Path hit with FTC fine, finds itself in a geotag muck up


Path is billed as a social networking app that allows you to remember all of life's moments, but this is one day that the company may want to erase from its timeline.

The Federal Trade Commission (FTC) and Path announced today that the entities reached a settlement over the company's unauthorized collection of address book information on mobile devices.

The social networking start-up must establish a comprehensive privacy program and obtain independent privacy assessments every other year for the next 20 years.

Path also has to throw a little bit of money into the federal pot. It will pay $800,000 in civil penalties for not rejecting new members who were under the age of 13.

FTC, Path issue statements

Outgoing FTC Chairman Jon Leibowitz made sure to highlight this settlement as a victory for privacy-threatened consumers in the United States.

"This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans," said the resigning chairman in a press release.

"The FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it's mortgage applications thrown into open trash dumpsters, kids' information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers."

Path, meanwhile, chalked this up to a learning experience.

"From a developer's perspective, we understand the tendency to focus all attention on the process of building amazing new things," the company said in a blog post addressing its Children's Online Privacy Protection Act violations.

"It wasn't until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent."

Path's blog post, curiously, didn't comment on its harvesting of users' address book data.

More Path privacy concerns

Path may need another "cautious and diligent" reminder, as the company's iOS app can still give away a user's location information without obtaining permission.

"Path's iOS app (yes, that same Path that was caught stealing users' entire address books last February) will use the embedded EXIF tag location information from photos," discovered self-described hacker and security researcher Jeffrey Paul.

The leak occurs when photos from the iOS Camera Roll are added to Path posts: the posts are geotagged from the location embedded in the photo, even when Location Services are disabled for the Path application.

Paul told TechRadar that he doesn't know if the issue also affects Android users, as he doesn't use the app on devices running Google's mobile operating system.

In a response to Paul's blog post, Path Product Manager Dylan Casey said that the company was unaware of the issue and has implemented new code to ignore the EXIF tag location.

A new version of the app has been submitted to the App Store for approval, according to Casey, who noted that "this only affected photos taken with the Apple Camera and imported into Path."

Matt Swider