Path, the mobile social network that first launched on the iPhone in November 2010, has agreed to settle Federal Trade Commission charges that it deceived its users by collecting personal information from their address books without their knowledge or consent. The settlement requires the company to establish a comprehensive privacy program and to have independent privacy assessments carried out every other year.
The company has also been fined $800,000 for illegally collecting personal information from children without their parents’ consent.
Back in February 2012, a developer discovered that the Path app for iPhone was taking users’ address books and uploading them to its servers, complete with every piece of information that they had for their contacts.
Path did not ask users for permission to do this, nor did it even notify them that it would happen. It just happened quietly in the background without the user’s knowledge.
This led to all kinds of controversy over privacy violations and how mobile apps access and use our personal data. Path apologized and quickly updated its app to prevent it from stealing address books, but the damage was already done. The issue attracted the attention of the U.S. Congress, security experts, Apple CEO Tim Cook, and of course, the FTC.
In its complaint, the FTC charged Path for a “misleading” user interface, and for providing its customers with no meaningful choice regarding the collection of their personal information. It also noted that in version 2.0 of the Path app, users were given the option to “find friends” using their contact data, but Path automatically collected and stored their contact information anyway, regardless of whether they actually chose to use the feature.
According to the FTC, for every contact in a user’s address book, Path collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and even dates of birth. It didn’t just do this once, either — it happened when you launched the app for the first time, and then each time you logged back into your account.
The FTC said that Path deceived users by telling them that it only collected obscure information like their IP address, operating system, browser type, and site activity information. It has also charged the company $800,000 for violating the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from approximately 3,000 children under the age of 13 without first getting their parents’ consent.
“Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it’s mortgage applications thrown into open trash dumpsters, kids’ information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers,” said FTC Chairman Jon Leibowitz. “This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans.”
In addition to its fine, Path is prohibited from making any misrepresentations about the extent to which it maintains the privacy and confidentiality of its users’ personal data. The settlement also requires Path to delete information collected from children under 13 years of age; however, the company has already deleted the address book information it collected during the time its “deceptive practices” were in place.
Path has since issued a statement to its users, which reads:
Today the United States Federal Trade Commission (FTC) announced that it reached a settlement pending court approval with Path regarding alleged violations of the Children’s Online Privacy Protection Act (COPPA). The gist of the FTC’s complaint is this: early in Path’s history, children under the age of 13 were able to sign up for accounts. A very small number of affected accounts have since been closed by Path.
As you may know, we ask users their birthdays during the process of creating an account. However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any underage accounts that had mistakenly been allowed to be created.
We want to share our experience and learnings in the hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA. From a developer’s perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn’t until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent.
Throughout this experience and now, we stand by our number one commitment to serve our users first.