Maybe it's time to create a Hippocratic Oath for developers to publicly commit to?
A future Path developer could then refuse to implement an unethical "feature" by pointing out that the company had hired them with the full knowledge that the oath had been undertaken.
I don't think the company would pink slip the developer, as they would probably want to avoid any attention being drawn to the unethical "feature" in a tribunal or other legal setting.
> The case originated with two lawsuits claiming that Classmates.com had sent out millions of deceptive e-mails telling users that an old friend was trying to contact them, and had viewed their profile or signed their "guestbook." For the great majority, that wasn't true; no one at all had shown an interest in their profile. About 60 million users were contacted, and about 3 million actually took the bait, paying between $10 and $40 to Classmates.
Another hook might be a violation of the Telephone Consumer Protection Act (TCPA) which has been interpreted to prohibit automatically sending text messages without the recipient's consent. The statutory damages are $500 per incident.
Classmates.com was sued in 2008 for sending emails claiming former classmates were searching for you. Similar, but Classmates.com was actually requiring a paid subscription before telling you there wasn't actually anyone on the other end.
See, I am not convinced that it was an innocent "automated mistake". This is equivalent to the anecdotal old excuse one always hears from the government officials: "the computer did it". When some spamming process like this is automated, all it means is that it is being inflicted on lots of people and most likely deliberately, so automation is not something that can be accepted as an excuse, on the contrary, it is an aggravating circumstance.
I incline towards the opinion that these sharks do it quite deliberately. They just don't care how many people they embarrass and annoy, as long as some of those tech-innocent grannies and plumbers join up and thus put figures on their business projection sheets that get these sharks closer to cashing in big on an FB style IPO.
Facebook does that exact thing by the way - my boss came back from a week of vacation and wondered how I found him on Facebook. Facebook had sent each one of us in the office a link, that he didn't know about. Anytime you send email as a user - it needs to be very explicit.
There's no way to sue, but I suppose the FTC could take action and fine.
They will claim it's a "bug"... albeit one of those "viral bugs" that seems to lead to topping the App Store download charts. These tactics make me think there's no such thing as organic growth within the app stores.
Reminds me of the emails Facebook sends me telling me that I've missed important notifications when I don't log in for a while. I log in, and there are no notifications waiting.
And the messages Facebook sends me telling me about an event and letting me know that one of my friends is a guest, when they've been invited but haven't actually confirmed.
Well, I don't think we should look for malice when is just incompetence.
LinkedIn keeps asking me to share my mail user/password so I can connect with more people, and says that X and many others already did it. I can't tell about others, but X is my wife and I'm certain she didn't do it.
So well, as I said I think that this is just a matter of incompetence (ie. automated message gone wrong).
How about another detail — the fact that – according do another comment here, the only one that seems to actually have looked at how the app behaves before jumping the gun – the app tells you it's going to invite everyone on first launch and you need to tell it not to?
This is proven (and risky) way to grow. I really cannot blame them: they have to pay their rent and VCs are nervous.
This approach might burn them completely but also can get them to some significant number of users (after which they will issue an apology and pay all fines if needed).
Path seems to do all the shady things with your data that we fear Google and Facebook could do. FB and G definitely push the boundaries of privacy/creepy sometimes, but Path seems to have no qualms about blowing right past them. I am staying away.
It reminds of one of Facebook's early growth tactics - as part of the contact import process, they'd send out spam IMs to all your contacts saying you just joined Facebook and ask if they wanted to join. It was very shady.
The impact is also smaller, FB has 1 billion or so accounts and Google probably has about the same. Plus, they can track every move you make across the web, things you like, searches you make, what type of content you email, share etc.
If Path grows, I hope they just die (two strikes is enough for me!) more and more people will look under the hood.
And this is why I fundamentally don't trust my smartphone.
It's a fun device. But it's a spy, outside my control, in my pocket.
I've rooted it, but haven't yet modded it (and if anyone cares to point me at a gentle introduction for CyanogenMod or another option that works on an HTC Incredible, I'm all ears).
