Having all that information (school, doctor, lawyer, pest control company, health insurer, employer, credit card company, ...) about one person or a family, together in one place, is a social-engineering / identity-theft cornucopia. Imagine if Path had a data breach resulting in this contacts database floating around the internet.

Now most people's response to that kind of threat is to think "I'm just nobody important, no one would ever go to the trouble of using this information to impersonate me or otherwise make my life difficult." Probably you are underestimating one or more of: (a) your importance, meaning how much money someone stands to gain by impersonating you, (b) the gullibility/apathy of customer service reps at the companies you interact with, or possibly (c) the amount of free time and/or perversity of someone who will fuck with you just for the lulz.

> I'm unclear on why them having the information you cited

First of all, my wife and I actually read and attempted to analyze Path's Terms and Privacy Policy before joining. They did not in ANY WAY have our permission, either implicitly or explicitly to collect private information about our children, who are, 3 and 4 years old.

> along with dozens or hundreds of other contacts from your address book

From path.com/about

  Path should be private by default. Forever. You should 
  always be in control of your information and experience.

I was never once asked, agreed to, or gave consent to allow anyone to collect sensitive information about where are children are schooled at, what buses they ride, where they receive medical treatment at, or OTHER PLACES I LEFT OUT OF THE ORIGINAL LIST BECAUSE THEY ARE PRIVATE TO MY FAMILY. :)

> for millions of users

"kill one, it's murder - kill 1,000,000 it's a statistic" - this isn't about your children - it's about mine. ;)

> constitutes some kind of terrible threat to your children

Where did I say this was a "terrible threat" to my children? Maybe it is, maybe it isn't - bottom line is we did not consent to it. And perhaps we just want to protect our underage children from having behaviorial profiles or credit risk assessments built up on them before they reach kindergarten.

Interestingly enough, according to Path it is VERY reasonable that I should protect my children's information:

  We take reasonable measures to protect your personal information 
  in an effort to prevent loss, misuse and unauthorized access, disclosure, 
  alteration and destruction. Please be aware, however, that despite our efforts, 
  no security measures are perfect or impenetrable and no method of data 
  transmission can be guaranteed against any interception or other type of misuse.

Combined with:

  (You)...accept all risks of unauthorized access to the Registration Data and any other information you provide to us.

My risk, right?

> But maybe there's a specific threat in mind that I'm not thinking of?

Yes, there is. And I acknowledge that you might live in a world where you have no problem allowing anyone in the world to know any detail they can illicitly sneak out of your phone about you, your family, and your friends - but most of the rest of us don't.

For fuck's sake a UIKit dialog box and handler code is less than a dozen lines of code and then NONE OF THIS WOULD BE AN ISSUE.

> Anyway, just thought your response was a little over the top, and more informed by emotion than reason.

I'm curious, do you have a spouse or children?

> They did not in ANY WAY have our permission, either implicitly or explicitly to collect private information about our children, who are, 3 and 4 years old.

What are you talking about? Do you expect them to perform complex data analysis to figure out that certain contacts are young children, and then explicitly ask permission to share those? Or do you expect them to preemptively ask for any potential sensitive contact information? "Can we use your children's information?" "Can we use your in-laws' information?" "Can we use the address of the President's safehouse?" Etc.

> What are you talking about? Do you expect them to perform complex data analysis to figure out that certain contacts are young children, and then explicitly ask permission to share those? Or do you expect them to preemptively ask for any potential sensitive contact information? "Can we use your children's information?" "Can we use your in-laws' information?" "Can we use the address of the President's safehouse?" Etc.

Just a "Can we upload your entire address book?" would have worked. Or perhaps listing "Your entire address book" in the "What personal information do we collect?" section of their Privacy Policy.

That still wouldn't be specific permission to share children's information specifically, which is what it seemed like your were requesting.

No, but giving him the information would have informed him sufficiently so that he could have decide whether he wanted to (a) not use the app (b) delete sensitive contacts before using).

I think you're spot on here mash but I have a disconcerting question. How do you intend to handle this situation with every other app you, and presumably your wife, have ever downloaded? Specifically those that may not be as 'transparent' as Path?

I ask because we would be foolish to think the developers of some less then typical quality apps have, or will, certainly exploit this for their own monetary gain.

> How do you intend to handle this situation with every other app you, and presumably your wife, have ever downloaded?

Not sure yet. Path is actually the first (and will certainly be the last) social network I've ever joined - and it was precisely because it was supposed to be private and they had a pretty reasonable privacy policy. I remember something of this nature after the App Store was first released but had honestly thought it was a fixed issue.

On our lap/desktops we use prompting firewalls and on occasion will even watch suspicious apps or behaviors, if you will, where on iOS this is much harder.

I have an idle FreeBSD box and may start mitm'ing like OP did, but seriously pouring through the kind of output a home network produces doesn't sound like fun at all and I already know that going back to a dumb phone would probably be just as easy.

I was worried that would be the response. Not that I think it's a bad idea, its just such substantial shift from what I'm used to.

I would be curious for someone to do this with other apps. Even those that aren't social networks. I have a strong inkling that most of the top free apps are doing this without any of us knowing.