The mobile social network Path landed in the middle of a privacy firestorm this week, thanks to developer Arun Thampi, who learned that the company was uploading users' entire address books to its servers.
"I’m not insinuating that Path is doing something nefarious with my address book but I feel quite violated that my address book is being held remotely on a third-party service," Thampi wrote in a post outlining his findings. "I love Path as an iOS app and I think there are some brilliant people working on it, but this seems a little creepy."
Today, Path CEO Dave Morin apologized. He said the company has rolled out a new version of its program that prompts users to either opt in or opt out of sharing their address books. Morin added that Path has already deleted the data it collected about users' contacts.
"We are deeply sorry if you were uncomfortable with how our application used your phone contacts," Morin said. He added that Path's use of the data "is limited to improving the quality of friend suggestions when you use the ‘Add Friends’ feature and to notify you when one of your contacts joins Path."
Morin was smart to have acted quickly. Still, the incident is yet one more instance of a tech company treating privacy as an afterthought. Consider that last year, KISSmetrics and Carrier IQ found themselves embroiled in privacy dust-ups after independent experts reported on the companies' technology.
In the case of KISSmetrics, privacy experts showed that the company was using ETags to store data in users' browser caches; when people erased their cookies, the company was able to recreate them with the information in the ETags. Carrier IQ has been under fire since late last year, when a developer posted a video showing how the company's software could log keystrokes. Both companies initially downplayed the significance of those findings. Both have since revised their software, or promised to do so.
As with Carrier IQ and KISSmetrics, Path could well soon face litigation over the uploads. Scott Kamber, who has sued numerous Web companies for privacy violations, tells MediaPost that Path's data collection is actionable. "It's no longer a valid excuse to hear app developers say, 'Now that you've caught us, we'll fix it,'" Kamber says. "If these guys truly don't get it by now, they don't deserve custody of the personal information they're harvesting."