Some great finds by Arun Thampi:
Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.
I always wondered how Path managed to match me up so quickly to my friends when the only thing I’d given it was my email address. Turns out that it uploads your entire phone book and then matches names / email addresses to give you recommendations. It’s incredibly slick, but it is a privacy concern.
The CEO of Path replied to the post with:
Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
At least they are going to make it opt-in, but the various commenters on that article do point out that a hash table would have avoided this whole scenario. I’m glad that I finally know how Path were doing that matching though - it’s been bugging me for weeks…
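The hashing approach the commenters describe, sketched as an added example (this is not Path's code; the function names, normalization rules and sample data are assumptions made for illustration): the client normalizes each email and phone number, uploads only SHA-256 digests, and the server intersects them with digests of its registered users.

```python
import hashlib
import re

def normalize_email(email):
    # Same address must hash identically regardless of case or padding.
    return email.strip().lower()

def normalize_phone(phone, default_country="1"):
    # Assumed rule: bare 10-digit numbers belong to default_country.
    digits = re.sub(r"\D", "", phone)
    if phone.strip().startswith("+") or len(digits) != 10:
        return "+" + digits
    return "+" + default_country + digits

def digest(identifier):
    # Caveat: phone numbers come from a small space, so a plain digest can
    # be reversed by enumeration. This limits what is uploaded (no names,
    # no raw address book); it does not make identifiers anonymous.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def client_payload(address_book):
    """Digests only: names and raw identifiers never leave the device."""
    out = set()
    for contact in address_book:
        for email in contact.get("emails", []):
            out.add(digest(normalize_email(email)))
        for phone in contact.get("phones", []):
            out.add(digest(normalize_phone(phone)))
    return sorted(out)

def server_match(uploaded_digests, registered_index):
    """registered_index maps digest -> user id for users who signed up."""
    return sorted({registered_index[d] for d in uploaded_digests
                   if d in registered_index})

# Constructed sample data, not taken from the post.
ADDRESS_BOOK = [
    {"name": "Alice Example", "emails": ["Alice@Example.com "],
     "phones": ["(555) 010-0001"]},
    {"name": "Bob Example", "emails": ["bob@example.org"], "phones": []},
    {"name": "Carol Example", "emails": [], "phones": ["+1 555 010 0002"]},
]
REGISTERED = {
    digest("alice@example.com"): "user-1",
    digest("+15550100002"): "user-2",
}

if __name__ == "__main__":
    print(server_match(client_payload(ADDRESS_BOOK), REGISTERED))
```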