I've been reasonably conservative in what apps I place on my phone, and several (Pandora specifically comes to mind) were removed when permissions were extended to include contacts (Pandora, you listening?).
I'm waiting eagerly for the following capabilities:
To define at the phone level what information I'm willing to share. Existing "privacy controls" make a mockery of any semblance of either "privacy" or "control" by distributing vague and conflicting access among a great many applications with no ability to centrally audit them.
To specifically grant to specific applications specific rights. My location is something I'll disclose very guardedly (I disable GPS functions on my phone). Other rights generally shouldn't be shared.
To request and audit ALL information a given application has of me in a convenient electronic format (such as a database dump accessibly by MySQL or Postgresql). Such functionality is of course a three-edged sword, as what information the vendor has and I wish to request a third party might also request pretending to be me. Or having legal authority to make the request (though that's already the case), via subpoena or warrant.
My contacts list is off limits. Full stop. Specific contacts might be contacted by way of an application if specifically designated by me, but no other use may be made of their information. Hell, it's not even mine to give.
The existing state of smartphones is interesting, but it's also a little shop of horrors. And if application authors, smartphone manufacturers, and telecom providers don't get their act together on this Real Soon Now, we're going to see some horror stories.
Why on earth are people still using Path after it has become so very obvious a long time ago how unethical this company is?
This kind of behavior doesn't just go away after a bit of bad publicity or a few fines. It's part of the DNA of a company. Such a lack of ethics permeates everything from strategic decisions to technical choices to hiring.
Remember when a while back they downloaded far too much information from each phone (for the convenience of connecting you to people)? Everyone was surprised (some outraged) and then they pushed an update to stop that "feature" and when the CEO/Boss man posted a blog entry apologizing, everyone forgave the company, people were holding hands singing Kumbaya.
For those with WordPress installs who want to survive an HN frontpage:
1. if you don't have sudo, use the W3 Total Cache plugin http://wordpress.org/extend/plugins/w3-total-cache/
2. if you have sudo:
2a. the easy way: apt-get install memcached, add the pecl memcache extension, and use object-cache.php http://plugins.svn.wordpress.org/memcached/trunk/object-cache.php and batcache http://wordpress.org/extend/plugins/batcache/
2b. the hard way: varnish https://www.varnish-cache.org/ https://github.com/pkhamre/wp-varnish
I don't know the exact details of this story, may be the blogger accidentally pressed a button in the app and the messages were queued up for the following day.
However, if the story is indeed cut and dry:
1) Path sent messages that qualify as spam both because they had no permission to send them and they were false.
2) If this was intentional, this should be a red flag to investors not just of the company but the kind of people that run it.
3) This is nothing new. Tagged did the same thing, with e-mail, which to some degree falls afoul of less laws than using text messages or the telephone (other commentators pointed out that land line carriers convert SMS to voice calls, which is news to me.)
4) Using spammy methods to acquire users is a red flag for any web service. While arguably Facebook used and uses extremely aggressive e-mail notifications (sending out an e-mail for every minor thing, and whenever a new feature is added opting in the user to receive notifications by default), using spammy techniques means that your service will skew toward the bottom of the market that actually "falls" for these techniques (poor and illiterate) early on and actually scare away early adapters for multiple reasons.
5) In the short term, Path's metrics will look really good, but in the long term it could result in serious problems, least of which will be another news story with FTC settlement in it.
The weirdest part of this is that it apparently made voice calls to landlines? Why would they do that, it makes no sense. Unless maybe that's what the phone company does if you text a landline? Never tried it but I would be surprised...
If you send a text to a landline, a lot of providers will convert it to a phone call using some sort of text-to-speech API. I've done this by accident on older cell phones when I'd add someone's landline to a text message instead of their mobile number. This sounds like a nightmare scenario though for this poor chap and his family (and his dentist).
It's a reasonably standard thing in the UK. Useful at times, really annoying at other times... You can get landline phones that will actually receive the texts as texts; other phones get calls.
