Dave Morin, CEO of Path, speaks during a conference in New York in May 2011.

Story highlights

Users upset that Path uploads users' address book information to Path's servers

Without contact info, some of these features just don't work, CEO says

We're growing accustomed to handing over our data to social media services

WIRED  — 

“We thought we were doing this the right way. It turns out, we made a mistake.”

Dave Morin, the CEO and creator of social media app Path, tells me this as we sit in his 22nd-floor headquarters in downtown San Francisco. It’s a mere 24 hours after an independent app developer exploded Morin’s world with a simple blog post that led to a torrent of bad publicity.

Arun Thampi of Singapore discovered that Path uploads users’ address book information to Path’s servers. This action isn’t in Path’s Terms of Use, and it’s enraged a user community concerned about privacy rights.

Some social media companies, including Path, subscribe to a philosophy that says access to your personal data — if used safely and in the right way — can only improve your experience. To this extent, address book data is the bread and butter of Path, an app that distinguishes itself as “the first truly personal network.”

“We don’t want to connect you with just anyone on Path,” Morin says. “Without the contact list information, some of these features just don’t work.”

The address book data, Morin says, is used in only three ways. “We give you a list of suggested friends to connect with who are already on Path. We notify you when other friends of yours join Path.” And the third reason speaks to the very uniqueness of Path itself — its “Friend Rank” algorithm.

FriendRank uses data on your phone to determine the most helpful friending suggestions. The feature looks at the interaction you have with friends across platforms, so, in theory, you’ll get the most relevant friend suggestions possible without the chaff that Facebook, for one, may serve up.

“We used the data for the sake of simplicity,” Morin tells me. “Any time you build a network, you have to help users find their friends. And that entire experience is designed to suggest people who you’re close to.” In other words, it’s the whole point of the app itself.

But that’s not an easy sentiment to convey to users who feel their privacy has been violated. Morin told me he wants to take all measures possible — all explained in a blog post — to prove to users that Path is serious about privacy. “We’ve deleted the entire collection of user contact information from our servers,” Morin says. “Unlike some other companies, we believe that users should have complete control over their data. This is just the right thing to do.”

Following Tuesday’s privacy kerfuffle, Morin’s company is caught in an existential morass of data and privacy issues. Users are enraged, which is to be expected, but social media software development has blurred the lines between what users want from a social media app, and what users will tolerate in terms of data mining.

To what degree can a technology company collect users’ personal data without facing backlash from the public at large? What is acceptable, and what is going over the line?

With the rise of Facebook, Twitter and Google+, we’re growing accustomed to handing over our data to social media services, all of which claim the best intentions. The goal, these services say, is to improve applications, tailoring them to act and react to our personal preferences.

Google has countless terabytes of data on its users, and is incorporating this trove of data more and more in the spirit of improving services. Last month, for example, Google rolled out Search plus Your World, a function that incorporates your Google+ social network information into simple Google search queries, an attempt to provide the most relevant search results possible.

To some degree, companies such as Facebook, Google and Path are forced to push the envelope. The landscape for social applications is nearing full capacity, with little room for copycats that provide no added value outside of what others are doing.

“In social, you have to innovate in information,” Morin says. “If you have the same thing as everyone else, you’re just not interesting.”

Yet on the flip side, social media companies have faced serious privacy backlashes in the wake of any major changes. Google users have been chafed by Search plus Your World — almost as if they had only just realized how personal the data is that Google has stored on its servers. Facebook, too, has encountered its share of user outrage: It happens nearly every time the company makes a major change in the service. In fact, Facebook was caught doing the exact same thing that Path is currently taking heat for, over two years ago.

It’s indicative of a larger issue in today’s technology landscape — the tension between how much data we’re comfortable giving, and how much data we expect to remain private. And this is where Path got in trouble. Its privacy policy never explicitly pointed out that it would access your contacts, nor does the iOS app prompt users for access to their address book in the first place.

But some security researchers say this shouldn’t come as a surprise.

“We’ve seen a great many examples of this type of thing in the press, but it’s somewhat commonplace for applications to access users’ personal information without users knowing,” said independent security researcher Ashkan Soltani in an interview. “Smartphones are small personal computers that people carry along with them. They contain a great amount of personal data including e-mails, contacts, and calendars, yet we blindly download apps from small third-party developers without any due diligence.”

And to some degree, Path and other app developers are crippled by Apple’s submission process. “It’s fundamentally a flaw in the way the platforms are set up,” Soltani says. “The only data that’s restricted and requires notification as part of the platform is location. Apple is supposed to detect when apps send information to third parties, but it’s still a very subjective thing. Path is a social app, so to some degree, it’s to be expected.”

Morin stresses that Path isn’t the worst offender in that the data it’s collected is used only for the features Morin outlined. Path has no advertising, so unlike Facebook and Google, no information is used to target and tailor ads to individuals, he says. What’s more, he says, his company’s servers are secured behind a firewall, and Morin and his team are meeting with TRUSTe, a privacy policy certification service, on Wednesday afternoon to discuss Path’s measures in keeping user data safe.

Ironically, Path had already been working on changing the way it notifies users of access to the address book. “We had proactively rolled out an opt-in for this on our Android client a few weeks ago,” Morin says, “and were literally preparing to roll it out for iOS on Friday.”

All of which makes this week’s bad publicity a matter of seriously unfortunate timing.

Morin says he hopes his company’s situation will spark a larger conversation about privacy in the industry. “We’re probably going to have to innovate on how transparent we are,” he says.

But, ultimately, Path is in it for the long haul, and hopes to make good with its user base with a swift resolution.

“From the beginning, we’ve been working on building a 30-year company here,” Morin tells me. “And trust takes time.”