Why Path's FTC settlement differs from Twitter's or Facebook's

If a recent settlement announced by the FTC is eventually approved by a court, Path will join Twitter and Facebook in the ranks of social media companies who have agreed to subject at least certain of their privacy practices to government oversight for years to come.

Like Twitter and like Facebook, Path is faulted for not following the standards that it told users it would follow.

Pictured is Exhibit A from the FTC's complaint against Path. The complaint alleges that the design of version 2.0 of the Path App for iOS was deceptive, because it implied to a user that she had control over whether contacts were exposed to Path, or not. Instead, the complaint alleges, "regardless of whether the user elected to 'Add Friends,' Defendant automatically collected personal information from users' mobile device contacts (also known as the user's 'address book') and stored the personal information on Defendant's servers. For each contact in the user's mobile device address book, Defendant automatically collected and stored the following personal information, if available: first name; last name; address; phone numbers; email addresses; Facebook username; Twitter username; and date of birth. . . . Contrary to the representation made by the Path App's user interface . . . Defendant automatically collected and stored personal information from the user's mobile device contacts even if the user had never selected the 'Find friends from your contacts' option."

That a social media company can get into legal trouble for violating standards it sets for itself is hard for some to fathom. Many people assume the trouble must follow violations of a prescribed regulatory standard, some minimum threshold of objective privacy protection that all companies dealing in personal information should meet. That's not the typical case, however. (Aside: Path did indeed get in trouble for violating positive standards that apply when dealing with children.)

For instance, as I wrote about two and a half years ago in a post on this blog titled Bitter Twitter Boilerplate, Twitter got into trouble with the FTC for making this kind of statement to users:

"Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical and electronic measures designed to protect your information from unauthorized access."

Vague as the promise was, Twitter apparently was unable to point the FTC to any reasonable measures designed to protect user information.

For its part, Facebook made a number of unqualified, negative assurances to users, all of which the FTC alleged were false. These included the statement "we do not give your content to advertisers." (For a laundry list of Facebook's broken promises, see this post I wrote for Geekwire, Why Facebook's privacy settlement may not be a done deal.)

The broad implication of Twitter's settlement was, and remains, that it's better to have no privacy protections than to state or imply that you have protections that are not in fact in place. The upshot of Facebook's settlement is that you shouldn't lie to users.

In a sense, Path repeated the errors made by Twitter and Facebook and compounded them. Instead of non-existent processes, Path did indeed have sophisticated processes dealing with personal information; it's just that those processes were deliberately siphoning user information, by default, in flat-out contradiction of an assurance that users would be in total control:

"Path should be private by default. Forever. You should always be in control of your information and experience."

Now, just as with Twitter and Facebook before it, Path does not appear to be admitting the FTC's allegations to be true. (Judge Rakoff, we need you; but that is another topic.) So we have to assume Path had no malice nor intent to deceive. Even so, it's hard to imagine how this kind of disparity between promise and practice could occur. Perhaps the people designing the Path app and those writing the Path terms of service had never spoken with one another, and neither group had a common report.

Here's a big difference between the FTC's proposed settlement with Path and the prior settlements with Twitter and Facebook: Path alone among the three has been fined. The amount is not trivial for a struggling startup: $800,000. I think the fine arises out of alleged violations of the Children's Online Privacy Protection Act, pursuant to which there are in fact objective standards for online businesses to follow.