Various API that let you send SMS will make a call if the SMS can't be delivered, and then use text-to-speech to read the thing out to you. It's fairly obnoxious really.
One of my clients wanted me to implement the same thing for his iOS app. I told him, that I think it is illegal and if it is not, that it should be. Anyway, I never wrote that code.
From http://www.theverge.com/2013/4/30/4286090/path-is-spamming-a... it sounds like it's a result of "finding your friends" actually texting invites to friends, and then text messages being put in a queue so they're getting sent out even after the app is deleted.
Obviously such an action should be more clearly labelled. If it was, could they whitelist the times it sends out text messages to not do it at 6am? How easy is it to lookup an approximate region for a mobile number?
This seems to be a direct violation of Google Play policy:
"Do not send SMS, email, or other messages on behalf of the user without providing the user with the ability to confirm content and intended recipient."
Not quite. The messages aren't being sent from the device, they're being sent by Path from their own infrastructure once they've uploaded the address-book.
I share this guy's frustration. But with Whatsapp not Path - I heard not so nice things about Path so didn't bother trying it.
Anyway, after installing Whatsapp on my Android the app didn't spam my contacts, but quickly uploaded by entire contact list and hours later I started receiving spam from recruiters that had my phone number.
So far, not the app's fault.
But then I went on the delete the app, but first I wanted to delete any contact it had previously uploaded so it wouldn't keep my data.
How naive was I?! Whatsapp wouldn't let me delete the contacts it had previously uploaded.
Eventually I just gave up and deleted the app without clearing the app's data.
Deactivating your account just effectively hides your profile. You're only a couple clicks away from having it all restored if you so choose. They seem quite good at finding ways to screw up, surely they can still find a way to do this until they actually remove your data.
Path seems like a company which is doing everything wrong these days. My peeve with them is that I signed up and used it happily for a long time because it should be possible to get my data exported later. Now they have removed that from the FAQ/Support and their support mails are just ignorant saying "not possible but the team will look into it".
This might be off topic but I loved reading that post, it turned into comedy gold. The time I was at the third... (I don’t have any photos to share with them) I was giggling. And the list of people path called at the end killed me.
This is not a comment specifically on Path -- I don't know anything about what they are doing or not doing.
But more generally: one of the most interesting parts of startups is the tension between "Don't Be Evil" and "Don't Fail". It would be good to be able to discuss this more openly -- "Don't Be Evil" by itself is too utopian. Many of the most successful companies in the world did things in their early days -- or later -- that new entrepreneurs would never even consider -- until of course their own backs are up against the wall.
I have been a Path user since the app launched and have never had any text messages sent to my address book. Path informed users that the address book data hook was no longer there and that all data had been removed from their services after the initial FTC inquiry. I took that at face value but after this article I would be interested in hearing a response from the company about how my information is handled.
This is a feature while signing up if you use Facebook. It shows your friends with a phone number and if you don't uncheck them before tapping ‘next’, it will invite them.
[+] [-] crazygringo|13 years ago|reply
There's annoying spam, and then there's straight-out-lying spam -- the "x has sent you a message, you need to create an account to view it" type.
Just curious, is there a way to sue/fine a company like this for false advertising, essentially?
[+] [-] bitcartel|13 years ago|reply
Maybe it's time to create a Hippocratic Oath for developers to publicly commit to?
A future Path developer could then refuse to implement an unethical "feature" by pointing out that the company had hired them with the full knowledge that the oath had been undertaken.
I don't think the company would pink slip the developer, as they would probably want to avoid any attention being drawn to the unethical "feature" in a tribunal or other legal setting.
[+] [-] Avenger42|13 years ago|reply
http://arstechnica.com/tech-policy/2012/11/how-lawsuit-again...
> The case originated with two lawsuits claiming that Classmates.com had sent out millions of deceptive e-mails telling users that an old friend was trying to contact them, and had viewed their profile or signed their "guestbook." For the great majority, that wasn't true; no one at all had shown an interest in their profile. About 60 million users were contacted, and about 3 million actually took the bait, paying between $10 and $40 to Classmates.
