The Price of Free: Path Uploads Entire Address Book To Its Servers

Path is a lovely app. It pushes all the right buttons. It’s mobile, it’s tactile, it’s personal, it’s full of people we love and moments that matter to us. It makes us feel good. It’s got all the greatest hits a post-Facebook social app should have. It’s also free.

“Facebook will always be free,” it tells us, so free is now the standard. Free apps are expensive, though; we pay with our data. Whenever Facebook or Google messes with our privacy, this is the cost of doing business for free. Path is no different. It’s already using our personal data in ways we didn’t expect. Arun Thampi discovered today that it uploads the entire iPhone address book to its servers. Surprised? Don’t be.

Thampi was using a cool new tool to observe Path’s API calls, just out of curiosity. The first thing that surprised him was a POST request to https://api.path.com/3/contacts/add. When he looked into it, he found that the entire address book – names, email addresses, phone numbers, everything – was being sent to Path’s servers. He created a new Path and duplicated the results.

It’s a secure exchange of information between Path’s servers and your phone, and it’s not necessarily doing anything flat-out wrong with the information. But Path never asked its users if it can do this. It may be using our contacts for the benefit of our user experience, for finding friends on Path, for example. But we need an explanation.

Why didn’t we know about this until an enterprising hacker stumbled over it by accident? Is this a sign of how Path will treat user data in the future? What do Path’s adoring users do now? Well, they should get used to it. This is the price of free.

The functionality is opt-in on Android, and CEO Dave Morin says it will be opt-in on iOS soon, but the fact is, the app added it before asking.

UPDATE 11:53 a.m.: Path CEO Dave Morin replied to Thampi’s post in the comments:

“We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.”

Translation: We did it first, and we’ll ask you for permission in a little while. Also, this makes clear that Path uploads Android contacts as well.

Developer/blogger/legend Matt Gemmell raises three questions missing from Morin’s explanation:

“1. Why are you uploading the actual address book data, rather than (say) generating hashes of the user’s email addresses locally, then uploading just those hashes? You’d be able to do friend-finding that way, and similarly if you uploaded hashes of all email addresses in the user’s address book, you’d be able to do your notifications of when a friend joins. At no point would your servers ever need to see the actual email addresses or phone numbers from our contacts.

2. Why wasn’t this an opt-in situation to begin with? Isn’t that against Apple’s own T&Cs?

3. How can we have our contact information deleted from your servers, if we wish to do that?”

UPDATE 12:22 p.m.: Morin responds to Gemmell’s questions point-by-point:

“1. This is a good alternative solution which we’ll look into. Thanks for the idea.

2. This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we’ve been proactively addressing this.

3. As I mentioned in the previous answer, we are rolling out this functionality for 2.0.6. In the meantime, if you would like your data deleted from our servers please contact our service team at [email protected]. We take this same policy for any of your data, if you’d like your account deleted, including all data, we’re happy to do this as well. We fundamentally believe that you as a user should always have control over your information and data and you can always email our service team and we will remove anything you’d like from our servers.”

The response is in the right spirit, but Path should now see the repercussions of setting it up this way. The only opt-out for users is to manually email the support team, and the opt-in version is coming to the App Store after the fact. If Path had just asked its users before adding this functionality, and if the app hashed the sensitive info locally before uploading it, everyone probably would have said “yes,” and this wouldn’t be a story.
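
The local-hashing approach Gemmell proposes, covering both uses Morin names (friend-finding and join notifications), as an added Python example that is not Path's code and not from the original article. `MatchServer`, `client_payload`, the normalization rules and the sample contacts are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def normalize(identifier):
    # Canonical form, so one contact hashes identically on every device.
    s = identifier.strip().lower()
    if "@" in s:
        return "email:" + s
    digits = "".join(ch for ch in s if ch.isdigit())
    # Simplifying assumption: a 10-digit number is a US number without its country code.
    return "tel:" + ("1" + digits if len(digits) == 10 else digits)

def digest(identifier):
    # Phone numbers and e-mail addresses are guessable, so a bare hash is pseudonymous
    # rather than anonymous; it still keeps names and raw values off the server.
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()

def client_payload(address_book):
    """Runs on the phone: only digests leave the device."""
    return sorted({digest(v) for c in address_book for v in c["identifiers"]})

class MatchServer:
    """Hypothetical server side; it stores digests only."""
    def __init__(self):
        self.members = {}                 # digest -> member id
        self.watchers = defaultdict(set)  # digest -> uploaders who have that contact

    def register(self, member_id, own_digest):
        """A member joins; returns the uploaders to notify."""
        self.members[own_digest] = member_id
        return sorted(self.watchers.get(own_digest, ()))

    def find_friends(self, uploader_id, digests):
        """Remember the upload, return contacts already on the service."""
        for d in digests:
            self.watchers[d].add(uploader_id)
        return sorted(self.members[d] for d in digests if d in self.members)

# Constructed sample address book (not real data).
ADDRESS_BOOK = [
    {"name": "Alice Example", "identifiers": ["Alice@Example.com ", "(415) 555-0100"]},
    {"name": "Bob Example", "identifiers": ["bob@example.org"]},
]

def demo():
    server = MatchServer()
    server.register("alice", digest("alice@example.com"))
    friends = server.find_friends("carol", client_payload(ADDRESS_BOOK))
    notified = server.register("bob", digest("BOB@example.org"))
    return friends, notified  # (['alice'], ['carol'])
```

The contact names in the address book never enter the payload, and the server can answer both questions from digests alone.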

Are you using Path? What do you think about this news?
