Earlier this week, a Singapore-based iOS software developer made a startling discovery while working with the popular social-networking app Path: in the course of every new account creation, Path uploads the new user’s entire iPhone address book to their servers. To its credit, Path responded quickly, with its CEO and co-founder Dave Morin explaining that they use the address book data for “friend-finding” and “nothing more.” He also asserted that this technique was an industry standard for social iOS apps.
That response wasn’t enough to contain the firestorm of angry user reactions. Within a day, news of the address book upload had spread, and researchers discovered evidence of similar behavior by other apps, like the photo-sharing service Hipster. Path publicly apologized and promised to delete the address book data stored on their servers, and to begin using an opt-in system immediately. Hipster has also apologized, and plans to host an “Application Privacy Summit” at their office this month.
The strong user reaction demonstrates a fact that online privacy advocates repeat often: even as norms of sharing evolve online and in the social networking space, users still value their privacy highly. Users want control over how their data is shared, even if they ultimately choose to share it. By collecting information about not only Path users but also all of their contacts, Path violated the trust and the privacy of their community (not to mention their own privacy policy), and witnessed the backlash.
In their apology, Path acknowledged that the way they designed the “Add Friends” feature was wrong, which is true. As they acknowledged, they could have generated a “hash” of the e-mail addresses to provide a unique identifier. This would have allowed the matches necessary for friend finding, while being incapable of being converted back into the original address. Hopefully they will adopt this protection soon.
They also could have provided reasonable disclosure of the information they were collecting, but even that is not enough — applications on Android OS allow granular permission control, for example, but many users simply click through the installation process. Users need information present in a clear and understandable manner that allows them to make intelligent choices.
Setting aside the question of whether Apple should even allow application free access to sensitive user data like contact information, the route Path has now chosen — an affirmative opt-in process that explains what Path will collect — is certainly a good start.
Regardless of whether practices like checking addresses for friend-finding are “industry standard” in social apps, users expect and deserve respect from the providers of the services they use, and that means protecting personal data needed to use the service. Hiding behind the rationale that a certain functionality is commonplace among similar apps is not sufficient, the process must be proper whether it’s the uploading of data in the first place or its long-term storage.
In a Wired interview about the “privacy kerfuffle”, Morin assured Path users that the company stores address book data behind a firewall, and that they’re meeting with TRUSTe about their privacy policy compliance and keeping data secure. There was no mention of encrypting the data on the servers in case the firewall might fail. Even with industry standard security practices in place, the data is still vulnerable to a breach or a subpoena. Companies collecting personal data like Path have an obligation to keep as little personally identifiable data as necessary to provide their services.
Path is taking the right steps to recover from a public relations disaster, but providers of social services should take note: these problems are avoidable. Innovative products and rapid development are great, but service providers need to respect their users or be prepared to face the fallout.