Path is a lovely app. It pushes all the right buttons. It’s mobile, it’s tactile, it’s personal, it’s full of people we love and moments that matter to us. It makes us feel good. It’s got all the greatest hits a post-Facebook social app should have. It’s also free.

“Facebook will always be free,” it tells us, so free is now the standard. Free apps are expensive, though; we pay with our data. Whenever Facebook or Google messes with our privacy, this is the cost of doing business for free. Path is no different. It’s already using our personal data in ways we didn’t expect. Arun Thampi discovered today that it uploads the entire iPhone address book to its servers. Surprised? Don’t be.

Thampi was using a cool new tool to observe Path’s API calls, just out of curiosity. The first thing that surprised him was a POST request to https://api.path.com/3/contacts/add. When he looked into it, he found that the entire address book – names, email addresses, phone numbers, everything – was being sent to Path’s servers. He created a new Path and duplicated the results.

It’s a secure exchange of information between Path’s servers and your phone, and it’s not necessarily doing anything flat-out wrong with the information. But Path never asked its users if it can do this. It may be using our contacts for the benefit of our user experience, for finding friends on Path, for example. But we need an explanation.

Why didn’t we know about this until an enterprising hacker stumbled over it by accident? Is this a sign of how Path will treat user data in the future? What do Path’s adoring users do now? Well, they should get used to it. This is the price of free.

The functionality is opt-in on Android, and CEO Dave Morin says it will be opt-in on iOS soon, but the fact is, the app added it before asking.

UPDATE 11:53 a.m.: Path CEO Dave Morin replied to Thampi’s post in the comments:

“We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.”

Translation: We did it first, and we’ll ask you for permission in a little while. Also, this makes clear that Path uploads Android contacts as well.

Developer/blogger/legend Matt Gemmell raises three questions missing from Morin’s explanation:

“1. Why are you uploading the actual address book data, rather than (say) generating hashes of the user’s email addresses locally, then uploading just those hashes? You’d be able to do friend-finding that way, and similarly if you uploaded hashes of all email addresses in the user’s address book, you’d be able to do your notifications of when a friend joins. At no point would your servers ever need to see the actual email addresses or phone numbers from our contacts.

2. Why wasn’t this an opt-in situation to begin with? Isn’t that against Apple’s own T&Cs?

3. How can we have our contact information deleted from your servers, if we wish to do that?”

UPDATE 12:22 p.m.: Morin responds to Gemmell’s questions point-by-point:

“1. This is a good alternative solution which we’ll look into. Thanks for the idea.

2. This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we’ve been proactively addressing this.

3. As I mentioned in the previous answer, we are rolling out this functionality for 2.0.6. In the meantime, if you would like your data deleted from our servers please contact our service team at service@path.com. We take this same policy for any of your data, if you’d like your account deleted, including all data, we’re happy to do this as well. We fundamentally believe that you as a user should always have control over your information and data and you can always email our service team and we will remove anything you’d like from our servers.”

The response is in the right spirit, but Path should now see the repercussions of setting it up this way. The only opt-out for users is to manually email the support team, and the opt-in version is coming to the App Store after the fact. If Path had just asked its users before adding this functionality, and if the app hashed the sensitive info locally before uploading it, everyone probably would have said “yes,” and this wouldn’t be a story.

Are you using Path? What do you think about this news?