for iOS and Android, has a similar feature. Whenever a contact of mine joins the service, I’ll be notified instantly by a push notification. A check on its privacy policy reveals that, just like Path, it’s also storing our address book data:

A copy of the phone numbers and names in your address book (but not emails, notes or any other personal information in your address book) will be stored on our servers and will only be used to:

(a) notify you when your contacts become active on Viber,

(b) indicate which of your contacts is already a Viber user,

(c) correctly display the name of each contact as it appears in your address book when a call is received.

Path’s privacy policy, on the other hand, is not so upfront. In fact, the link to its privacy policy is nowhere to be found on the homepage. That could explain its users’ lack of awareness of the app’s data collection behavior, and the subsequent uproar when the fact was revealed by a third party.

The Aftermath

Following the debacle, Path took drastic steps to regain users’ trust. First, the startup made the decision to delete all of its users’ address book data from its servers. Second, it has modified its mobile apps to stop collecting the said data automatically, without consent. Users can now opt in or out of sharing their address book data with Path’s servers.

That’s a good move to regain users’ trust, but Gawker cautioned us not to trust the startup so easily again. According to the blog, Path founder Dave Morin once said that “Path does not retain or store any of your information in any way,” in a response to a similar allegation in 2010.

Of course, it turns out that they actually do. There are two possibilities. Either Morin was lying, or Path only started collecting address book data some time after Morin’s response. The latter could be the case, as Path was drastically revamped just a few months ago. I believe Morin will respond to Gawker’s post in a timely manner to minimize the damage it could cause.

Who to Blame?

Is it really Path’s fault for not requesting users’ consent before uploading their address book data, or is it Apple’s for not requiring apps to do so? If users freak out when Path, a high-profile startup, collects their address book data, how would they feel when they learn that just about any other app, even those by dodgy publishers, is capable of doing the same?

Apple made it mandatory for apps to request the user’s permission in order to access location data. But why isn’t it doing the same for address book data?

This is an issue that has to be addressed by Apple, especially when iOS is slowly creeping into the enterprise environment, where security and privacy are paramount. Just recently, multinational corporation Halliburton announced plans to issue iPhones to its employees, instead of RIM’s BlackBerry.

The company may have to reconsider its decision if Apple remains silent on this matter.