[+] [-] matthewmcg|13 years ago|reply
[+] [-] JGM564|13 years ago|reply
http://arstechnica.com/tech-policy/2010/03/classmatescom-set...
[+] [-] creativityland|13 years ago|reply
Another app doing similar spamming is Circle: http://discovercircle.com - surprised no one talked about that...
[+] [-] SagelyGuru|13 years ago|reply
I incline towards the opinion that these sharks do it quite deliberately. They just don't care how many people they embarrass and annoy, as long as some of those tech-innocent grannies and plumbers join up and thus put figures on their business projection sheets that get these sharks closer to cashing in big on an FB style IPO.
[+] [-] joelhaasnoot|13 years ago|reply
[+] [-] jpatel3|13 years ago|reply
[+] [-] Tsagadai|13 years ago|reply
[+] [-] andrewhillman|13 years ago|reply
They will claim it's a "bug"... albeit one of those "viral bugs" that seems to lead to topping the App Store download charts. These tactics make me think there's no such thing as organic growth within the app stores.
[+] [-] mike-cardwell|13 years ago|reply
And the messages Facebook sends me telling me about an event and letting me know that one of my friends is a guest, when they've been invited but haven't actually confirmed.
[+] [-] Alex3917|13 years ago|reply
Yes. It's illegal to use someone else's likeness for advertising without their permission.
[+] [-] jrs235|13 years ago|reply
UPDATE: That appears to be related to collecting info on minors. Looks like they need to be fined again for this.
[+] [-] reidrac|13 years ago|reply
LinkedIn keeps asking me to share my mail user/password so I can connect with more people, and says that X and many others already did it. I can't tell about others, but X is my wife and I'm certain she didn't do it.
So well, as I said I think that this is just a matter of incompetence (ie. automated message gone wrong).
EDIT: typo
[+] [-] micampe|13 years ago|reply
Still bad, but quite a different perspective.
[+] [-] tlogan|13 years ago|reply
This approach might burn them completely but also can get them to some significant number of users (after which they will issue an apology and pay all fines if needed).
[+] [-] maxcan|13 years ago|reply
[+] [-] jacquesm|13 years ago|reply
Here's to hoping the next fine will exceed their cash reserves and we can put an end to this madness.
The post is proof positive that path still uploads phonebooks from the app to their servers right after installing it.
[+] [-] greghinch|13 years ago|reply
[+] [-] NoPiece|13 years ago|reply
[+] [-] OGinparadise|13 years ago|reply
If Path grows, I hope they just die (two strikes is enough for me!) more and more people will look under the hood.
[+] [-] dredmorbius|13 years ago|reply
It's a fun device. But it's a spy, outside my control, in my pocket.
I've rooted it, but haven't yet modded it (and if anyone cares to point me at a gentle introduction for CyanogenMod or another option that works on an HTC Incredible, I'm all ears).
I've been reasonably conservative in what apps I place on my phone, and several (Pandora specifically comes to mind) were removed when permissions were extended to include contacts (Pandora, you listening?).
I'm waiting eagerly for the following capabilities:
To define at the phone level what information I'm willing to share. Existing "privacy controls" make a mockery of any semblance of either "privacy" or "control" by distributing vague and conflicting access among a great many applications with no ability to centrally audit them.
To specifically grant to specific applications specific rights. My location is something I'll disclose very guardedly (I disable GPS functions on my phone). Other rights generally shouldn't be shared.
To request and audit ALL information a given application has of me in a convenient electronic format (such as a database dump accessibly by MySQL or Postgresql). Such functionality is of course a three-edged sword, as what information the vendor has and I wish to request a third party might also request pretending to be me. Or having legal authority to make the request (though that's already the case), via subpoena or warrant.
My contacts list is off limits. Full stop. Specific contacts might be contacted by way of an application if specifically designated by me, but no other use may be made of their information. Hell, it's not even mine to give.
