Facebook, Foursquare, Twitter, basically any app that allows you to "search my address book for friends" will do this.
All these services require either a email or phone number to sign up, so to search for friends who have also signed up for the service, you need to compare two data sets: emails or phone numbers of users you already have, and those in the person's address book.
You obviously wouldn't download your entire database of users contact information to the phone to compare the data sets, so you send the data set up to the server.
The addresses from the user's address book should be hashed before sending to the server and compared to hashed addresses on the server. Then only positive matches are registered, and the server doesn't see more private information than it needs.
Hashing data from address book doesn't work because people write the same addresses and even phone numbers in many different ways. Normalizing it on the client is not really an option either because it requires a lot of data to do decent normalization - not practical to send it all to each client.
Phone numbers are easy to canonicalize: convert to international form.
Email addresses can be effectively canonicalized by lower casing. Not many mail servers are case sensitive these days. Additionally, for the local part, you can generally strip off anything after a "+", and with gmail, you can drop any period in the local part. (Granted, it's not perfect-- so make sure that's not a security concern.)
These techniques have been working fine so far in my app for my "Find My Friends" feature.
If so many apps do this, why all of the sudden uproar with Path doing the same? I'm not condoning it, just curious why it still happens and so frequently. It seems to me that the "industry best practices" actually need to be best practice.
