Path caught storing users’ unencrypted data

February 8, 2012

Path is a 16-month-old social network that acts as a personal journal and lets you share photos, videos, music, people, places, and text with a select network of 150 people. Since version 2 was released, Path has surged to just over 2 million users.

In the few hours since Thampi posted his discovery online, Path users have been up in arms. They were never asked for permission for Path to access their address book. The bigger worry? While most apps encrypt the data they collect, Path appears to be storing the actual information, so all of your contacts are now online.

Dave Morin, Co-Founder and CEO of Path, was quick to respond in the comments of Thampi’s post. “We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.” When asked why an opt-in for them to collect your data wasn’t included from the very beginning, Morin responded that it was industry best practise.

“The App Store guidelines do not specifically discuss contact information. However we believe users need further transparency on how this works, so we’ve been proactively addressing this… We fundamentally believe that you as a user should always have control over your information and data and you can always email our service team and we will remove anything you’d like from our servers.”

It is good to see such openness in the response, but it is a naive one. Apple’s App Store guidelines state: “Apps cannot transmit data about a user without obtaining the user’s prior permission.”