The existing state of smartphones is interesting, but it's also a little shop of horrors. And if application authors, smartphone manufacturers, and telecom providers don't get their act together on this Real Soon Now, we're going to see some horror stories.
[+] [-] onemorepassword|13 years ago|reply
This kind of behavior doesn't just go away after a bit of bad publicity or a few fines. It's part of the DNA of a company. Such a lack of ethics permeates everything from strategic decisions to technical choices to hiring.
Expect more of the same.
[+] [-] eksith|13 years ago|reply
Edit: Here's when they flubbed a year ago.
http://news.cnet.com/8301-19882_3-57373474-250/path-ceo-we-a...
Edit2: Er... apparently, I suffered a seizure of some sort (and an aneurism and a stroke simultaneously). Reworded.
[+] [-] kemayo|13 years ago|reply
So, google cache: http://webcache.googleusercontent.com/search?q=cache%3Ahttp%...
[+] [-] taylorbuley|13 years ago|reply
[+] [-] raverbashing|13 years ago|reply
I'll make sure to never install Path
There are some abuses that can't be solved by an apology.
[+] [-] w1ntermute|13 years ago|reply
[+] [-] AJ007|13 years ago|reply
However, if the story is indeed cut and dry:
1) Path sent messages that qualify as spam both because they had no permission to send them and they were false.
2) If this was intentional, this should be a red flag to investors not just of the company but the kind of people that run it.
3) This is nothing new. Tagged did the same thing, with e-mail, which to some degree falls afoul of less laws than using text messages or the telephone (other commentators pointed out that land line carriers convert SMS to voice calls, which is news to me.)
4) Using spammy methods to acquire users is a red flag for any web service. While arguably Facebook used and uses extremely aggressive e-mail notifications (sending out an e-mail for every minor thing, and whenever a new feature is added opting in the user to receive notifications by default), using spammy techniques means that your service will skew toward the bottom of the market that actually "falls" for these techniques (poor and illiterate) early on and actually scare away early adapters for multiple reasons.
5) In the short term, Path's metrics will look really good, but in the long term it could result in serious problems, least of which will be another news story with FTC settlement in it.
[+] [-] evan_|13 years ago|reply
[+] [-] forgingahead|13 years ago|reply
[+] [-] andrewaylett|13 years ago|reply
[+] [-] quarterto|13 years ago|reply
[+] [-] nwh|13 years ago|reply
[+] [-] bochoh|13 years ago|reply
[+] [-] nikolakirev|13 years ago|reply
[+] [-] ajanuary|13 years ago|reply
Obviously such an action should be more clearly labelled. If it was, could they whitelist the times it sends out text messages to not do it at 6am? How easy is it to lookup an approximate region for a mobile number?
[+] [-] ysapir|13 years ago|reply
"Do not send SMS, email, or other messages on behalf of the user without providing the user with the ability to confirm content and intended recipient."
https://play.google.com/about/developer-content-policy.html
[+] [-] amirmc|13 years ago|reply
[+] [-] msantos|13 years ago|reply
[+] [-] DanI-S|13 years ago|reply
[+] [-] clauretano|13 years ago|reply
Contact them via their Desk service portal here http://service.path.com/customer/portal/emails/new and ask them to remove your data after deactivating.
[+] [-] taude|13 years ago|reply
Not deleting your content, though. I hate that.
[+] [-] haraball|13 years ago|reply
[+] [-] smickie|13 years ago|reply
[+] [-] pmarca|13 years ago|reply
But more generally: one of the most interesting parts of startups is the tension between "Don't Be Evil" and "Don't Fail". It would be good to be able to discuss this more openly -- "Don't Be Evil" by itself is too utopian. Many of the most successful companies in the world did things in their early days -- or later -- that new entrepreneurs would never even consider -- until of course their own backs are up against the wall.
[+] [-] sailfast|13 years ago|reply
[+] [-] lucahammer|13 years ago|reply
[+] [-] unknown|13 years ago|reply
[deleted]