Mobile privacy —

Path reaches $800,000 settlement with FTC over iOS privacy issue

The money pays for COPPA violations discovered during FTC investigation.

Social network Path has reached an agreement with the FTC to settle charges that it violated users' privacy by improperly accessing contact data from its iOS users. During the investigation into the improper access of contact data, however, the FTC discovered that Path had allowed some children under the age of 13 to sign up for accounts in violation of the Children's Online Privacy Protection Act (COPPA), resulting in an $800,000 fine.

Path had originally built its reputation on enabling users to share photos, status updates, and location check-ins with a default focus on privacy—in contrast to sites like Facebook, where everything is public unless you say otherwise. However, the company found itself mired in controversy when a developer discovered that Path's iOS app was accessing users' contact data and uploading it to Path's servers without expressly informing users that it was doing so. The contact data was used to find other existing Path users that a user might already know, but transmitting it and storing it on Path's servers without consent was a clear privacy violation.

Path CEO Dave Morin apologized for the issue, revised the company's privacy policies, and wiped the stored data from its servers. Path also updated its iOS app to explicitly ask users for permission to access and use contact data.

But the damage had been done, attracting the attention of Congress and the FTC. The FTC launched an investigation into the illicit access of contact data and in the process discovered that Path's sign-up process had allowed children younger than 13 to sign up for accounts without parents' knowledge or consent.

To settle the privacy and COPPA issues, Path has agreed to set up a "comprehensive privacy program" which must be independently audited every two years for the next 20 years. In addition, the company is paying an $800,000 fine for its previous violation of COPPA statutes.

"Early in Path's history, children under the age of 13 were able to sign up for accounts," Morin wrote on the company's blog on Friday. "Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any underage accounts that had mistakenly been allowed to be created."

Apple has since made changes to iOS that prevent developers from accessing contacts, photos, location, and other information from iOS devices without getting explicit permission from the user. The FTC has also published a guide for mobile app developers to encourage data privacy as a design goal. "The FTC expects app developers to adopt and maintain reasonable data security practices," according to the guide, and it's clear the Commission will take action if there are consumer privacy violations.

"Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it's mortgage applications thrown into open trash dumpsters, kids' information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers," FTC Chairman Jon Leibowitz said in a statement. "This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans."
