The U.S. Federal Trade Commission announced a slew of measures to address mobile app privacy concerns on Friday, on the heels of the long-anticipated resignation of FTC Chairman Jon Leibowitz, who will end his four-year term as the head of the agency on February 15.
The agency announced it had fined Path, a cult hit social networking app for iPhone and Android, to the tune of $800,000 for allegedly violating children’s privacy. On top of that, the FTC released a new report urging Apple, Google, Microsoft, BlackBerry and Amazon to add stricter requirements for privacy disclosures of apps accepted into their respective mobile app stores, and to be more transparent with consumers about their app review processes.
“Path is used by millions of Americans to share personal journals, it’s actually quite innovative,” Leibowitz said in a teleconference on Friday morning. “Path also collected information from children under 13 years old without parental consent, in violation of the Children’s Online Privacy Protection Act.”
Specifically, the FTC found that Path’s account creation form on the iPhone and Android versions of its app asked users to provide their age and other information. Path’s system allowed users who listed their age as under 13 to create accounts and then collected other signup information from them, including their names, phone numbers, email addresses, and, in some cases, gender. In total, Path collected information from 3,000 users under age 13, according to the FTC. That is a violation of the Children’s Online Privacy Protection Act of 1998 (COPPA), which the FTC recently updated.
Path took to its own blog Friday to explain the violation on its end, which it said was due to a combination of human and technical errors:
“As you may know, we ask users their birthdays during the process of creating an account. However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any underage accounts that had mistakenly been allowed to be created.”
The startup company went on to say that it hoped its experience with the FTC and its fine of $800,000 would serve as a cautionary tale to other app developers when taking into account privacy considerations.
The FTC also faulted Path for another separate privacy violation related to accessing users’ address book contacts data without their permission, which the FTC used as the basis of a new settlement with the company. As part of that, Path has agreed to independent privacy audits every two years for the next 20 years, similar to previous settlements the FTC reached with Google and Facebook.
The FTC said that Path, which launched first for the iPhone in 2010, presented a “misleading” interface in a 2011 update for that device. The interface allowed users to “Add Friends” from their phone’s address book contacts list, email or SMS, or from Facebook. But even if users didn’t select that option, Path automatically collected information from the phone’s address book.
Path’s surreptitious collection of address book data was first observed in February 2012 by a developer in Singapore, who alerted others about it on his blog. Among them was the New York Times, which ran a prominent story about it.
Path CEO Dave Morin initially defended his company’s access of user address book data as standard industry practice, but later issued an apology.
To his point, many other apps have accessed users’ address book data and contacts without express permission, as The Verge reported, including Foursquare and another app called Hipster, both of which have since updated their software to prevent such practices.
Asked why the FTC pursued Path for this violation over other perpetrators, Leibowitz told reporters that it was a combination of the address book collection and the children’s privacy fault that prompted the FTC to move against Path.
“We like to think of ourselves as a small but mighty agency, but the truth is we are very small, especially by Washington standards,” Leibowitz said. “You have to pick and choose which malefactors you want to go after.”
Leibowitz acknowledged that with the number of mobile apps growing every day, there could be other companies committing similar privacy violations.
“If there are other companies in the space doing that, we’d like to hear about it,” the outgoing Chairman added.
Leibowitz also used the occasion of what he confirmed would be his major press conference on Friday morning to call for Congress to grant the FTC more authority to impose civil fines outside of children’s privacy violations.
“If Congress wants to give us this authority, we’d be a stronger and more effective agency,” Leibowitz said, calling consumer privacy one of the few issues of genuine bipartisan agreement. Leibowitz said that there had been an effort to grant the FTC this authority when the Dodd-Frank Wall Street reform bill was first proposed, but that it was stripped out well before final passage.