On the Wrong Path
Today, the FTC announced a settlement with Path — a social networking site that promoted itself as a different kind of social network. Primarily available to users through a mobile app, Path claimed that it “should be private by default. Forever. You should always be in control of your information and experience.”
That’s a nice sentiment, but the FTC charged that what Path told people it was doing with their personal information didn’t jibe with what was going on behind the scenes.
In version 2.0 of the Path App for iOS, a new feature to “Add Friends” gave people the option to “Find friends from your contacts.” But even if users didn’t choose that option, the app automatically collected personal data from users’ contact lists and stored it on Path’s servers. What did Path collect? To the extent the information was available, the first name, last name, address, phone numbers, email addresses, Facebook username, Twitter username, and date of birth of each contact. Path automatically collected and stored this data the first time the user launched the app and, if they signed out, each time they signed back in again.
The FTC complaint also charges that the company — which collected birth dates during the registration process — had actual knowledge that about 3,000 users were under 13. So, to comply with COPPA, Path should have gotten parents’ consent before collecting, using, or disclosing information about their children — an obligation Path didn’t live up to.
The upshot of Path’s alleged COPPA violations? Kids under 13 could create journals, share photos and “thoughts,” and share their precise location. The FTC says with version 2.0 kids’ contact lists were collected, too.
- If you’re providing information through an app, someone may be collecting it — say, the app developer, the app store, an advertiser, or an ad network.
- Whoever is collecting your data may be sharing it with others.
- When you download an app, it may ask for permission to access information on your device. Pay attention to the request. Some apps access only the data they need to function, but others access data that’s unrelated.