Path’s Nosy App Shows that Privacy is the Third Rail of Mobile
Most readers of the Perimeter STAR Team blog probably know where I stand on mobile security issues. I believe that mobile malware, other than on the Android platform, is a tempest in a teapot stirred up by anti-virus vendors scaring up new markets. I believe that modern mobile operating systems are, as a species, much more secure than their PC counterparts due to platform features such as sandboxing, trusted boot and code signing. I believe that vendor-managed App Stores, as constraining as they are in many ways to developer freedom, offer the prospect of significantly increasing customer security.
And most significantly, I believe that data privacy is the third rail of mobile. Exhibit #2,080 was furnished today by Path, a social networking service that connects friends and family. Path offers both web-based and native clients, and is arguably the fastest-growing social network out there, mushrooming to 2 million users in just over a year of operation.
But Path has a problem. Earlier today, researcher Arun Thampi found that its mobile apps have been caught copying customer data up to Path servers without consent. Just what did Arun find? He found that:
- The Path iOS app uploaded the entire contents of customer address books to Path servers. While running mitmproxy as part of a hackathon, Arun noticed that his iPhone was posting something to https://api.path.com/3/contacts/add. Upon further investigation it became clear that the Path app was posting his entire address book.
- Path isn’t doing anything nefarious with the data. According to Path CEO Dave Morin, who has been personally commenting on Arun’s blog, “We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.”
- The app uploaded the address book without explicit opt-in. It’s always good when the CEO of a company takes the time to comment on customer concerns, such as the address book upload. But we learned from his comments that Path didn’t obtain customer consent. As he put it (somewhat disingenuously): “we are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.” Meaning consent wasn’t something they bothered to ask for, and that they are just getting around to it now.
- The furor shows that customers don’t like nosy apps. It goes without saying that the tinfoil-hat crowd is angry about unsolicited copying of their address books. (“Fsck you. Stealing my private data is class action lawsuit time, a$$hole.”). Other commenters are inclined to be more charitable, but wish that Path had obtained customer consent first. Said David Thomas Smith: “I love your app and hope you move forward with the needed changes, but please do be clear about things like this.”
- Path’s nosy app probably violates European privacy laws. Although I am not a lawyer, I sometimes play one on TV. And to my eyes, the contents of one’s address book strike me as the very sort of personally identifiable information (PII) that statutes like the European Union’s Data Privacy Directive were designed to regulate. Names, addresses, phone numbers, email addresses: it’s all in the typical address book. Path violated at least 3 out of 7 DPD principles: notice, disclosure and consent. That Path didn’t bother to think this through with the EU in mind is mind-bending.
- Apple’s App Store screening process gets a black eye. An important marketing differentiator for Apple’s iOS operating system compared to Android (and indeed, compared to Windows) is that all iOS apps are downloaded from a single place: Apple’s App Store. All applications are digitally signed by Apple after having been screened in a windowless workshop filled with elves and, one hopes, stocked with a few automated code security scanners. In theory, these measures ought to give the apps that non-jailbreakers download from the App Store a provenance (to use the art history term) customers can trust. Except when it doesn’t work. Apple somehow didn’t know that one of the apps they distributed was uploading customers’ entire address books without consent. As one commenter put it, “Our app got rejected for just sending the user’s email address. How you guys slipped this through Apple’s review process seems disingenuous in comparison.” For Apple, this is not good.
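Arun spotted the upload because he happened to be watching his phone’s traffic in mitmproxy. The check below, an added example that is not from the original post or from Path, turns that accidental observation into a repeatable one: it scores a captured request by whether its path names a contacts endpoint and whether its body carries several distinct phone numbers or e-mail addresses, which is the signature of a bulk address-book upload rather than a single login or profile field. The sample request is constructed; the JSON layout of Path’s real payload is not on the page and is assumed here.

```python
import json
import re

# Constructed sample modelled on the request Arun observed: a POST to the
# Path contacts endpoint. The body layout is an assumption, not Path's wire format.
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "https://api.path.com/3/contacts/add",
    "body": json.dumps({"contacts": [
        {"name": "Alice Example", "phone": "+1 555 0100", "email": "alice@example.com"},
        {"name": "Bob Example", "phone": "+1 555 0101", "email": "bob@example.com"},
        {"name": "Carol Example", "phone": "+1 555 0102"},
    ]}),
}

# A single-user login carries one e-mail address and should not be flagged.
BENIGN_REQUEST = {
    "method": "POST",
    "url": "https://api.path.com/3/login",
    "body": json.dumps({"email": "alice@example.com", "password": "[constructed]"}),
}

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Path names that suggest a contact-matching or address-book sync endpoint.
CONTACT_PATH_RE = re.compile(r"/(contacts?|address[_-]?book|friends?/(find|match|sync))", re.I)


def pii_counts(body: str) -> dict:
    """Count phone numbers and e-mail addresses appearing in a request body."""
    return {"phones": len(PHONE_RE.findall(body)), "emails": len(EMAIL_RE.findall(body))}


def assess_request(req: dict, bulk_threshold: int = 2) -> dict:
    """Flag an outbound POST/PUT whose body carries bulk contact PII.

    The path name only raises the severity: an address-book upload to an
    innocuously named endpoint is still flagged on the body contents alone.
    """
    counts = pii_counts(req.get("body", ""))
    contact_endpoint = bool(CONTACT_PATH_RE.search(req["url"]))
    bulk = max(counts.values()) >= bulk_threshold
    flag = req["method"].upper() in ("POST", "PUT") and bulk
    severity = "high" if flag and contact_endpoint else ("medium" if flag else "none")
    return {"url": req["url"], "contact_endpoint": contact_endpoint,
            "bulk_pii": bulk, "flag": flag, "severity": severity, **counts}
```

Fed the same fields from a proxy's request hook, the function gives a reviewer a short list of flows to read by hand instead of scrolling through every request an app makes.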
Excessive data sharing by nosy applications is not a new problem. Applications on PC-style operating systems have had relatively unfettered access to address books, calendars, mail stores and other system services for years. What’s different about mobile phones and tablets compared to PCs is that they are, as Jean-Louis Gassée once put it, Very Personal Computers. They know who your friends are. They know what you look like, and what your spouse, kids and family look like. They know where you have been lately, thanks to GPS, and where you might be going next. They know when you are free, and where you are traveling. And they contain all of your recent work and personal correspondence.
By contrast, that company-issued laptop you use? Well, that’s mostly something you use for work. You’ve got your work email on it, and maybe a few photos of your kids. But if you lose your laptop, it’s likely going to be more embarrassing to your employer than to you. By contrast, personal mobile devices are… personal. That’s why anything that seems remotely nosy in the mobile realm is so toxic.
Path should have remembered that. And in the mobile era, so should we all.