BreachExchange mailing list archives

Privacy Breach? Path Social Network Uploads Address Books


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 11 Feb 2012 01:52:21 -0500

http://www.theinfoboom.com/articles/privacy-breach-path-social-network-uploads-address-books/

The new Path social network, advertised as a "smart journal" that you
can share, was found to be uploading users' mobile address books
without consent. According to an article in PC World, the apparent
privacy breach was uncovered by iOS developer Arun Thampi, who saw the
entire contents of his digital address book uploaded to Path's server.
After some experimentation to confirm that this was indeed happening,
Thampi wrote about it in his blog, and that ultimately led to a
response from Path co-founder and CEO Dave Morin. Morin issued an
apology and an explanation on the Path blog.

For small and midsize businesses (SMBs) that allow employees to use
their mobile devices for both business and personal use, the security
issues that Path raises are significant. IT shops should raise
awareness among employees that if they were using Path and keeping
business contact information in their mobile address books, they may
have inadvertently subjected the company to a privacy breach. Whether
it is client information or other employee information, SMBs are
obligated to keep contact information privileged under the company's
own data privacy standards. In the event of a breach, the company is
further obligated to follow through in accordance with their security
protocols, which may mean notifying contacts whose information was
inadvertently shared.

For Path's part, Morin's blog statement says that information sent from
Path to their servers is "shared" over an encrypted connection and stored
securely.

Presumably, this included address book information shared without
users' knowledge. Further, Morin states that Path has "deleted the
entire collection of user uploaded contact information from [its]
servers." Path 2.0.6 was subsequently released to allow users to opt
in with regards to future sharing of contact information.

According to Mobile World Live, a recent survey taken by the GSM
Association (GSMA) of 4,000 mobile phone users showed that 89 percent
of users wanted to know when personal information is shared by an app
and wanted the ability to turn sharing on or off. Further, 92 percent
were concerned about apps collecting personal information without
consent. In an effort to address such privacy issues, the Mobile
Marketing Association (MMA) recently released mobile policy guidelines
intended to aid app developers.

While it is impossible to track every app that an employee may use,
the Path social network incident should serve as a reminder to IT to
continue to preach caution to the mobile-enhanced employee and to
continue to evaluate and upgrade the company's mobile use policy. IT
may also wish to review the MMA mobile policy document to understand
privacy considerations for mobile apps.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list