Apps and Privacy
An Ethics Case Study
Path is a social networking app that describes itself as "the smart journal that helps you share life with the ones you love." The company behind it was founded in 2010 by Dave Morin, who had previously worked at Facebook. In February 2012, Path found itself at the center of a privacy controversy after a Singapore-based blogger reported that the app collected all the information in its users' "Contacts" lists, without asking the users' permission to do so. As it turned out, that information, unencrypted, was transmitted to Path's servers, where it was stored-again unencrypted.
Initially, the founder of Path responded in comments to Arun Thampi's blog by stating, "We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path;" he added that his company's actions were an "industry best practice." Other commenters also noted that many other apps were similarly downloading users' contact information without notifying the users or asking for permission.
Within a day of the initial report, after further negative reactions from Path users and increasing press coverage, Morin apologized for the company's practice. The Los Angeles Times reported that "Path's chief executive and co-founder issued an apology on the San Francisco start-up's blog, and the company quickly deleted the collected user data and updated its iOS app, all while promising more transparency in how it collects and uses information from its users." Some bloggers and tech journalists, in turn, praised Path's prompt response. In an interview with Wired's "Gadget Lab," Morin noted that "[i]n social, you have to innovate in information," but added that the tech industry as a whole is "probably going to have to innovate on how transparent we are."
According to Arstechnica, some of the criticism of Path spilled also onto Apple, whose app platform (unlike the Android one) was not designed to force app developers to notify users before accessing and downloading the users' contacts list. At the time, Apple's guidelines did instruct developers that apps could not transmit data about a user without obtaining the user's prior permission. Path appeared to have ignored this guideline, yet was still available through the Apple app store.
The Path controversy echoed all the way to Washington, DC, where legislators demanded more information from Apple about its platform and about the practices of app developers and their implications for consumer privacy.
Update: On February 1, 2013, Path announced that it had reached a settlement with the Federal Trade Commission, which had been investigating the company's practices. In connection with alleged violations of the Children's Online Privacy Protection Act (COPPA), the company agreed to pay an $800,000 fine, delete approximately 3,000 accounts, and submit to privacy audits every other year-for the next 20 years. Path's CEO noted that the company had discovered and addressed this particular issue on its own, before the FTC focused on it; he added,
"From a developer's perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn't until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent."
Before formulating an answer to the questions below, please review this summary of the qualities of good ethical judgment and the questions that we need to examine when faced with an ethical issue:
Was it unethical for the Path developers to collect and store the app users' "Contacts" information in the way they did initially, before Arun Thampi raised the issue on his blog?
What, if anything, should Path's designers have done differently?
Was the company's response an appropriate and sufficient resolution of the controversy around Path's initial practices?
Did the developers at Apple share some of the responsibility for Path's practices, because Apple had not configured its platform to prevent those practices?
Irina Raicu is the Internet Ethics Program manager at the Markkula Center for Applied Ethics.
Oct 1, 2012
Decisions about free speech and privacy
Would Brandeis have approved of the "right to be forgotten"?
On personal data, personalized advertising, and pain
How can we change online practices that lead to marketing that's both intrusive and inaccurate?
An upcoming talk by journalist Julia Angwin
The criminal justice system is one of many contexts currently impacted by algorithmic decision-making. The notion of “algorithmic accountability,” however, is a developing concept.