Path has hit a pothole.

Last night sharp-eyed developer Arun Thampi was tinkering with mitmproxy, an intercepting proxy that lets you inspect the application programming interface (API) calls an app makes over HTTP, and discovered that the well-loved social networking app Path was sending his address book to Path’s servers—without his permission.

As he explained on his blog:

It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add.

Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers. I wonder how many other iOS apps actually do the same...

Like any good geek, Thampi tweaked, tested again, and got the same result. At that point, he figured he’d better share the information on his blog, which quickly blew up.
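What Thampi saw was a single request whose body carried his whole address book. The same observation can be turned into a repeatable check: intercept the app's traffic, parse any plist-encoded body, and flag requests that carry a bulk of contact records rather than one. The code below is an added example and is not Thampi's code or anything from Path; the plist key names (`fullName`, `emails`, `phones` and so on) are assumptions, since the article does not show Path's actual schema, and the sample bodies are constructed for the demonstration. It is written framework-free so it can be called from any proxy hook (such as a mitmproxy addon's `request` handler) with the host, path and raw body.

```python
import plistlib
import re

# Hypothetical field names: the article does not show Path's plist schema,
# so these sets are assumptions chosen to cover common address-book exports.
NAME_KEYS = {"name", "fullName", "firstName", "lastName", "first_name", "last_name"}
EMAIL_KEYS = {"email", "emails"}
PHONE_KEYS = {"phone", "phones", "phoneNumber", "phone_numbers"}

# Fallback content checks for records that use unexpected key names.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def _own_strings(record):
    """Yield (key, value) for the strings a dict holds directly, including
    strings inside a list value such as "emails": ["a@example.com"]."""
    for key, value in record.items():
        if isinstance(value, str):
            yield key, value
        elif isinstance(value, list):
            for item in value:
                if isinstance(item, str):
                    yield key, item


def _dicts(obj):
    """Yield every dict nested anywhere inside a decoded plist value."""
    if isinstance(obj, dict):
        yield obj
        for value in obj.values():
            yield from _dicts(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _dicts(item)


def _is_email(key, value):
    return key in EMAIL_KEYS or EMAIL_RE.fullmatch(value) is not None


def _is_phone(key, value):
    return key in PHONE_KEYS or PHONE_RE.fullmatch(value) is not None


def _looks_like_contact(record):
    """A dict counts as one contact if it directly carries a name plus an
    email address or phone number (so a wrapper like {"contacts": [...]}
    is not itself counted)."""
    has_name = has_email = has_phone = False
    for key, value in _own_strings(record):
        has_name = has_name or key in NAME_KEYS
        has_email = has_email or _is_email(key, value)
        has_phone = has_phone or _is_phone(key, value)
    return has_name and (has_email or has_phone)


def classify_contacts_upload(host, path, body, threshold=3):
    """Return a finding dict when `body` is a plist carrying at least
    `threshold` contact records, otherwise None. Bodies that are not plists
    and single-contact requests (adding one friend) are not flagged."""
    try:
        data = plistlib.loads(body)
    except Exception:  # JSON, form data, binary blobs: not our format
        return None
    contacts = [d for d in _dicts(data) if _looks_like_contact(d)]
    if len(contacts) < threshold:
        return None
    emails = sum(1 for d in contacts for k, v in _own_strings(d) if _is_email(k, v))
    phones = sum(1 for d in contacts for k, v in _own_strings(d) if _is_phone(k, v))
    return {"host": host, "path": path, "contacts": len(contacts),
            "emails": emails, "phones": phones}


# Constructed sample bodies (not captured traffic): a four-entry address book
# and a single-contact request, both encoded as XML plists.
ADDRESS_BOOK = plistlib.dumps({"contacts": [
    {"fullName": "Alice Example", "emails": ["alice@example.com"], "phones": ["+1 555 0100"]},
    {"fullName": "Bob Example", "emails": ["bob@example.com"]},
    {"fullName": "Carol Example", "phones": ["+44 20 7946 0000"]},
    {"fullName": "Dan Example", "emails": ["dan@example.com"], "phones": ["555-0199"]},
]})
SINGLE_CONTACT = plistlib.dumps({"contact": {"fullName": "Eve Example",
                                             "emails": ["eve@example.com"]}})

if __name__ == "__main__":
    for body in (ADDRESS_BOOK, SINGLE_CONTACT):
        print(classify_contacts_upload("api.path.com", "/3/contacts/add", body))
```

The threshold is the point that matters in practice: a contacts endpoint legitimately receives one record when a user adds a friend, so the check fires only on requests that carry several, which is what an address-book upload looks like regardless of what the endpoint is named.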

Roughly 250 comments later, Thampi heard directly from Dave Morin, CEO of Path. Morin assured him that there was no secret agenda, and that Path was simply storing the information on its own servers to speed things up for its users. Here’s the comment in its entirety:

Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently [sic] as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

That it’s now opt-in for Android and soon to be opt-in for iOS users is great news. Those already using it, however, may wish to reinstall after the change—and debate the meaning of “proactive” versus “retroactive.”

Whether or not the practice is standard in the industry, as Morin claimed to TechCrunch, is beside the point. It’s skirting illegality in some countries where Path is available, and it’s pretty blatantly against Path’s own principles as laid out on their About page.

“Path should be private by default. Forever. You should always be in control of your information and experience.”

According to Morin, in a mere two weeks you will be.

Photo by VinothChandar