# The Trodden Path

While filing away e-mails from the past month, I noticed something that might be of interest to those of you with more than a passing interest in mobile apps, privacy policies and social networking.

Some background information might be in order here, so let’s get started: A while back, Arun Thampi found out that Path uploaded the entire iPhone address book to their servers upon signup.

I took special notice of this for two reasons:

1. This is the kind of thing that mobile carriers’ law departments had screaming nightmares about back in the dark ages of WAP sites and stamp-sized mobile apps, and with which I had more than a passing involvement1.
2. I had registered for Path myself only a few weeks before, largely to see what all the fuss was about.

There was, of course, an unbelievable ruckus, most of which is pretty easy to follow. Apple is sure to add something to their entitlements model (or an explicit user permission) to make sure this doesn’t happen, nobody will ever really know how many other apps do exactly the same or worse, etc., but that’s not my point.

No, my point is that I immediatly sent Path an e-mail asking for my account to be removed, and that the results were… interesting.

Especially considering that I did so from an address that wasn’t the one I used to sign up for Path in the first place.

Keep that in mind, will you?

A while later I was rummaging around in my mail and noticed my mistake (wrong Sent Items folder), so I then sent an exact replica of that message from the right e-mail account.

Here’s the raw (redacted) source for the wrong and the “right” e-mails I sent in.

A while later I got a message from Path stating that my account was closed, etc., and never gave it another passing thought.

Today, while clearing out e-mail, I noticed that I had an exact duplicate of that reply. That is, a reply for each of the e-mails I sent in.

Here’s the raw (redacted) source for their reply to the wrong and to the right e-mail address.

Now, consider this:

1. Path did not know about the “wrong” address - not in the sense that it was directly associated with a live account.
2. I got the exact same reply except for the CRM tracking ID. Exactly. As if both e-mails were associated with live accounts.
3. Both said my account had been marked for permanent deletion.

Had it indeed? Given that they hadn’t even bothered to see if one of my e-mails was related to an active account, I decided to go and check.

Guess what, it wasn’t. My account is still active - I had to recover my password (since the last thing I did prior to asking for its removal was to remove most of my content and change my password), but it’s still there, a month later.

And I now have a vested interest in keeping it active, just so that I can figure out what the heck they’re playing at.