What do Path's privacy violations mean for Android?

Path's recent privacy violations have stirred up strong words of condemnation from numerous corners. What does it mean, if anything, for Path's Android users?

Path (Credit: Path)

The revelations about Path's contact list uploading, and the resulting mea culpa's first from Path and now from Apple, might have Path's Android users a bit spooked. In fact, they should have you worried--but over something much more important.

Could this happen on Android is a fairly cut-and-dry question. The answer is no, as in, a snowball's chance. No, nein, nyet, non. Why it can't happen on Android still only hints at the bigger problem.

The future possibility of the Path situation happening on Android can't occur because it already has happened. When you install any app on Android, it shows you a list of permissions that the app wants to access. Android's explicit call-out system for app permissions can be useful for people who care about such things. It's a moderately helpful tool that reveals how close to your personal data the app wants to snuggle.

Some of these permission requests make a lot of sense. These include the obvious, like Google Maps wanting access to your location data, or Skype integrating your contact list.

In the case of Path, says Jonathan Oberheide, co-founder of security app maker Duo Security, Apple's proposed changes simply bring the iOS version of the app into line with the Android's permission request to upload the contact list to Path's servers. "The Path application on Android does indeed request that permission," he wrote in an e-mail.

The difference, he added, is that Android apps make those requests visible to you when install any app.

For most people, though, the list of permissions is probably something that earns as much sincere contemplation as a software EULA. There are two reasons for this. One is that an app may have an unstated yet theoretically legitimate purpose for its request. The Scrabble game Words With Friends could, hypothetically, want your contact list to so that it can create an in-game dating network for its players.

Andrew Borg, research director at the Aberdeen Group, explains his skepticism via the hypothetical example of a Scrabble-style game asking for your contact list. "Why is Scrabble asking for your phone number? The potential for future rewards from aggregated consumer data tempts the business to gather data now and ask for forgiveness later. It's unfortunately the rule of the road right now," he said during a phone conversation.

The second is far less nuanced. If you don't like a permission request, what are you going to do about it? You have two options. You can stop the offending app from installing, or you can hold your nose and ignore your potentially legit concerns.

"Once that permission is granted, there's little the user can do to prevent a misbehaving app from abusing the permission," wrote Oberheide. "In general, I think that the user's desire to install an app overrides the user's perceived risk or impact of the permissions they're approving."

Borg offers a third option: better controls. He suggested a situation that would allow app permission control on a platform basis.

"I would expect Apple to address these concerns at a platform or OS level first; for example, withholding permission to share contact data as the default," Borg said. "This would require the app developer to explicitly ask for user permission to upload contacts, after the app had been installed, but before the contacts were accessed."

While that's an interesting idea when it comes to heightening people's awareness of privacy concerns on their mobile phones, even Borg himself doesn't think it's likely to come to fruition. "Whereas Apple has erred on the side of not asking for user input often enough, Android asks too much for the average consumer to sort through," he said.

Frustratingly for consumers, this is nothing new, Borg said. "Every two to three years, there's a new social ecosystem. And then it comes out that they weren't as diligent as they should have been," with our data or our privacy.

Privacy has a dim future. The options for better protections appear to be: relying on the vendors to act responsibly; relying on better data privacy laws from governments; and continued vigilance to expose wrong-doing. Forgive me if none of those inspire much hope.