Almost a year after social networking app Path came under fire for uploading users' mobile address books without permission, the company has agreed to settle Federal Trade Commission (FTC) charges.
The settlement, according to the FTC, requires Path to establish a comprehensive privacy program and obtain independent privacy assessments every other year for the next 20 years.
The photo-sharing app landed in hot water in early February 2012 when a developer discovered that it snagged names, numbers, addresses, birthdates, email addresses, and Facebook and Twitter usernames from his phone's address book, without approval. While the app offers three choices to find friends (through a contact list, Facebook, or invitation), it apparently automatically collected and stored personal data from the user's contact list, even when "Find friends from your contacts" was not selected.
Path CEO Dave Morin acknowledged the issue, saying that the company pulled those details "in order to help the user find and connect to their friends and family on Path quickly and efficiently," and nothing more.
A day later, Morin apologised for the mix-up, and Path released a new version of its iOS app that allowed users to opt in or out of sharing contact information. The company also said it deleted all details formerly uploaded to its servers.
Launched in November 2010, the social network allows users to keep a sort of journal — or "Path" — which can be shared with a group of up to 150 friends. Users can upload, store, and share photos, text, location, and music.
"Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it's mortgage applications thrown into open trash dumpsters, kids' information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers," FTC chairman Jon Leibowitz said, in a statement. "This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans."
The Path snafu sparked a grand-scale inquisition of app privacy; two members of Congress asked Apple for more information about iOS apps that access users' contact lists. In March, Path, along with Facebook, Twitter, Apple, and others, was named in a privacy lawsuit filed in Texas. The suit claimed that those firms "surreptitiously harvest, upload and illegally steal the owner's address book data without the owner's knowledge or consent."
Meanwhile, the FTC slapped Path with the charge of illegally collecting personal information from children without their parents' consent.
"Early in Path's history, children under the age of 13 were able to sign up for accounts," Path wrote in a 1 February blog entry. "A very small number of affected accounts have since been closed." According to the company, there was a period of time a few years ago when its system did not automatically reject those users who indicated that they were under 13.
Path claims it fixed the sign-up process in May — before the FTC reached out — and has been compliant with the Children's Online Privacy Protection Act [COPPA] ever since. But that didn't protect the company from incurring an $800,000 (£509,000) fine from the agency. Additionally, Path must delete all information collected from children under 13.
"We want to share our experience and learnings in the hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA," Path wrote. "It wasn't until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent."