Path fined $800,000 by FTC (ftc.gov)
177 points by tzm 1603 days ago | hide | past | web | 50 comments | favorite

This is from February. The money is almost immaterial, the rest of the consent decree is interesting, since Path is now stuck doing stuff for 20 years. It can be found here:

The real stuff starts on page 12

There are always little idiosyncrasies in these things, like, for example "Defendant shall provide the initial Assessment by overnight courier (not the U.S. Postal Service) to the Associate Director for Enforcement".

I'm not sure what triggered them to add that, but Google searching '"not the U.S. Postal Service" ftc' pulls up a crap load of consent decrees.

People use the argument 'it's in the mail' as an excuse to temporize or avoid their obligations. Requiring overnight courier delivery creates a paper trail (via the tracking #) and also says 'we really mean it.'

USPS actually offers overnight express mail, and it's standard practice to courier this stuff anyway when dealing with agencies. My guess is that someone wasn't really trying to avoid obligations (consent decrees are immediately enforceable, there would be no trial, so this would be a bad move), but just messing with them by sending stuff worst class mail. In most jurisdictions, service by postal mail is effected on deposit, etc.

I'm not sure why you'd try to piss off the FTC though.

But the USPS offers tracking as well...

Have you ever used it? Their tracking consists of a notification when the package has shipped and a notification when it is delivered. If you're wondering where your package is between those two, too bad. You just hope you get that delivery confirmation sometime this decade.

Incorrect. They actually offer stop by stop tracking. The only trick is that they are only required to track that they received it and that it made it to its destination facility. But in my experience (I ship probably 30-40 packages a week with Priority Mail and Express Mail tracking), they always track them pretty reliably.

I think the former name of "Delivery Confirmation" is where the confusion comes from. They recently changed that to "USPS Tracking" (I'm guessing to avoid confusion).

What are you talking about? How long does it take to ship something coast-to-coast with USPS? A week? Why does it matter that it's in Aurora, Ohio on day 3? What calls for the hyperbole?

The USPS is not that slow for how cheap they are. In fact I feel bad for them. The post office in Redmond just had to close and I think it was because of budget. It doesn't seem like they're doing too well against their private competition. But I doubt it's because their tracking system is inferior.

All the USPS locations in my area open after most people are at work and close before they leave.

In a nutshell, that is why they are failing: an antiquated product with horrible service and little to no accountability.

Banks have similar hours and generally aren't failing; I don't think that part is relevant. I agree with the rest though.

Hours of operation alone aren't killing the USPS, but they're a symptom of the larger, some would say terminal, disease.

Like most people who work in cubicles, I work 8-5. The nearest PO to my home is open M-F 8-4:30. The next closest is open M-F 8-5 and Saturday 9-12. That means I've got a single 3-hour window if I need to pick up a package or do something that requires human interaction. If I happen to be out of town or busy during that short window, I have to wait until the next weekend.

As has been discussed before, the majority of a bank's income is not on personal checking and savings accounts. For most larger banks, it's an ancillary service that they really don't try that hard to compete for most of the time. The real money is in business accounts and lines of credit (both personal and business). Even so, my local bank is open 10-7 every weekday as well as Saturday mornings and Sunday afternoons.

They've come a long way with online address forwarding, usps.com/redelivery, and other online features, but the window hours are terrible and it's endemic of the USPS' apathy with regard to customer service.

Hm, I had a package delivered via USPS a few days ago that gave me full tracking from source to destination.

But a notification when the package has shipped is all that the FTC needs to prevent procrastinating via the mail.

They probably don't track the USPS service catalog to make sure all boilerplate legal text needs to be updated. The current wording still meets their criteria, and there's not really much of a reason to update it.

Why is this being posted now? (Thanks for pointing out the date.) Still news to me, but I don't understand why the new interest...

Path broke 10M users yesterday. It's likely someone was reading up on the company and found this...

Sidenote: after the address book debacle people are pretty quick to jump to conclusions about what the fine was really for though.

Good. But why does Facebook get off scot-free? I feel like their contact-uploading behavior was even more egregious than Path's.

EDIT: I missed when originally reading the post that the fine was for violating COPPA, while the other provisions (privacy assessment every 2 years) are for their privacy violations.

They don't. The FTC settled with Facebook in February of 2012 with similar terms.[1] Regardless, however you feel about Facebook, they do have robust privacy controls if users choose to learn them and are transparent about what they do with personal data. While they do quite a bit with users' data they do comply with current laws and regulations.
If you really choose to control your Facebook privacy, you can do it, but then the engagement experience becomes very limited. Facebook gives you controls, but they are given in a manner that makes it a choice between using it or not using it.

Facebook doesn't allow account creation by under-13s, and is well aware of COPPA.

Curious, if Path is acquired does the purchaser also acquire the 20 year privacy assessment requirements? Does this make acquisition unlikely?

All of the big players have already gotten similar consent decrees. Twitter got one over a password leak. Google got one over Buzz. Microsoft got one over Passport/Wallet (though that has perhaps expired). Facebook got one over Beacon.

Everyone gets one sooner or later, it seems. It's a giant PITA, but everyone has the audit infrastructure in place by now, so I wouldn't expect it to matter too much.

It's a convenient way to regulate an industry without having to pass any additional laws.

Path will probably just sell the tech, and the employees, and not the actual company. Corporations can do strange things like that.

Yep, quite possible. I guess they may also forget to reissue share options to non-execs in the process. ;)

> Curious, if Path is acquired does the purchaser also acquire the 20 year privacy assessment requirements?

Probably, or else Path2 made of the same investors could buy Path and get out of the agreement.

Despite how odd it is that they chose to specifically fine Path, I'm rather stunned to see the U.S. government even somewhat reacting to the startup culture.

> I'm rather stunned to see the U.S. government even somewhat reacting to the startup culture.

Huh? Path is a company, they broke the law, and were investigated and fined as a result. How is that "stunning"? It happens all the time.

It's got almost nothing to do with "startup culture", it is just a business that didn't play by the rules.

> company, they broke the law, and were investigated and fined as a result. How is that "stunning"?

I believe the answer is somewhere in the question.

Agree. When this was first discussed here everyone was up in arms. Why is it now bad that the government is holding Path accountable?

Path gained quite a bit of attention when this happened: https://www.google.com/search?q=path+upload+contacts

And the FTC policing COPPA isn't really new either: https://www.google.com/search?q=coppa+violation+cases

Can someone more familiar with COPPA give a summary of the requirements?

Simple answer: Don't get information from kids under 13 unless you have the parents' permission. You must also have a privacy policy.

Complex answer: How you determine if the person is under 13 and how you get the parents' permission can be done a lot of different ways. One of the most popular is doing a test charge against a credit card number, assuming kids won't have those.

That isn't how it works. COPPA is pretty narrowly defined.

You only have to take action to get parent's permission if:

a) Your site or app is very specifically targeting children (LEGO or Disney for example)

b) You have asked for some information from the user that positively identifies them as a child - birthdate is the main one

Path were fined because they asked for birthdate during the signup process and then allowed registration even if the user was under 13.

Do you have a citation for that? The legislation doesn't seem to make the distinction[1]. If you can provide evidence for the 2 points you made that would be awesome. Thanks!

[1] http://www.law.cornell.edu/uscode/text/15/6501

It's right there at the start of the law you cite in A.1.:

  It is unlawful for an operator of a website or
  *online service directed to children*, or any operator
  that has *actual knowledge that it is collecting
  personal information from a child*, to collect personal
  information from a child in a manner that violates the
  regulations prescribed under subsection (b) of this section.

So either:

* service directed to children (LEGO, Disney etc)
* actual knowledge that it is collecting information from a child (birthdate, age etc)

My understanding was from internal legal guidance at a previous company I consulted for but I haven't worked on COPPA projects for a few years so I don't know if there have been any major cases.

In any event Path specifically asked for birthdates and then allowed children to carry on and use the service with no changes which is a violation that should have been spotted by anyone with some understanding of COPPA.

I completely missed that paragraph, thank you! That solves my questions regarding COPPA.

wait wait wait, surely putting "You cannot use this website if you are under 13" in their terms of service is enough? I know COPPA is pretty ridiculous but if they require actual proactive enforcement of no under 13s they would literally break the internet.

I thought that there were 2 options with COPPA compliance: Allow <13s to register and have an email sent to their parents IF they select that they are under 13 OR disallow under 13s through a terms of service "Do not register if you are under 13" type clause. Is that not compliant?

I'm not an expert, but I imagine there's something in there about if you know people under 13 are using your product and they shouldn't be, you have to proactively do something about it. Facebook delete accounts belonging to minors, perhaps Path weren't and this played into it?

> wait wait wait, surely putting "You cannot use this website if you are under 13" in their terms of service is enough?

Absolutely categorically not.

A ToS clause alone has been tested and found not compliant.

For a while, when the ToS clause was tested and failed, the panic reaction acid test was asking for a valid CC.

Over the past decade best practice has relaxed to a gating page asking for confirmation of over age, or, for the more cautious, asking for the user to explicitly provide their birth year (not birthday).
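The two gating approaches discussed in this thread (collecting a full birthdate, as Path did, or only a birth year on a gating page) both come down to the same check: compute the user's age at signup and, if it is under 13, do not complete registration without verified parental consent. This is an added illustration written for this thread, not Path's code or anything from the FTC order; the function names, the `parental_consent_verified` flag and the sample dates are constructed for the example.

```python
from datetime import date

COPPA_MIN_AGE = 13  # below this age the parental-consent rules apply


def age_on(birthdate: date, today: date) -> int:
    """Whole years of age on `today`, correct across the birthday boundary.

    Comparing (month, day) tuples handles the not-yet-had-birthday case and
    treats a Feb 29 birthday as falling on Mar 1 in non-leap years.
    """
    if birthdate > today:
        raise ValueError("birthdate is in the future")
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def youngest_possible_age(birth_year: int, today: date) -> int:
    """Age gate that only asked for a birth year (the cautious variant above).

    Without a day and month, assume the latest possible birthday (Dec 31) so
    the gate errs on the side of treating the user as a child.
    """
    return age_on(date(birth_year, 12, 31), today)


def signup_decision(birthdate: date, today: date,
                    parental_consent_verified: bool = False) -> str:
    """What to do with a signup once the operator holds a birthdate.

    Collecting the birthdate creates 'actual knowledge' of the user's age, so
    simply continuing registration (what Path was fined for) is not an option.
    Returns 'allow', 'allow_with_consent' or 'require_parental_consent'.
    """
    if age_on(birthdate, today) >= COPPA_MIN_AGE:
        return "allow"
    if parental_consent_verified:
        return "allow_with_consent"
    return "require_parental_consent"


if __name__ == "__main__":
    # Constructed sample signups evaluated on a fixed date.
    signup_day = date(2013, 2, 28)
    for born in (date(2000, 2, 28), date(2000, 2, 29), date(2000, 3, 1)):
        print(born, age_on(born, signup_day), signup_decision(born, signup_day))
    print("birth year 2000 only:", youngest_possible_age(2000, signup_day))
```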

Is the simplest answer then to have a T.o.S. that states no one under 13 is allowed to use your product until you can afford staff charged with handling security & privacy?

Then you can CFAA those little twerps.

This is very unethical. None of these companies who blow the trumpet of innovation and user experience care about privacy. No one. Neither Google nor Facebook. I can count on Mozilla. But all the rest are prowling for info to show us targeted ads. Period.

I'd rather see targeted ads than non-targeted ads

The problem is the millennials aren't as focussed on privacy as the generations before. They're open to participating in targeted content, whether it be ads, stories, offers, etc.

But this isn't to discredit privacy concerns at all. Google anonymizes its users so that individuals aren't identified. This is a better approach compared to other questionable "targeting methods".

I think it's overstated to say that millennials are properly perceiving the privacy issues in play and making a reasoned judgment to participate anyway. None of my friends (not millennials, but 20-somethings) really understand all the things Facebook allows themselves to do with your information via their ToS (and many of them are lawyers!) They just assume that it wouldn't be legal to do anything really egregious (which is how most people view most things, actually).

Furthermore, you can't point to a group consisting entirely of young people and just write off their behavior as "generational". A lot of youth behavior is simply driven by... youth. Youths are known to take greater risks even when fully informed of the potential consequences.

Should this really have been posted now? It's from February and may cause confusion over the current kerfuffle on the front page.

Why were they collecting it anyways? To notify you if someone you knew joined?

How does a startup with no revenue expect to pay an $800k debt?

The same way it's paying for everything else - out of VC money.

They might not (I don't know) have turned a profit, but they certainly have a revenue stream selling filters and stickers.
