Hey Path, Just Nuke All The Data

The story of the day is definitely about Path (a CrunchFund portfolio company). The company has been copying address book information to their servers without user knowledge.

The company was apparently already aware of the issue and was taking steps to address it prior to this post coming out. The Android app has an opt-in, and a version of the app with an opt-in is awaiting approval at Apple, says CEO Dave Morin in the comments to the original post. Morin has also flat out apologized.

This is a common problem with apps, due in large part to the fact that Apple doesn’t consider the data as sensitive as, say, location information. To get location info the app must alert the user and get their permission on screen. There’s no such requirement for address book data.

There’s an app coming that allows users on jailbroken phones to monitor and intercept when address book information is being exported, at least when it’s being done in the most common way.

But What About Path

A lot of users just don’t care about their address book integrity, they know that it’s been exploited, repurposed, shared and siloed for a long, long time. The argument that Facebook has always made is that it isn’t really your data since it includes personal information of others. So it isn’t really yours to control. The only way that mess ever gets sorted out is the courts, after a lot of guided lobbying-fueled meddling (or lack of meddling) in the legislative branch.

But back to Path. Their apps should soon be opt-in only for address book data, and a lot of users will want to send it to help Path find your friends and invite them to the service. Users can also ask Path to remove the data immediately – “In the meantime, if you would like your data deleted from our servers please contact our service team at service@path.com.”

Which is nice, but I’m wondering if there’s a better solution to this. Path should just state that they’re nuking all collected address book data for all users right now. Remove it from their servers entirely.

It definitely sends the right message to users – you can trust this company with your data. They’ve apologized and they were already in the process of fixing the issue. It seems like the perfect last piece is to remove all that data from their servers. And I doubt it’ll take them all that much time to collect the data all over again, this time with user permission.

And in the meantime, perhaps Apple will begin to protect address book data as closely as they do location data, which would eliminate this problem for users on all apps in the future.

Update: Data nuked.

45 thoughts on “Hey Path, Just Nuke All The Data

  1. Ilan Richter says:

    I actually sent them an email 6 weeks ago saying people from my address book have been showing up as Path users thought they’re not really on the network, and received absolutely no reply.

  2. It would indeed help if Apple were to have the same system for the address book as the location services, but this is probably quite some time away.

    But I don’t mind that Path is doing this because it is so clear what they do with this data, and that it improves their services for me. I think the biggest problem is that if I install some app that has nothing to do with this data and just steals my contacts for completely different reasons..

    Our view on privacy is really changing fast, but how long will it take for the majority of the users to give up such personal information? For now the media is anyway blowing this whole thing out of proportion and I just hope that it won’t hurt Path!

    • Peter Austin says:

      @Barry: Very cynical. They load the data of your friends,putting them at additional risk from hackers and identity fraudsters, and you don’t care because you benefit.

      @Arrington: The issue is not the data of users. They at least installed the app. The issue is the much greater number of non-users who, without their knowledge, had their contact details uploaded and put at risk. Like a lot of people, I follow government advice to shred envelopes and letters that contain my address, so it’s very annoying that here’s a company loading addresses wholesale.

      Path don’t seem to have even provided any way for non-users to check whether their data is on the servers. And, no, potential victims are not going to parcel up all their data in an email and ask Path to please delete anything that matches, because Path’s are not trustworthy right now.

      So, I suggest they keep the data of users – without it, they don’t have a business. But delete all the data for non-users.

  3. Shankar says:

    “A lot of users just don’t care about their address book integrity, they know that it’s been exploited, repurposed, shared and siloed for a long, long time.”

    Oh yes, they do care. They also care and concerned about stuff that is automatically sniffed without explicit request to access and/or share.

    Can you leave the Facebook’s argument to Facebook alone and have a word with Dave as “why” they didn’t let the user know in the 1st place about this ?

    As Constantine Z mentioned(http://goo.gl/bzYFD), this is not a proactive step. It’s rather “When the shit hits the fan” moment.

  4. Mark says:

    Yes they should nuke the data. I dropped my FB app when I heard they uploaded my address book (and even shared it with my FB friends), and I will do the same with Path if they don’t remove my data.

    Dave Morin: if you read this, will you send me your iphone contact list? I promise I won’t do anything evil with it.

  5. alialtugkoca says:

    They definitely nuke it. “Send us email” not the right way.

  6. Ray Cromwell says:

    Whether Apple adds protection or not, the fact that they thought they could exploit this loophole without notifying the user seems to speak volumes about the way the company is being run.

    I mean, who in their right mind, would think it was ok to grab all of the address book data and just upload it, without even telling the user, nevermind opt-in? You can’t accidentally implement this, it’s not a ‘bug’, it pretty much has to be intentional. That means, you either have to be incredibly oblivious to your users concerns or planned it all along, much like many other startups that get away with evil until they get a large user base, and then go to confessional and reclaim nobility again. (Hi Zynga!)

