
Veering Off the Beaten Path Into Murky Legal Waters

Path, a high-profile San Francisco social media startup, ignited a firestorm this week with the revelation that its mobile application uploads users’ entire iPhone address books to the company’s servers without their knowledge or permission.  The practice, discovered by Singapore developer Arun Thampi, provoked outrage within the user community and was broadly condemned by the tech business press.  Jon Mitchell at ReadWriteWeb wrote that the upshot of Path CEO Dave Morin’s initial response was “We did it first, and we’ll ask you for permission in a little while.”  The company quickly apologized on its corporate blog and, as I write this, plans to push out an updated version of the iPhone app to quell users’ privacy concerns.

As most readers know, I’m a lawyer and advisor to social Web and mobile startups.  As one of the original in-house counsel at MySpace, I helped fight every kind of abuse imaginable as the site exploded into one of the most popular in history from 2004-06.  After that, I served as head of Legal at eHarmony, where we were entrusted with 20+ million users’ sensitive personal information.  I recognize that a business lawyer’s role is to advance the interests of the company and its shareholders — which, in a social media business, entails obtaining and preserving maximum latitude to use members’ content and contact information in whatever way turns out to be best for the business — within the legal and ethical boundaries that apply.

In most matters related to privacy and data security, “guardrails” emerge organically from companies’ self-interest.  Above all, earning users’ widespread trust is orders of magnitude more valuable than any reassuring statement in a privacy policy could ever be.  In dissecting the Path fiasco, key questions to consider are how things went wrong at such a highly respected startup and what lessons can be learned for entrepreneurs — setting aside the fundamental question of whether the architecture in question is sound or reasonable.

My immediate reaction (after “they did what?”) was to investigate:  (1) Where is the setting to “opt in” to this kind of data sharing? and (2) Where can I read about it in the Privacy Policy to verify what I agreed to when joining Path?

Let’s start by being candid about Terms of Use and Privacy Policies.  It would be an interesting exercise in Web analytics to log the percentage of new users who even click on these links for a fleeting glance before agreeing to the terms.  Perhaps the most flagrant example is one of the most common:  Every time Apple updates the Terms and Conditions for iTunes, it requires customers to agree to them.  This is a particularly challenging task on a mobile device with a small screen like the iPhone, but even on a computer, the document has grown over time to an incredible 55 pages.  South Park parodies aside, it’s safe to assume very few people ever read them.  Nevertheless, these are critical risk mitigation documents for any consumer Web or mobile business.  As with the contract you sign at the rental car counter or wireless retail store, U.S. law generally holds consumers responsible for the contracts they enter into, whether or not read.  (Exceptions are occasionally made for particularly harsh provisions that harm consumers in a serious way.)

The first stop in my quick review was the Path iPhone app I’ve used regularly. Visiting the Settings page, there is no language about “opting in” to access and upload my iPhone address book.  (Common sense suggests that the app itself needs to access the iPhone contact data to find friends already using Path, if the user chooses to do so, but uploading — technically, making a remote copy on the company’s servers — is another matter.)  Moreover, there are no links in the application that I could find to any Terms of Use or Privacy Policy, nor is there a Path panel containing such settings or links in the iOS global “Settings.”

Next, I fired up the Web browser on a regular computer and visited Path.com.  After logging in with my username and password and exploring several different pages of the site, I found my way to the “Learn More” page and scrolled down two pages below the fold, where I finally encountered links to the elusive TOU and Privacy Policy in modest gray-on-gray type.  I found that neither document discloses that the Path iPhone app uploads users’ smartphone address books in their entirety to the company’s servers.  Bottom line, between the application itself, the installation process, the iPhone settings panel, and the company’s website, there appears to be no disclosure of the practice and no ability to opt in or out.

Privacy law in general, and particularly in the United States, is disclosure and consent-based.  A principle established by the FTC long ago is that Internet companies can generally gather, store and share information as they wish, provided they disclose these practices up front to users in written privacy policies.  (State laws such as California’s now require privacy policies.)  The rationale is that a consumer who objects is free to leave the site or decline to supply it with any personal information.  It’s understandable that businesses, particularly aggressive social startups seeking rapid growth, want to streamline the user experience and minimize barriers from things like pagefuls of legalese and boxes that must be checked to proceed.  Nevertheless, the prophylactic effect of those measures can be enormous in a scenario like the one Path found itself in.

If a hypothetical company similar to Path were my client, I’d recommend that there be:

  • At a minimum, conspicuous disclosure that this data transfer is necessary for the app to function (i.e., if you don’t agree, don’t use it);
  • Better, a setting both in the mobile app and on the member Settings page on the website enabling users to opt out of the address book sharing; and
  • Links in the app itself and in the footer of every page on the website to the Terms of Use and Privacy Policy.

Path is not a uniquely irresponsible company.  Countless startups have made similar mistakes in their early days, particularly when urgency and innovation have a tendency to trump circumspection (e.g., “Move fast and break things”).  I myself am a fan of the Path service.  Nevertheless, there are simple preventive measures that could have been put into place that might have avoided such an eruption of animosity — not to mention potential legal and financial consequences.  (Some commentators are suggesting Path violated privacy laws outside the U.S., particularly in the European Union member countries.)  In building trust with the user community and business media, there is power in being able to respond truthfully and immediately to critics that the company informed consumers and sought and received their consent before doing the act in question.

In the bigger picture, as smartphones and mobile apps become ubiquitous, we as a society will have to come to terms with the nature and degree of privacy expected when enjoying their cutting-edge features.  Judging by the reaction, Path clearly crossed a line here, but with adequate disclosure, one could argue the company did nothing wrong.  Jon Mitchell posits that “Whenever Facebook or Google messes with our privacy, this is the cost of doing business for free. Path is no different. It’s already using our personal data in ways we didn’t expect.”  Nevertheless, from the startup’s point of view, it’s worth bending over backwards to disclose and/or seek permission from users for any unusually aggressive practices in the handling of their personal information.

 
This article is for general informational purposes only, not a substitute for professional legal advice. It does not result in the creation of an attorney-client relationship. All opinions expressed are those of the author, and do not necessarily represent those of Gust.

Written by Antone Johnson

Antone Johnson, Founding Principal, Bottom Line Law Group

Antone is a business lawyer and executive advising technology and media companies, entrepreneurs and investors in corporate, commercial and intellectual property matters. Johnson is Founding Principal of Bottom Line Law Group, a business and IP law firm and was the former VP and head of worldwide legal affairs at eHarmony.


Comments

5 thoughts on “Veering Off the Beaten Path Into Murky Legal Waters”

  1. seo agencies says:

    30% seems to be the magic number

  2. ebpp says:

    it seems like a lot of companies nowadays go raising their next round as soon as their 1st round comes in

  3. Keep up the fantastic piece of work u r just a emblem reader

  4. Maybe they should have gone beyond even “conspicuous disclosure” to actually marketing the feature.