Path pays dearly for stealing your iOS address book data


The private social network Path was off to a great start following its iPhone app launch in November 2010. The success was, unfortunately, short-lived: the company soon found itself at the epicenter of intense public scrutiny after it was discovered that it had been uploading iOS users’ address books to its servers without their explicit permission. Even though Path did apologize and update the app with the necessary changes and user prompts, the startup never really recovered from the eerie privacy scandal.

As a result, Apple introduced deeper privacy options in iOS 6 that let users choose, on a per-app basis, which apps can access their contacts, calendars, reminders, photos and more. And now comes word that on Friday the Federal Trade Commission (FTC) announced that Path has agreed to pay a whopping $800,000 fine…

The agreement with Path is to settle the FTC charges that it “deceived consumers and improperly collected personal information from users’ mobile address books”. Specifically, the $800,000 fine covers Path allegedly “collecting kids’ personal information without their parents’ consent”.

Such an outcome is the worst thing that could happen to any aspiring social network, let alone one that prides itself on being a safe haven for sharing personal stuff with your closest friends and family.

It gets even better:

The settlement requires Path, Inc. to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.

Path commented on the settlement in a statement posted on its web site:

The gist of the FTC’s complaint is this: early in Path’s history, children under the age of 13 were able to sign up for accounts. A very small number of affected accounts have since been closed by Path.

As you may know, we ask users their birthdays during the process of creating an account. However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13.

Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age accounts that had mistakenly been allowed to be created.

The FTC took issue with Path’s misleading handling of an “Add Friends” feature. As you’re probably aware, Path automatically collected and stored personal information from the user’s mobile device address book even if the user had not selected the “Find friends from your contacts” option.

Path could have easily avoided the whole privacy brouhaha had it only implemented this simple prompt in the initial release.

The extent of personally identifiable information that ended up on Path’s servers was worrying: for each contact in your iOS address book, Path automatically collected and stored first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames and dates of birth.

And now, Path is mulling paid accounts.

Both Congress and the federal government appear to take these privacy issues seriously, with the FTC launching a probe of consumer privacy in the age of apps. Some House members are now proposing tougher restrictions on what data advertisers can obtain from app users.

And now, the FTC has proposed new guidelines for app developers, including a new ‘Do Not Track’ feature because mobile devices “facilitate unprecedented amounts of data collection”.

While we’re at it, can the FTC please look into WhatsApp’s handling of private data?