    Yes, Apple should add protection for this. But a startup should not assume that anything that is permissible is a good thing to do. I mean, what if you could turn on phone mic/video recording without the user noticing, and uploaded recorded conversations to the cloud, for say, ‘experimental purposes’. Would that make it right just because the OS security model doesn’t prevent you? Same goes for the ability to install keyloggers.

    At some point, people have to have better judgement. I would hope that VCs look for people that not only have good judgement in how to grow a company, but how to do it in an ethical way that does not abuse their users to ‘grow fast’.

  7. Mike says:

    Usual pathetic blog post to defend (vs. pump as before) one of the CrunchFund companies. This kind of post make lose any credibility left in Mr. Arrington. Sad.

  8. TS says:

    Path is trying to offer a more private, intimate place to share. It is about building trust with users. No matter how important one’s address book info is, users should know if you access their data. Path has no opt-in on the iPhone and it is not mentioned in the TOS or privacy policy (actually these look a bit copied from another service and not really adequate for Path). In that regard Path has definitely taken the wrong way to build trust with its user base.

    I don’t understand why Path didn’t see this coming though. So many other apps have made the same mistake (Facebook, Kik Messenger, Viber, etc.) before.

  9. Andrew Harcourt says:

    Sorry, Mike, but I hope CrunchFund loses its entire investment in Path. This was a sneaky, underhanded thing to do and unethical companies should be killed off by the market. Failing the market, I hope it’s done via class action.

    As an investor, I hope you’re pushing for the immediate sacking of anyone on the board who knew about this.

  10. Tom says:

    Path’s response has been insufficient to say the last. You don’t suddenly ‘become aware’ of a feature like this, it was built in on purpose. The problem for Path is that users have become aware.
    It shows a total disrespect for user privacy and they should take full responsibility.

  11. “send us an email” is the worst thing around the issue

    • tundey says:

      Right. First you steal people’s data and now you put the burden on them to get it back. This is why people need to be very careful about sharing data with all these startups. Sure their services are cool but their ethics are very very suspect. And where you don’t have legal protections (i.e. everything not related to money and health), it’s user beware!.

  12. I’d just like to know what data gets uploaded, and how its stored.

    If its name, phone, email (the basics) then I’m cool with it.

    Where things start to get a bit stickier is when I have notes in the contact about that person. Those are much more personal 🙂

  13. My friends and family have shared their private contact information with me — *not* with Path, *not* with Facebook, not with anyone else.

    Making me a bad person to share secrets with is almost worse than taking my personal secrets directly.

    Finally: it’s relatively easy to matching with anonymised hashes. So, don’t upload “arrington@example.com” or “514-555-1212” from my phone; upload md5(arrington@example.com) and md5(514-555-1212). That can help with making matches without potentially compromising my friends’ and family’s data.

  14. tundey says:

    So that’s it? An apology and everything is right with the world? While I agree that Path should just nuke all that data (and have it verified by a 3rd party), I believe this just reinforces the idea that it’s better to be wrong and ask forgiveness than to ask for permission in the first place. Regardless of what Apple T&Cs are, anyone with half a brain should know that people aren’t gonna like having their entire address book uploaded without their consent. But why ask permission when you can take the data, expand your service and apologize if/when you are exposed.

    Also since this was a deliberate API call, someone somewhere thought about this and said “sure, ethics be damned, just get the data”.

  15. kosso says:

    My issues is that they have broken European Data Protection laws. http://en.wikipedia.org/wiki/Data_Protection_Directive

    The Address Book app on most people’s phones contains information and data and goes way, way behind the realm of any ‘social networking’ site. Phone numbers, addresses, other information, etc.

    This isn’t a case of an app looking at your Twitter/FB friends and making matches there, it has stolen personal and private information which was entrusted to us by *people who might never, ever want it to be online, let alone on Path*.

    The trust has been irretrievably broken, as far as I’m concerned. Dave Morin should know better. He was a “Co-inventor of the Facebook Platform and Facebook Connect” (Facebook being a company who still doesn’t delete photos from their servers, three years after being specifically asked to do so (See Ars Technica).

    Even if they did ‘say’ they’ll delete the data they stole, why should we ever believe them again? How can it be proven? How do we know that they haven’t already sold that data and telephone numbers on to telemarketing companies?

    We don’t. We never will.

    That’s a major trust issue. Especially for an outfit like Path, whose main tenet was to keep your life and data private and under your control.

  16. This would be the point where someone should point out how massively unethical it is for Mike to blog about a company his company invests in.

    “It definitely sends the right message to users – you can trust this company with your data.”

    How is this whole article not a conflict of interest ~?

  17. Carl says:

    Don’t be a weasel, Michael. You make it sound like it was a bug, or some unfortunate accident that befell Path, that they are now working diligently to correct, and how this response shows what trustworthy folks they are.


    They didn’t accidentally collect Address Book data. They deliberately coded the collection of Address Book data. They deliberately transmitted it to store in the servers they had deliberately set up for this purpose. So to say that Path was “apparently already aware of the issue” is disingenuous at best.

