To recap: In February 2012, it was revealed that photo-sharing mobile application Path uploaded users’ entire address books without permission, and there was substantial public criticism of the company’s actions. After initially dismissing the criticisms, Path CEO Dave Morin apologized in a blog post and announced that the company had deleted the contact information uploaded to its servers and was releasing an updated version of the iPhone app to allow users to opt in to the address-book upload.
The Federal Trade Commission opened an investigation, and it has announced a settlement with Path over the privacy charges. However, the settlement comes as new charges of privacy-invasive behavior are being made against the mobile application (see below). The FTC says of the settlement:
The operator of the Path social networking app has agreed to settle Federal Trade Commission charges that it deceived users by collecting personal information from their mobile device address books without their knowledge and consent. The settlement requires Path, Inc. to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company also will pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent. […]
Path operates a social networking service that allows users to keep journals about “moments” in their life and to share that journal with a network of up to 150 friends. Through the Path app, users can upload, store, and share photos, written “thoughts,” the user’s location, and the names of songs to which the user is listening.
In its complaint, the FTC charged that the user interface in Path’s iOS app was misleading and provided consumers no meaningful choice regarding the collection of their personal information. In version 2.0 of its app for iOS, Path offered an “Add Friends” feature to help users add new connections to their networks. The feature provided users with three options: “Find friends from your contacts;” “Find friends from Facebook;” or “Invite friends to join Path by email or SMS.” However, Path automatically collected and stored personal information from the user’s mobile device address book even if the user had not selected the “Find friends from your contacts” option. For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.
In addition to the $800,000 civil penalty, Path is prohibited from making any misrepresentations about the extent to which it maintains the privacy and confidentiality of consumers’ personal information. The proposed settlement also requires Path to delete information collected from children under age 13 and bars future violations of COPPA. Path has already deleted the address book information that it collected during the time period its deceptive practices were in place.
The settlement comes as security researcher Jeffrey Paul says that Path grabs user location data even when the user has turned off location-data sharing — meaning that Path is ignoring its users’ privacy settings:
Path’s iOS app (yes, that same Path that was caught stealing users’ entire address books last February) will use the embedded EXIF tag location information from photos in the iOS Camera Roll to geotag your posts, even when you’ve explicitly disabled Location Services for the Path application. (The app knows, of course, that it’s not getting location data via normal means from Location Services, yet behaves this way even in that case.)
Path Product Manager Dylan Casey responded to Paul and said, “1. We were unaware of this issue and have implemented a code change to ignore the EXIF tag location. 2. We have submitted a new version with this fix to the App Store for approval. 3. We have alerted Apple about the concerns you’ve outlined here and will be following up with them.”
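The behavior Paul describes comes down to treating a photo's embedded EXIF GPS data as a location source that bypasses the user's setting. The following is an added example, not Path's code: it detects the GPS pointer tag in a JPEG's EXIF block and gates geotagging on the location setting. The function names and the sample image bytes are constructed for illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 tag that points to the EXIF GPS sub-directory


def ifd0_has_gps(tiff: bytes) -> bool:
    """Scan the first image directory of a TIFF/EXIF block for the GPS pointer."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    e = "<" if tiff[:2] == b"II" else ">"  # byte order declared by the header
    magic, ifd0 = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        off = ifd0 + 2 + 12 * i  # each directory entry is 12 bytes
        if off + 12 > len(tiff):
            break
        (tag,) = struct.unpack(e + "H", tiff[off:off + 2])
        if tag == GPS_IFD_TAG:
            return True
    return False


def has_gps_exif(jpeg: bytes) -> bool:
    """Walk JPEG segments up to the image data and inspect the EXIF APP1 block."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return ifd0_has_gps(body[6:])
        pos += 2 + seg_len
    return False


def may_geotag(jpeg: bytes, location_services_enabled: bool) -> bool:
    """Embedded coordinates count as location data: honor the user's setting."""
    return location_services_enabled and has_gps_exif(jpeg)


def sample_jpeg(with_gps: bool) -> bytes:
    """Constructed minimal JPEG: one EXIF entry, only its tag id matters here."""
    entry = struct.pack(">HHII", GPS_IFD_TAG if with_gps else 0x010F, 4, 1, 26)
    tiff = b"MM" + struct.pack(">HIH", 42, 8, 1) + entry + struct.pack(">I", 0)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```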