SAN FRANCISCO (CN) – A man claims in a federal class action that the Path social networking app for mobile phones spies on customers, gleans sensitive data such as his location and contact information about their minor children, and stores it so insecurely that it’s accessible to “even an unsophisticated hacker.”
Oscar Hernandez, of Texas, claims that Path Inc “gained access to, and use of, plaintiff’s and class members’ mobile devices, without authorization and consent, to obtain and store contact address data, including personally identifiable information of minor children that was within the contact address book, bypassing the technical and code-based barriers intended to limit access, in addition to bypassing plaintiff’s and class members’ privacy settings, including offsite social network settings.”
Path “individually and in concert with Path Affiliates, has been systematically engaged in and facilitated a covert operation of surveillance of class members in violation of the following, to wit: 1) Violations of the Electronic Communications Privacy Act; 2) Violations of California Computer Crime Law; 3) Violations of California’s Invasion of Privacy Act; 4) Violations of California Unfair Competition Law; 5) Violations of California Consumer Legal Remedies Act; 6) Violations of California Customer Records Act; 7) Invasion of Privacy and Seclusion and Public Disclosure of Private Facts; 8) Conversion; 9) Trespass to Personal Property/Chattels; and 10) Unjust enrichment,” the complaint states.
Hernandez says he used the Path app to upload and share digital photos, audio and video, to visit other social network sites and to interact with people both in and outside of his address book.
Path describes its app in the iTunes App Store as “the smart journal that helps you share life with the ones you love – your thoughts, the music you’re listening to, where you are, who you’re with, when you wake and when you sleep.” The app allows users to interact on public networks such as Twitter, Foursquare and Facebook.
Hernandez claims that Path’s intent behind its app is to “provide a platform which permitted uploads of digital content to allow a ‘GPS filtering process.’ This process includes, but is not limited to, digital content geo-tagging to correlate such with users’ content, including contact address book data, for mobile tracking of online social network ‘interactions’ with contacts, a tracking mechanism referred to herein as ‘filter cookies.’
“While Path’s practices include the unauthorized interception, use, and storage of contact address data, a review of Path’s provisional patent application reveals a higher level of tracking than that carried out by other apps. Path’s ‘uncommon practices’ include tracking its users’ interactions with users’ contacts in online social networks, correlating the user’s contact address data with digital media content that has been altered (‘fingerprinted’) to include exact GPS latitude and longitude coordinates, as revealed in its tracking protocol,” according to the complaint.
Hernandez claims that while Path’s business model is different from other social networking sites, the company’s business plan is the same: Provide a nominal service to attract users in order to collect and sell user data.
“The dilemma for app developers is how to obtain substantial amounts of user data without a user’s knowledge,” the complaint states.
“It is well known that users who are asked to opt-in to provide personal info will not agree to such due to privacy concerns. Such hesitation will ultimately cause users not to provide data, which will terminate VC [venture capitalist] funding, and then the apps would cease to exist,” according to the complaint.
Hernandez claims Path’s app design “is a simple but quite effective way to provide the mechanisms required for substantial user data collection, precise tracking of the user, and an ability to ‘turn on’ the device for data collection and monitoring without the user’s involvement. Path’s ability to have continuous network access to the users’ device is marketed to the public as a service to notify users’ friends if the user is asleep or awake by the use/non-use of the mobile device.”
While most social networking apps mine data about contacts, they do so by using a “Find Friends” pop-up after the user initiates an action within the app, Hernandez says. But he claims that Path obtains “contact address data immediately after the app was downloaded, without any user activity.”
Hernandez claims that Path’s membership has grown quickly, expanding by 1 million people in two months at the end of 2011. He claims there was no explanation for this growth until a researcher discovered that the company was uploading its users’ entire contact address book to its servers, without the users’ knowledge or permission.
This violates Apple’s iOS Developer Agreement, which states that apps cannot transmit data about a user without prior permission and without providing the user detailed information about how and where the data will be used, according to the complaint.
Hernandez says that Path apologized to its users when the researcher’s information became public, and promised to delete all user information it had gathered and to update the app to require users to opt in or out of sharing their address books with Path.
“Path’s storage of user data was vital to its immediate and continued growth, since it did not want to delay building its platform slowly while prospective users spent time locating the app, experimenting with its functions to determine if they would remain a user, and prompting its users to assist in referring users’ contacts,” the complaint states.
But Hernandez says Path’s deletion of user data from its own servers is only part of the problem. He claims that Path has hidden tracking devices within users’ digital content, which was downloaded onto their mobile devices and computers.
“Like a toxic oil spill in the Gulf of Mexico causing loss and damage to the area residents, embedded ‘toxic filter cookies’ now require a ‘toxic filter cookie cleanup,’” Hernandez says.
He claims class members’ digital content files “are personal property that cannot be replicated. Plaintiff and class members cannot delete the tracking mechanism now contained within the photos merely by selecting a browser cleaner like that used to clean cookies. … Plaintiff and class members demand that defendant return the digital content within their mobile devices and computing devices to the state that existed prior to any and all activity implemented by Path and Path Affiliates, including but not limited to removal of all GPS coordinates attached to their digital content.”
Hernandez says the class will have to hire a computer forensics service to go through every byte of data looking for traces of Path’s tracking mechanisms. Costs for the service range from $50 to $850 for a mobile phone, $150 to $1,500 for a tablet, and up to $12,250 for a computer, according to the complaint.
“Defendant’s business practices unfairly wrest control from plaintiff and class members who choose to block and delete any mobile tracking device on their mobile devices in order to avoid being tracked. Plaintiff and class members who are aware of being tracked may attempt to delete any and all tracking devices periodically, believing that this will eliminate the tracking functions and hinder the ability to track their behavior across sites and apps,” the complaint states. “However, this is not the case. Path’s activities, individually and in concert with third parties including Path Affiliates, override this attempt, with little available redress for users.
“Defendant failed to disclose that it applied technologies to surreptitiously intercept, access, and collect electronic communications and information from an unsuspecting plaintiff and class members, nor its tracking of plaintiff’s and class members’ interactions with individuals within their contact address books, thereby obtaining personally identifiable information, monitoring their internet activity, and creating detailed personal profiles based on such information.”
Hernandez claims that Path “has obtained, compiled, and used this personal information for its own commercial purposes and benefit,” and that “(s)uch conduct constitutes a highly offensive and dangerous invasion of plaintiff’s and class members’ privacy.”
Hernandez seeks class certification, a permanent injunction prohibiting the unlawful activities described in the complaint, disgorgement, damages and restitution.
He is represented by Brian Strange with Strange and Carpenter of Los Angeles, and Joseph Malley of Dallas.