Path co-founder Dave Morin takes the high road today, after the news that your complete contact list is being uploaded to their servers. This morning a developer named Arun Thampi released an article titled: Path uploads your entire address book to their servers. Included in the article were a number of screenshots and detailed instructions to replicate his findings. Though there is no time stamp on the article, the first comment was left by Dave Morin, instead of ignoring or running from the issues he chose to immediately respond. First with the comment:
Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently[sic] as well as to notify them when friends and family join Path. Nothing more.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
Co-Founder and CEO of Path
*Italics – Emphasis mine
A number of questions and comments followed.
From Matt Gemmell:
I’m sure I speak for everyone when I say that I appreciate the reply. However, you haven’t addressed what I see as the three main issues:
1. Why are you uploading the actual address book data, rather than (say) generating hashes of the user’s email addresses locally, then uploading just those hashes? You’d be able to do friend-finding that way, and similarly if you uploaded hashes of all email addresses in the user’s address book, you’d be able to do your notifications of when a friend joins. At no point would your servers ever need to see the actual email addresses or phone numbers from our contacts.
2. Why wasn’t this an opt-in situation to begin with? Isn’t that against Apple’s own T&Cs?
3. How can we have our contact information deleted from your servers, if we wish to do that?
I’d very much appreciate a response to each of these three points
1. This is a good alternative solution which we’ll look into. Thanks for the idea.
2. This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we’ve been proactively addressing this.
3. As I mentioned in the previous answer, we are rolling out this functionality for 2.0.6. In the meantime, if you would like your data deleted from our servers please contact our service team at firstname.lastname@example.org. We take this same policy for any of your data, if you’d like your account deleted, including all data, we’re happy to do this as well. We fundamentally believe that you as a user should always have control over your information and data and you can always email our service team and we will remove anything you’d like from our servers
*Bold emphasis mine.
This is a good step. Path may have made a mistake (I am of the opinion they made a misstep – it is only a mistake if they don’t learn from and rectify the issue). This is NOT a new issue. Business Insider erroneously states that Facebook does not do this. That is false. A few months ago it was made public that Facebook does upload your phone contacts to their servers. There are steps users must take to remove this information though finding the instructions to do so is extremely difficult on Facebook. There is no guarantee that these will actually be deleted from their servers.
The quick response to a disaster such as this can make a huge difference. By both acknowledging the issue and offering steps to take to remove the information Dave and Path have proven that they are paying attention and will move to address these issues. While this could have been avoided by any number of decisions, it wasn’t. Path had apparently made changes to the Android version released a few weeks back, stating that they collect your address book and then give you the option to opt-in and are in the process of awaiting approval on the App Store.
Revisiting the title – Path, your contacts, and disaster response: Dave Morin takes the high road - or not? Today Path posted this statement on their site, apologizing for the mistakes that they have made and they have made the decision to “Nuke the data”
We believe you should have control when it comes to sharing your personal information. We also believe that actions speak louder than words. So, as a clear signal of our commitment to your privacy, we’ve deleted the entire collection of user uploaded contact information from our servers. Your trust matters to us and we want you to feel completely in control of your information on Path.
I think this is a good start and hopefully up and coming startups will learn from the missteps of others and choose the most secure and least invasive option in making social connections.