Friday’s announcement of Path’s settlement is illustrative of the way regulation works when you're trying to safeguard consumers from technology that the regulators themselves don't understand. It's also the way regulation works when you're trying to drum up press that illustrates how you catch the bad guys and make them pay.
Unfortunately, in this case, the FTC managed to nab a pickpocket, who has actually reformed his ways and is now providing a really useful product to millions of people. All the while, big bosses have their armies of lawyers tirelessly adjusting the fine print of their T&Cs in order to stay one step ahead of the law, as well as the consumer.
I followed the Path privacy fiasco pretty closely back in February of last year. The company did wrong, it knew it, and it admitted to it. And with today's revelation of Path's settlemen—an $800,000 fine and a commitment to a "comprehensive privacy program"—the FTC has made an example of the company, however unfair.
The FTC framed its penalty against Path within the context of the Children’s Online Privacy Protection Act (COPPA), saying that the company had violated COPPA when it collected information on 3000 children under the age of 13 (that sounds so much worse than what it actually did).
FTC Chairman Jon Leibowitz, who has since announced his resignation, then went on to pat the agency on the back, noting that the FTC has been vigilant in responding to a "long list of threats to consumer privacy, whether it’s mortgage applications thrown into open trash dumpsters, kids information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers."
“This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans,” Leibowitz wrote.
What's unfortunate about this judgment is that Path seems just the right-sized target out of which to make an example. It's not quite big enough that it could wage a lengthy legal battle, while also being recognizable enough that developers might heed the government's warning on how it will deal with privacy concerns in the future. Granted, I want be protected from services that misuse my information, but it’s not just innovative start-ups like Path that I’m worried about.
I guess you have to start somewhere, but am I crazy in suggesting that there are much more nefarious entities out there, as well as much larger, "well-liked" networks that have plenty of users under the age of 13 from whom they mine data?
At the time that Path's wrongdoings were revealed, CEO Dave Morin released a comment apologizing for the misdeed, saying that users should have control of their personal information and that the company had deleted all stored user contact information.
"Through the feedback we've received from all of you, we now understand that the way we had designed our 'Add Friends' feature was wrong," Morin wrote. "We are deeply sorry if you were uncomfortable with how our application used your phone contacts."
Morin said use of the information was limited to improving the quality of friend suggestions when a member used the 'Add Friends' feature and to notify users when one of their contacts joins Path.
After years of watching Steve Jobs apologize for absolutely nothing (I wish he was alive to apologize for the lightning connector), maybe I'm a sucker for an apology from any CEO. Path got the shaft here, after admitting to and correcting what a number of other much larger companies are still doing today in one way or another.
If anything, I fall closer to the paranoid side of the scale when it comes to digital privacy, but the way the FTC singled out Path just feels wrong.
Announcement of a punishment against a well-known criminal is also not a bad way to drum up press for your new developer guidelines, which apparently code writers everywhere would do well to peruse here.