Privacy Breach? Path Social Network Uploads Address Books
The new Path social network, advertised as a "smart journal" that you can share, was found to be uploading users' mobile address books without consent. According to an article in PC World, the apparent privacy breach was uncovered by iOS developer Arun Thampi, who saw the entire contents of his digital address book uploaded to Path's server. After some experimentation to confirm that this was indeed happening, Thampi wrote about it in his blog, and that ultimately led to a response from Path co-founder and CEO Dave Morin. Morin issued an apology and an explanation on the Path blog.
For small and midsize businesses (SMBs) that allow employees to use their mobile devices for both business and personal use, the security issues that Path raises is significant. IT shops should raise awareness among employees that if they were using Path and keeping business contact information in their mobile address books, they may have inadvertently subjected the company to a privacy breach. Whether it is client information or other employee information, SMBs are obligated to keep contact information privileged under the company's own data privacy standards. In the event of a breach, the company is further obligated to follow through in accordance with their security protocols, which may mean notifying contacts whose information was inadvertently shared.
For Path's part, Morin's blog statement says that information on Path to their servers is "shared" over an encrypted connection and stored securely. Presumably, this included address book information shared without users' knowledge. Further, Morin states that Path has "deleted the entire collection of user uploaded contact information from [its] servers." Path 2.0.6 was subsequently released to allow users to opt in with regards to future sharing of contact information.
According to Mobile World Live, a recent survey taken by the GSM Association (GSMA) of 4,000 mobile phone users showed that 89 percent of users wanted to know when personal information is shared by an app and wanted the ability to turn sharing on or off. Further, 92 percent were concerned about apps collecting personal information without consent. In an effort to address such privacy issues, the Mobile Marketing Association (MMA) recently released mobile policy guidelines intended to aid app developers.
While it is impossible to track every app that an employee may use, the Path social network incident should serve as a reminder to IT to continue to preach caution to the mobile-enhanced employee and to continue to evaluate and upgrade the company's mobile use policy. IT may also wish to review the MMA mobile policy document to understand privacy considerations for mobile apps.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.