The operator behind the Path social networking app has agreed to settle federal civil charges that it deceived users by collecting personal information from their mobile device address books without their knowledge and consent, said the Federal Trade Commission.

Path Social Networking App Deceived Users, Wrongly Tapped into Data: FTC

Path Social Networking App Deceived Users, Wrongly Tapped into Data: FTC

Path Social Networking App Deceived Users, Wrongly Tapped into DataThe operator behind the Path social networking app has agreed to settle federal civil charges that it deceived users by collecting personal information from their mobile device address books without their knowledge and consent, said the Federal Trade Commission.

The settlement requires Path, Inc. to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.

Path also will pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent.

“Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it’s mortgage applications thrown into open trash dumpsters, kids information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers,” said FTC Chairman Jon Leibowitz.  “This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans.”

Path allows users to keep journals about “moments” in their life and to share that journal with a network of up to 150 friends.  Through the Path app, users can upload, store, and share: photos, written “thoughts,” the user’s location, and the names of songs to which the user is listening.

The FTC complaints charges that the user interface in Path’s iOS app was misleading and provided consumers no meaningful choice regarding the collection of their personal information.

In version 2.0 of its app for iOS, Path offered an “Add Friends” feature to help users add new connections to their networks.  The feature provided users with three options: “Find friends from your contacts;” “Find friends from Facebook;” or “Invite friends to join Path by email or SMS.”

However, Path automatically collected and stored personal information from the user’s mobile device address book, even if the user had not selected the “Find friends from your contacts” option.

For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.

The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information.

In fact, version 2.0 of the Path app for iOS automatically collected and stored personal information from the user’s mobile device address book when the user first launched version 2.0 of the app and each time the user signed back into the account.

The FTC also charged that Path, which collects birth date information during user registration, violated the Children’s Online Privacy Protection Act (COPPA) Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent.

Through its apps for both iOS and Android, as well as its website, Path enabled children to create personal journals and upload, store and share photos, written “thoughts,” their precise location, and the names of songs to which the child was listening.

The COPPA Rule requires that operators of online sites or services directed to children, or operators that have actual knowledge of child users on their sites or services, notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13.

Operators covered by the Rule also have to post a privacy policy that is “clear, understandable, and complete.”

 

 

Leave a Reply