The company was apparently already aware of the issue and was taking steps to address it prior to this post coming out. The Android app has an opt-in, and a version of the app with an opt-in is awaiting approval at Apple, says CEO Dave Morin in the comments to the original post. Morin has also flat out apologized.
This is a common problem with apps, due in large part to the fact that Apple doesn’t consider the data as sensitive as, say, location information. To get location info the app must alert the user and get their permission on screen. There’s no such requirement for address book data.
There’s an app coming that allows users on jailbroken phones to monitor and intercept when address book information is being exported, at least when it’s being done in the most common way.
But What About Path
A lot of users just don’t care about their address book integrity, they know that it’s been exploited, repurposed, shared and siloed for a long, long time. The argument that Facebook has always made is that it isn’t really your data since it includes personal information of others. So it isn’t really yours to control. The only way that mess ever gets sorted out is the courts, after a lot of guided lobbying-fueled meddling (or lack of meddling) in the legislative branch.
But back to Path. Their apps should soon be opt-in only for address book data, and a lot of users will want to send it to help Path find your friends and invite them to the service. Users can also ask Path to remove the data immediately – “In the meantime, if you would like your data deleted from our servers please contact our service team at firstname.lastname@example.org.”
Which is nice, but I’m wondering if there’s a better solution to this. Path should just state that they’re nuking all collected address book data for all users right now. Remove it from their servers entirely.
It definitely sends the right message to users – you can trust this company with your data. They’ve apologized and they were already in the process of fixing the issue. It seems like the perfect last piece is to remove all that data from their servers. And I doubt it’ll take them all that much time to collect the data all over again, this time with user permission.
And in the meantime, perhaps Apple will begin to protect address book data as closely as they do location data, which would eliminate this problem for users on all apps in the future.
Update: Data nuked.