My thoughts are simple on this matter:
* Nearly all social apps will do this, in order to facilitate the ‘find people you know’ function. Some companies will discard the information, some will retain it. Your social graph is valuable.
* To trust companies to keep your interests as priority is foolish and naive. You are the commodity being traded, as a result you are responsible for your own information and how it’s handled. If you do not want your private contact list being uploaded, disable this function, or don’t use the app (assuming you are forewarned).
* The key discovery is not that a social app company is taking your contact list (this is standard fare), but that the iOS permissions model does not warn the user of this. There is only a facility to warn of apps requestion your location (via a pop up bubble). Apple has since reactively (as per normal) announced they will be adding contact list permission requests in a future iOS update. How much do you value convenience over security?
^Important to differentiate between uploading data with and without explicit user permissions. Also important to specify whether that information is uploaded securely (HTTPS) and/or encoded.
So looking forward, the question then is, let’s say future users of Path on iOS then have to click two bubbles to approve both requests. There are far more application actions than just these two which the user should be prompted for (as functionality is extended on the device), such as connectivity changes, aesthetic or ringtone modifications, credentials, storage access and more. It will either be denied, or accepted without informing the user, both of these decided by the application developer (and subsequently Apple’s app approval team, which has proven so far to be fairly easy to slip by).
A granular permissions system which informs the user of EXACTLY what each app will be doing on the phone is required, from the ground up, prior to the app being installed. This is the only and true way to maintain impartiality and transparency. Oh look: http://developer.android.com/reference/android/Manifest.permission.html
“Although Apple is known for its stringent security and opt-in mentality, in five versions of its mobile operating system, there seems to have been no safeguard against the practice. Even in the Android version of Path, users are warned that their data will be collected before they install the program.”