    This is not a “bad things happen to good people” situation. This is a “good people did a bad thing” situation.

    • I agree completely. Apparently they were already aware that their engineers designed a database and tons of code to upload/store/sync user’s address book data. They even became more aware when they kept it in the requirements to design the Android version–so aware that they even added an opt-in function! It’s just amazing how aware they are.

  18. While we are on the subject of mishandling user data, why don’t we look at companies that don’t hash user passwords in the database. Last offender I saw – 4shared.

  19. Tom T. says:

    What hell hath Facebook unleashed upon a Generation of boys with code?

    The underlying issue goes to the mindset of these (kids) who build apps which appropriate personal data without user permission — AND THEY DON’T THINK TWICE ABOUT IT.

    Only if some PR nightmare happens do they consider their own actions (“oops, I never thought about that”)…

    Or, how about ye olde Due Diligence amongst “sophisticated” investors who might want to dig into these issues before coining-in? Maybe help the youngsters to grow up before releasing product and nabbing consumer data?

    Let’s not cut these guys as much slack as you have, Senor Arrington. Let’s skewer them a little, both for their own good, and for the next one’s up to the plate.

  20. Jeff Peters says:

    If you are going to write a puff post defending Path’s mistake and weak response, at least be upfront about your investment in them. The average reader isn’t going to connect the dots between Uncrunched and Crunchfund unless they read your About blurb.

  21. This sounds like a PR nightmare, and being a writer who has unfolded a lot of these stories I’d think you’re the perfect investor to help them unwind it.

    Assuming the best – that the Path team made a mistake and that they had no ill intent – they need apologize sincerely, take swift and decisive action to make it right, and communicate directly to EVERY support request even if that means having every employee in the company, their friends, and significant others, manning the support desk for 48 hours. The extraordinary efforts shows, instead of tells, that they are truly sorry and determined to set it right. If they really don’t have time to write back to everyone customer, they’re going to loose some of their earliest influential users and biggest fans… what a waste that would be.

  22. n1 says:

    Not surprising. Things like this are why smartphone users should be given control over what information an app can access on their phone. In a case like Path, I would simply uncheck the “access Contact information” permission during the install.

    Instead, Google has refused to allow users this control over their own data:

  23. zato says:

    “A lot of users just don’t care about their address book integrity, they know that it’s been exploited, repurposed, shared and siloed for a long, long time.”

    That sounds like a flat-out lie to me. Name one.

    “The company was apparently already aware of the issue and was taking steps to address it ”
    I see. The code to upload your address book to Path servers just somehow “happened” unawares, and the “issue” is being “addressed”.

  24. zato says:

    I want to know what Path did with my info. I want a list names of who Path sold or gave that info to.

  25. Daniel K says:

    Looks like they did just that:

    > as a clear signal of our commitment to your privacy, we’ve deleted the entire collection of user uploaded contact information from our servers


  26. Terra Carmichael says:

    Well, they’ve done just that (nuked the data). Sounds like *someone* has some influence. I thought their apology was well done.

  27. yetanothersteve says:

    What is this, printed on dead trees and mailed? No follow up that they just did what you suggested?

  28. David Fuhrer says:

    Michael, is there a scenario in which a startup(ish) company (distinguished mainly in this case by a less than full in-house legal team) that consciously and purposefully employs a tactic to gain user data that is against its platform provider’s stated guidelines in order to improve a key performance metric versus their competitors, then gets “caught”, apologizes, and takes corrective action by “nuking” the controversially gained used data….is there a scenario in which that company response is not enough since it will not have included in its “nuking” the destruction of the enduring benefit realized via acquisition of vast numbers of new users through the use of the controversial tactic? Wouldn’t a competitor be an aggrieved party….having suffered damages described above….and thus within their rights to at least ask a court to adjudicate whether the offending company should have to forfeit the BENEFITS GAINED….rather than just the nuking the data that facilitated those benefits?

    I’m as unconflicted (in interest) as it can get. I live in Thailand and spend more time managing my own chronic illness than worrying about whatever “Path” might be doing. I don’t and have never owned an iPhone or iPad (though I do use an iMac desktop). I follow the “tech scene” as closely as I can, and this story caught my eye because of the issue I brought up here……whether there are times when, “I’m sorry” isn’t enough, and more precisely, if so, what the heck can be done about it? I do absolutely care about how many other apps did the same thing as Path, but only in as much as it relates to my question.



  29. Hello just wanted to give you a quick heads up.
    The words in your article seem to be running off the screen in Safari.
    I’m not sure if this is a formatting issue or something to do with web browser compatibility but I figured I’d post to let you
    know. The design look great though! Hope you get the problem resolved
    soon. Cheers

  30. jamesgoode98 says:

    We seem to be sleepwalking into a world where Big Brother watches us, and we don’t even care. I carry some articles on computer security on my blog, but even programmers dont seem too aware of how intrusive the surveillance is.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: