Why we shouldn’t worry about address book uploads

Over the last week or so there has been a huge outcry from the tech community about how social network, Path, uploads a user's address book when it installed. The main criticism: Path doesn't ask if that's ok.

The case for the prosecution further states that Path is somehow evil for doing this, that this runs rough shot over privacy, how they are becoming like Facebook.

Here stands the case for the defence.

1. The outcry has come from the tech community. This is an important point. We understand security & privacy. We care about this stuff. Here’s the reality. In the user research I’ve seen it time and again: simply people don’t care. Upload my address book to a server somewhere? This is not in most people’s concept of technology – they aren’t bothered.

2. Which brings me to the next point. In highlighting this has happened, we are making our users concerned. This is our fault as an industry. We design password systems that require uppercase, digits & other complexity to access stuff as simple as a newspaper. My newsagent doesn’t ask for my mother’s maiden name to buy a copy of my daily paper.

The paradox is this. In warning people about security we worry them about security. It’s called Privacy Salience. [1] In asking for a password for something trivial we devalue privacy when it does count. [2] Is this same for security?

The solution suggested is we offer a security message that Apple set in iOS. Rather like Facebook’s.

But how many of us just click through these messages without seeing them? It seems quite a lot of us. [2]

The solution is not to warn people – it’s to be responsible in using that data.

I think a great many users will feel that Path hasn’t broken their trust, Instagram have been doing the same for some time. Trust would be broken if they sold the data, didn’t implement super security, or somehow added a feature where they sent your Mum a text message if you checked into one-to-many bars.

Yes we should be able to opt-out of these features but at the same time in warning about security or using some standard, shitty dialogue that Apple or Facebook have designed we end up making something more difficult to use. After all Path has be praised for it’s great UX.


  1. Reassuring people about privacy makes them more, not less, concerned. It’s called “privacy salience”
  2. Desensitizing the User: A Study of the Efficacy of Warning Messages
  3. The economics of user effort in information security, An Evaluation of User Password Practice
  4. 3 Responses to “Why we shouldn’t worry about address book uploads”

    1. Pete Fairhurst

      No business has any right to help themselves to people’s information without asking, and then just have it lying about the place.

      Ask for it as a one-time thing and then discard it immediately after use, sure – no problem with that; it’s a proactive, mutual action (assuming the business bothered to explain the benefits first). But to take it without asking and just keep it? No.

      And I’m amazed you’ve cited user ignorance as a real and valid defense of this practice; “users don’t really care, and the backdoor’s unlocked, so let’s just take it.” Are you kidding? This is awful behaviour in any circumstance – focussing on the technology angle merely clouds the base issue.

    2. joe

      I agree with you completely Pete.

      I’m not justifying it. I’m saying the the issue has been blown out of proportion.

      We do have a responsibility to take care with personal details. They shouldn’t have done it but that doesn’t mean we should knee-jerk and create some horrific data sharing interface & privacy sharing stuff.

      We have the power, and with great power comes great responsibility.

    Leave a Reply