The mobile social network Path landed in the middle of a privacy firestorm this week, thanks to developer Arun Thampi, who learned that the company was uploading users' entire address books to its
servers.
"I’m not insinuating that Path is doing something nefarious with my address book but I feel quite violated that my address book is being held remotely on a third-party service,"
Thampi wrote in a post outlining his findings. "I love Path as an iOS app and I think there are some brilliant people working on it, but this seems a little creepy."
Today, Path CEO Dave Morin apologized. He said the company has rolled out a new version of its program that prompts users to either opt in or opt out of sharing
their address books. Morin added that Path has already deleted the data it collected about users' contacts.
"We are deeply sorry if you were uncomfortable with how our application used your
phone contacts," Morin said. He added that Path's use of the data "is limited to improving the quality of friend suggestions when you use the ‘Add Friends’ feature and to notify you
when one of your contacts joins Path."
Morin was smart to have acted quickly. Still, the incident is yet one more instance of a tech company treating privacy as an afterthought. Consider that last
year, KISSmetrics and Carrier IQ found themselves embroiled in privacy dust-ups after independent experts reported on the companies' technology.
In the case of KISSmetrics, privacy experts
showed that the company was using ETags to store data in users' browser caches; when people erased their cookies, the company was able to recreate them with the information in the ETags. Carrier IQ
has been under fire since late last year, when a developer posted a video showing how the company's software could log keystrokes. Both companies initially downplayed the significance of those
findings. Both have since revised their software, or promised to do so.
As with Carrier IQ and KISSmetrics, Path could well soon face litigation over the uploads. Scott Kamber, who has sued
numerous Web companies for privacy violations, tells MediaPost that Path's data collection is actionable. "It's no longer a valid excuse to hear app developers say, 'Now that you've caught us, we'll
fix it,'" Kamber says. "If these guys truly don't get it by now, they don't deserve custody of the personal information they're harvesting."