The Trodden Path

While filing away e-mails from the past month, I noticed something that might be of interest to those of you with more than a passing interest in mobile apps, privacy policies and social networking.

Some background information might be in order here, so let’s get started: A while back, Arun Thampi found out that Path uploaded the entire address book to their servers upon signup.

I took special notice of this for two reasons:

  1. This is the kind of thing that mobile carriers’ law departments had screaming nightmares about back in the dark ages of sites and stamp-sized mobile apps, and with which I had more than a passing involvement¹.
  2. I had registered for Path myself only a few weeks before, largely to see what all the fuss was about.

There was, of course, an unbelievable ruckus, most of which is pretty easy to follow. is sure to add something to their entitlements model (or an explicit user permission) to make sure this doesn’t happen, nobody will ever really know how many other apps do exactly the same or worse, etc., but that’s not my point.

No, my point is that I immediately sent Path an e-mail asking for my account to be removed, and that the results were… interesting.

Especially considering that I did so from an address that wasn’t the one I used to sign up for Path in the first place.

Keep that in mind, will you?

A while later I was rummaging around in my mail and noticed my mistake (wrong Sent Items folder), so I then sent an exact replica of that message from the right e-mail account.

Here’s the raw (redacted) source for the wrong and the “right” e-mails I sent in.

A while later I got a message from Path stating that my account was closed, etc., and never gave it another passing thought.

Today, while clearing out e-mail, I noticed that I had an exact duplicate of that reply. That is, a reply for each of the e-mails I sent in.

Here’s the raw (redacted) source for their reply to the wrong and to the right e-mail address.

Now, consider this:

  1. Path did not know about the “wrong” address - not in the sense that it was directly associated with a live account.
  2. I got the exact same reply except for the CRM tracking ID. Exactly. As if both e-mails were associated with live accounts.
  3. Both said my account had been marked for permanent deletion.

Had it indeed? Given that they hadn’t even bothered to see if one of my e-mails was related to an active account, I decided to go and check.

Guess what, it wasn’t. My account is still active - I had to recover my password (since the last thing I did prior to asking for its removal was to remove most of my content and change my password), but it’s still there, a month later.

And I now have a vested interest in keeping it active, just so that I can figure out what the heck they’re playing at.

Three Updates

A few interesting things happened after I posted this. The first was that I got an automated deactivation e-mail only a few hours later - which I didn’t notice until today, and which preceded a few tests I did the morning after, when I used my account for a few test posts² without noticing anything.

The second was that half an hour later I also got a formal reply (also redacted) from Path with a sensible explanation.

The third was that Fazal Majid e-mailed me this rather fascinating link regarding detecting use of ABAddressBookCopyArrayOfAllPeople under - it’s not as if couldn’t do this as part of a routine, automated check, now is it?

I certainly hope they start doing something along those lines.


  1. You simply wouldn’t believe the kind of thing carriers worried about before the ecosystem essentially nuked a bewildering amount of extra business models and shifted the focus of liability. It was . Seriously. ↩︎

  2. I also tested their and integration by enabling and disabling it a couple of times, trying out some corner cases. ↩︎