Path is a somewhat obscure social network that lets users share their innermost thoughts and, for that matter, their most superficial insights with a network of up to 150 friends. It's sort of an online diary.
It's one of those cute little apps that uses a sort of baby patois to communicate with its users. On the subject of privacy, for example, Path says:
Path should be private by default. Forever. You should always be in control of your information and experience.
But its users' thoughts aren't always all that gets shared. The Federal Trade Commission charged the company with collecting personal info from its users' address books without bothering to tell them or ask their permission.
And not only that, but the FTC says Path illegally collected personal information from children without their parents' consent.
Path has agreed to pay $800,000 and button up its processes in the future.
"Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it’s mortgage applications thrown into open trash dumpsters, kids information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers,” said FTC Chairman Jon Leibowitz. “This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans.”
Path's response, posted on its website, seemed to credit itself with bringing the matter to public attention:
"We want to share our experience and learnings in the hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA. ...
"Throughout this experience and now, we stand by our number one commitment to serve our users first."
Path said it found about 3,000 minors in its system and purged them when the discovery was made.
No meaningful choice
In its complaint, the FTC charged that the user interface in Path's iOS app was misleading and provided consumers no meaningful choice regarding the collection of their personal information.
In version 2.0 of its app for iOS, Path offered an “Add Friends” feature to help users add new connections to their networks. The feature provided users with three options: “Find friends from your contacts;” “Find friends from Facebook;” or “Invite friends to join Path by email or SMS.”
However, Path automatically collected and stored personal information from the user’s mobile device address book even if the user had not selected the “Find friends from your contacts” option. For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.
Invaded children's privacy
The agency also charged that Path, which collects birth date information during user registration, violated the Children’s Online Privacy Protection Act (COPPA) Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent.
Through its apps for both iOS and Android, as well as its website, Path enabled children to create personal journals and upload, store and share photos, written “thoughts,” their precise location, and the names of songs to which the child was listening. Path version 2.0 also collected personal information from a child’s address book, including full names, addresses, phone numbers, email addresses, dates of birth and other information, where available.