Foursquare Also Trying To Kill Egyptian Dissidents

The tech journalists don’t seem all that eager to look at the dozens of social mobile apps that still download your address book information from your phone (because they haven’t been able to push their update yet). As I’ve said over and over, the fact that Path did this was annoying, but in my opinion not that big of a deal. Still, the company has been eviscerated.

At some point the press, or someone, will go to the trouble of looking at all the apps and figuring out who’s doing this. I’ll just kick things off by pointing out that one of the most popular social apps, Foursquare, is definitely part of this party.

The surface evidence is clear – I created a new foursquare account on my iPhone and it immediately told me that 402 of my contacts were on Foursquare and suggested I connect with them.

There are theoretical ways Foursquare could connect me with them without uploading my contacts, but it’s highly unlikely. So a developer I know went to the trouble to proxy the iPhone through Charles Proxy to sniff the traffic. It showed a substantial amount of data being uploaded to Foursquare from the phone immediately before the screen above was shown with contact information. We perused that data, and it included email addresses and phone numbers for everyone in the phone contacts.
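
The same kind of check can be scripted against a proxy capture. This is an added example, not code from the post or from Foursquare: it assumes the session was saved in HAR (HTTP Archive) layout, and the hosts, paths and contacts in the sample are constructed.

```python
import json
import re
from urllib.parse import unquote_plus, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern: it will also hit long numeric IDs, so review matches by hand.
PHONE_RE = re.compile(r"(?<![\w.])\+?\d[\d\s().-]{7,}\d(?![\w.])")

def audit_har(har, threshold=3):
    """Return hosts whose request bodies carry at least `threshold` distinct identifiers."""
    seen = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        post = req.get("postData")
        if not post:
            continue  # GETs and empty bodies carry no upload to inspect
        body = post.get("text", "")
        if "x-www-form-urlencoded" in post.get("mimeType", ""):
            body = unquote_plus(body)  # undo %40 etc. before matching
        url = urlsplit(req["url"])
        host = seen.setdefault(url.hostname, {"emails": set(), "phones": set(), "https": True})
        host["emails"].update(e.lower() for e in EMAIL_RE.findall(body))
        host["phones"].update(re.sub(r"\D", "", m.group(0)) for m in PHONE_RE.finditer(body))
        host["https"] = host["https"] and url.scheme == "https"
    return {
        name: {"emails": len(h["emails"]), "phones": len(h["phones"]), "https": h["https"]}
        for name, h in seen.items()
        if len(h["emails"]) + len(h["phones"]) >= threshold
    }

# Constructed sample in HAR layout (hosts, paths and contacts are made up).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://api.social.example/v1/contacts/match",
                 "postData": {"mimeType": "application/json", "text": json.dumps({"contacts": [
                     {"email": "ann@example.com", "phone": "+1 415 555 0101"},
                     {"email": "raj@example.org", "phone": "(415) 555-0102"}]})}}},
    {"request": {"method": "GET", "url": "https://api.social.example/v1/feed"}},
    {"request": {"method": "POST", "url": "https://metrics.example/event",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "event=launch&user=me%40example.com"}}},
]}}

if __name__ == "__main__":
    for host, summary in audit_har(SAMPLE_HAR).items():
        print(host, summary)
```

A single capture shows what left the phone and whether it went over HTTPS; it cannot show whether the server keeps the data afterwards.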

Does this excuse Path? No. But unlike Foursquare and others, (the relatively tiny) Path was proactively changing this before the press hit, which is why their updated app was available and approved the day after the initial stories. That means Path is significantly less evil than Foursquare. And Foursquare is, in my opinion, not evil at all.

Even if they’re also trying to kill Egyptian dissidents like Path.

My recommendation to Foursquare is exactly the same as it was for Path – just nuke all the data and move on. Just because everyone else does this doesn’t mean Foursquare and Path (two apps I love) should.

Who’s next? Let’s just pull the bandaid off and get this over with. And let’s point the blame where it should be pointed, or at least where it will do some good – at the platform which permits this. That would be Apple.

It would be awesome if the tech press changed the focus from “Path is evil” to “this needs to be fixed by Apple.” That would be one option. The other would be to just continue to scream uninformed invectives at anyone who’s trying to have an actual conversation about the issue.

Disclosure: CrunchFund is not an investor in Foursquare, but we’d sure love to be. That’s probably some kind of conflict of interest.

34 thoughts on “Foursquare Also Trying To Kill Egyptian Dissidents”

  1. Oliver Starr says:

    Mike, seems like Pinterest must be doing this too. How else would people I hardly know be following my (nearly) empty Pinterest account? There’s also a hashtag #pinterestspam that seems to indicate this is the case…

  2. gregorylent says:

    depends if they give the contact info to the feds … or the local government of the user … which they will if asked

  3. Am I the only one who doesn’t care?

  4. Ray Cromwell says:

    All of the other companies doing it should be exposed and shamed in public to fix it. That part of the post was useful. But I don’t think it counts as good defense of Path to keep arguing that other people are doing it too, so it’s not a dig. This will never work, it sounds evasive, even if Path is being unfairly singled out.

    Best is to OWN it, implement a super-secure solution, blog about the details of the new protocol, be transparent, and then go after all of Path’s competitors who don’t do this securely.

    But trying to downplay it, or play the victim I think always backfires.

    • Michael Arrington says:

      yeah, clearly Path needs to be fucked with a whole lot more before we let this go.

      • Ray Cromwell says:

        Implementing hashing is fucking them? I think this whole thing would be let go if you guys just stop trying to defend them. It’ll blow over in a week or so, especially after the iPad 3 launch, we all know there’ll be about 59 thousand articles published, and no one will ever remember that Dave Morin can report them to the Iranian Revolutionary Guard.

  5. Wilhem Pujar says:

    Q : isn’t social 2.0 about exploiting already-built graphs (such as address books) instead of mapping relation from scratch? How should we envision our growth strategy in 2012?

    Users :
    – Hate when the app they’re about to install asks for intrusive permissions. A typical Android complaint.
    – Love frictionless peers discovery. Laziness is the future.

    Facebook has been doing it for years :
    – User A has Peer B contact in address book
    – Peer B is already registered as a facebook user
    – User A registers from facebook mobile
    – User A gets Peer B friend recommendation on his very first experience on facebook web

    Why all the fuss?

  6. thend says:

    You’d think your time at TechCrunch would give you an idea of how stories like this play out… Yet, apparently you don’t have a clue; or you just simply enjoy the fight.

    Regardless of whether Path was in the right (they weren’t), it’s obviously in your best interest to just shut up about this. The same goes for Siegler. Continuing to write post after post defending Path just keeps the story in the headlines that much longer. The AirBnb story, by and large, ended with their apology and reimbursement of their client. This story should have ended with Path’s apology and their app update.

    I hope your stake in Path is large enough for them to tolerate your continued chest pumping of this issue, because you’re beginning to look a little embarrassing for them. If I was the Path CEO, I’d be on the phone with you ASAP, politely asking you to STFU; especially when you begin to wrongfully attack other companies.

  7. Replied on twitter already to this but character limits make it harder to get point across. While I’m glad noise is being made about this issue, it’s wrong that everybody gets a free pass while path keeps taking the attack on its own. Instagram, four square, stumbleupon seem to be just a few doing the same. It’s not as big of a deal to me personally as these apps or apple not giving me the option to be undiscoverable on these apps using this type of feature. For example just because I shared my email with someone and they have me in their address book, doesn’t mean I want them to be able to find me on path, whatsapp, or instagram. It’s not fun not ignoring their friend requests and then running into those people and having to explain why you aren’t answering their invites.

    As far as the Lyons piece, thought it was overly harsh but he did raise a few points and that is you, mg, and pando daily have your biases but as readers we are smart enough to know what those biases are and keep them in mind. Not a big deal since everyone has their own bias including lyons. Everybody knows for example mg is an apple fan boy/google pessimist. Pando daily is also tougher on google giving a free pass to twitter with the censorship issue a couple of weeks ago, while simultaneously bashing google for a week straight over search plus.

  8. Peter Austin says:

    Two wrongs don’t make a right.

    Also, everyone should check out the following page of links to permission pages – I’m pretty damn paranoid, but still a few apps had pulled the wool over my eyes and grabbed permission to do stuff on my behalf when all I wanted to do was register to use them or write comments. I’ve fixed that now – hopefully not too late.
    http://mypermissions.org/

  9. stardust says:

    http://support.foursquare.com/entries/20650271-why-do-you-search-my-phone-s-contacts

    We search your contacts for other friends using foursquare who you may want to connect with, but we do not store the information from your phone book (that’s private to you!). We simply match the numbers and email addresses against users on foursquare. We do not share this information with anyone else and do not save copies of this search. All the information is encrypted when it moves between your phone and our servers, meaning it’s even more secure.

    • That’s right. What Arrington didn’t test here (or didn’t indicate he tested) is whether or not that substantial amount of data was uploaded just the first time or every time before accessing that screen.

      Path got in trouble not because the information was uploaded but because it was stored. If Foursquare is uploading it every time they are most likely not storing it, although sending your phonebook over the airwaves has issues of its own.

      • Path DID get in trouble for accessing people’s contacts. It looks to me like you are trying to redefine the issue as one of storage instead of access. Accessing people’s contacts without asking for permission is the issue at hand here. Storing it was just a matter of making it worse.

        It is great that foursquare doesn’t store the data, nothing to nuke. The ask needs to be added though. The ask is what needs to become industry standard practice.

        I agree with Mike and some others that the real problem was Apple not locking down contacts in the first place that allowed this bad practice to become standard.

  10. Vijay says:

    How about doing some research before playing the victim? Foursquare does NOT transmit and store your address book on their servers. Applying your logic then, Path is evil.

    Some PR job this!

  11. Neerav Kumar says:

    Privacy vs Personalization

    The war goes on everywhere from a relatively unknown (at least to me) social network that has Privacy as one of its six guiding values (pretty ironic) to Google (http://imgur.com/gallery/AfJRS) to Facebook (http://www.ft.com/cms/s/0/8e575f8e-529c-11e1-ae2c-00144feabdc0.html).

    The only problem I see here is Michael’s compelling need to defend them and prove that others do it too. Then again, it’s your personal blog and you can write whatever the frack you want.

    As a regular reader, I can only urge you to move on and stop fanning a fire that has already burnt out.

  12. joe bellardi says:

    Fair enough. I agree that it’s time to move on. This story has taken a weird turn and we can do without all the personal attacks that are flying. But here’s the question that has drawn the spotlight to Path: It stored user data on its servers. Does Foursquare do the same?

  13. Brian says:

    this reminds me of the Jedi mind trick …. “Path did nothing wrong … everybody does it …. these are personal attacks … I am a victim … “.

  14. Jorge Bernal says:

    I wonder why they expose themselves. You can have the exact same feature by uploading MD5/SHA1 hashes of the emails: enough to compare against their user database, but much more private.

    To me, the fact that you can see it’s being transferred using a proxy is at least a sign of lack of evil: if I wanted to “steal” your address book and be nasty, I’d make sure it’s encrypted and looks like protocol gibberish to a simple sniffer.
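
The hash-and-match scheme suggested in this comment (and the "implementing hashing" mentioned earlier in the thread), sketched as an added example that is not part of the original thread or any app's actual code. It uses SHA-256 in place of the MD5/SHA1 the comment names; the normalization rules, function names and sample data are assumptions.

```python
import hashlib
import re

def normalize_email(email):
    return email.strip().lower()  # both sides must hash identical bytes

def normalize_phone(phone, default_country="1"):
    """Reduce to +<digits>; the 10-digit/country-code rule is an assumption."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 10:
        digits = default_country + digits
    return "+" + digits

def digest(kind, value):
    """SHA-256 over a type-prefixed identifier (swapped in for MD5/SHA1)."""
    return hashlib.sha256(f"{kind}:{value}".encode("utf-8")).hexdigest()

def client_payload(address_book):
    """What the phone would upload: digests only, no names or raw identifiers."""
    digests = set()
    for contact in address_book:
        digests.update(digest("email", normalize_email(e)) for e in contact.get("emails", []))
        digests.update(digest("phone", normalize_phone(p)) for p in contact.get("phones", []))
    return sorted(digests)

class Directory:
    """Server side: registered users indexed by the digest of each identifier."""
    def __init__(self):
        self._index = {}
    def register(self, user_id, email=None, phone=None):
        for kind, raw, norm in (("email", email, normalize_email), ("phone", phone, normalize_phone)):
            if raw:
                self._index[digest(kind, norm(raw))] = user_id

    def match(self, digests):
        return sorted({self._index[d] for d in digests if d in self._index})

# Constructed sample data.
ADDRESS_BOOK = [
    {"name": "Alice", "emails": [" Alice@Example.COM "]},
    {"name": "Bob", "phones": ["(415) 555-0100"]},
    {"name": "Carol", "emails": ["carol@example.org"]},
]

if __name__ == "__main__":
    directory = Directory()
    directory.register("alice", email="alice@example.com")
    directory.register("bob", phone="+1 415 555 0100")
    print(directory.match(client_payload(ADDRESS_BOOK)))
```

Hashing keeps names and raw identifiers off the wire, but phone numbers come from a space small enough to enumerate, so the digests should still be treated as personal data and discarded after matching.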

  15. Peter Mullen says:

    My address and phone number (along with everyone else’s) used to be listed openly in something called the white pages. Nobody seemed to give a crap then. Why now?

    • Probably because of the connections that can now be made between you and other people in a database of address books. That can be monetized, exploited, whatever.

    • The white pages did not have a list of who your friends and associates were though. There is no relational information in the white pages to analyze and learn more about you.

      You also had the ability to opt out of the white page listing. Here we are looking at opt in but we are also giving a lot more information than just our contact details. We are giving out other people’s details. That is a different level of privacy.

  16. Dave Koss says:

    Apps don’t kill Egyptian Dissidents, Egyptian Dissidents that are too dumb not to post to social media sites do.

  17. Brian Richards says:

    You should issue a correction and apologize to Foursquare. Foursquare says they don’t store address book information on their servers like Path does, which was the issue. They did it right, so there is no data there for them to nuke.

    http://support.foursquare.com/entries/20650271-why-do-you-search-my-phone-s-contacts

    So, to defend one of your investments, you libeled a company you don’t invest in. That is the state of tech “journalism” now.

  18. Dabid Callahan says:

    … Wow! — what a mess… Mike, on a previous post I revealed my true feelings about “journalists.”
    In a way, I admire your insistence on considering some of them as friends, as I used to do many years ago… until I got really tired of being maligned and, in short, being kicked in the face — “journalists,” including the “tech” journalists, may look and dress like humans [male and female ones] but they are actually worse than SNAKES, and as such, we should keep them at a distance… USE them, pitch them one against the other when appropriate,
    Reality tells us over and over that they are never friend material — We count for nothing when they have to answer to a “higher calling.” In summary, screw them all!

  19. holden page says:

    Foursquare doesn’t store contacts. I don’t know why you’re attacking them.

    http://support.foursquare.com/entries/20650271-why-do-you-search-my-phone-s-contacts

  20. Ric says:

    I laugh wondering why everyone got their panties in a bunch to begin with. What do you expect when mobile devs try to compete in the app world on a social level? The data has to come from somewhere! If you don’t want your data co-opted don’t use the program, period!

    Simple solution huh!

  21. mmm says:

    “Path is significantly less evil than Foursquare”

    This is cynical. There is no “less evil”, you’re either innocent or responsible for breaching privacy and acting without users’ consent and in bad faith, which is the case here. Trivializing the Dissidents thing just shows a poor knowledge on social and privacy affairs. How do you know Path or Foursquare won’t sell the address books to third parties or get their servers hacked?

  22. The screenshot looks like foursquare is asking you/informing you that you might use iPhone address book or facebook or twitter to find friends. What am I missing here?? It’s a legitimate question to ask whether path is disproportionally being picked on v others, but should we spend more time asking the question: is it okay to take my shit without asking me?
