Path privacy blunder could fall foul of Euro data penalties

Social network Path has found itself at the centre of a privacy storm after it emerged that its iPhone and Android apps have been automatically uploading users' entire address books to the company's servers. The behavior was first spotted by developer Arun Thampi and subsequently confirmed by Path itself; the company's CEO describes the upload as a beneficial friend-finding feature, and Path has since been adding opt-in prompts after the fact. Even so, the data-protection misstep could see Path face significant penalties under European privacy law.

Thampi caught Path's upload behavior while poking at the company's API. "Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path," he writes. "I created a completely new 'Path' and repeated the experiment and I got the same result – my address book was in Path's hand."
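The check behind Thampi's finding is simple once the request body is in hand: parse the plist and look for contact-shaped data. The script below is an added illustration, not Thampi's code and not anything from Path; the plist it inspects is constructed here for the example, and the field names (`contacts`, `firstName`, `emails`, `phones`) are assumptions about how an app might lay out the payload, not Path's actual format.

```python
"""Inspect an intercepted request body for an address book serialised as a plist.

Added example: parses a property list with the standard library and counts
email-shaped strings, phone-shaped strings and dicts that look like individual
contact records. The payload below is constructed for illustration; it is not
a capture from Path or any real client, and its key names are assumptions.
"""
import plistlib
import re

# Constructed sample payload (not a real capture). Key names are hypothetical.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>contacts</key>
  <array>
    <dict>
      <key>firstName</key><string>Alice</string>
      <key>lastName</key><string>Example</string>
      <key>emails</key><array><string>alice@example.com</string></array>
      <key>phones</key><array><string>+1 555 0100</string></array>
    </dict>
    <dict>
      <key>firstName</key><string>Bob</string>
      <key>lastName</key><string>Example</string>
      <key>emails</key><array><string>bob@example.org</string></array>
      <key>phones</key><array><string>+44 20 7946 0000</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Loose shape checks: good enough to flag bulk contact data, not to validate addresses.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")

NAME_KEYS = {"firstname", "lastname", "name", "fullname"}
CONTACT_DETAIL_KEYS = {"emails", "phones", "email", "phone"}


def leaves(node):
    """Yield every scalar value in a parsed plist, walking dicts and arrays."""
    if isinstance(node, dict):
        for value in node.values():
            yield from leaves(value)
    elif isinstance(node, (list, tuple)):
        for value in node:
            yield from leaves(value)
    else:
        yield node


def contact_records(node):
    """Yield every dict that carries both a name-like key and an email/phone key."""
    if isinstance(node, dict):
        keys = {k.lower() for k in node}
        if keys & NAME_KEYS and keys & CONTACT_DETAIL_KEYS:
            yield node
        for value in node.values():
            yield from contact_records(value)
    elif isinstance(node, (list, tuple)):
        for value in node:
            yield from contact_records(value)


def summarize_contact_leak(body: bytes) -> dict:
    """Parse a plist request body and summarise how much contact data it carries.

    Returns counts of email-shaped strings, phone-shaped strings and
    contact-like records, plus a flag that is set when the body holds more
    than one record (a single record could be the user's own profile; several
    point to an address-book upload).
    """
    data = plistlib.loads(body)
    emails = phones = 0
    for leaf in leaves(data):
        if isinstance(leaf, str):
            if EMAIL_RE.match(leaf):
                emails += 1
            elif PHONE_RE.match(leaf):
                phones += 1
    records = sum(1 for _ in contact_records(data))
    return {
        "emails": emails,
        "phones": phones,
        "contact_records": records,
        "looks_like_address_book": records >= 2,
    }


if __name__ == "__main__":
    print(summarize_contact_leak(SAMPLE_PLIST))
```

Run it against the body of any outbound request captured from an app you are auditing (a debugging proxy that decrypts TLS for a device you control will give you the bytes); a body that yields several contact records where the app had no obvious reason to send them is exactly the pattern Thampi reported.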

Path CEO Dave Morin weighed in via the comments on Thampi's post, describing the data handling as "an important conversation" and arguing that the uploads were useful because they let Path notify users when their contacts joined the service:

"Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval." – Dave Morin, CEO, Path

He later pointed out that Apple's App Store rules do not require apps to specifically warn iOS users before accessing address-book data, as they do for location data. "The App Store guidelines do not specifically discuss contact information," Morin argues. An opt-in added now does nothing for contacts already collected, however, so Morin says that users who want their information deleted from the server should email service@path.com with a request.

Unfortunately for the social network company, while an apology and a PR offensive might be enough to salve North American wounds, the same may not be true in Europe. Forbes highlights the UK's Data Protection Act, which requires that users be told what is being done with their data. "Fairness generally requires you to be transparent," the Information Commissioner's guidance on the Act puts it, "clear and open with individuals about how their information will be used."

Companies found to have contravened the Data Protection Act can face monetary penalties of up to £500,000 ($795k), and certain offences under the Act can lead to criminal prosecution. Whether the Information Commissioner's Office will take an interest in Path's address-book uploads is not yet known.