"So, as a clear signal of our commitment to your privacy, we’ve deleted the entire collection of user uploaded contact information from our servers."

That sounds like exactly what you were hoping for.

Except for the "and then implement hashing from here on out." part.

So, they haven't changed their implementation, they've just added the ability to opt out of the poor implementation.

But hashing doesn't add any protection in this case. There are a very limited number of phone numbers in North America and so those hashes can be pre-computed and rainbow-tabled in a short, reasonable timeframe.

Is this true if they were salted with a very long phrase?

But the app would need to contain the salt in order to send it to Path's servers hashed and salted. So a hacker could decompile the app to determine the salt.

So you can opt out then, since they're not doing enough to address your concerns. They're being upfront about it, though, and putting that choice in your hands.

> putting that choice in your hands

They are putting a false choice in your hands that they hope will lead to the status quo while still giving a show of making good on this issue. They could, through sophisticated hashing and matching algorithms, do the user matching without ever learning your contact details. But they aren't bothering to do that. Instead they are just planting a checkbox in front of the user before they go and violate their privacy, and they hope that the vast majority of users will just check it and they'll only lose data from a minority of privacy nuts. Which means Path will end up exactly where they would have been anyway - with a giant database of personally sensitive information sitting unencrypted on their servers, waiting to be exploited, abused or leaked.