Path found to geotag uploaded photos without user consent [Update: iOS update now in App Store]On the day of Path's $800,000 settlement with the U.S. Federal Trade Commission, a new security issue has been discovered in which a user's location may be posted alongside uploaded photos even when Location Services has been disabled.
Update: Path has informed AppleInsider that an updated version of the app is now available on the App Store after having been pushed to and accepted by Apple.
The apparent flaw was found by security researcher Jeffrey Paul, who detailed the backend problem that allows Path's iOS app to geotag a user's photos without permission. Paul's discovery is of particularly poor timing for Path, as the popular social network is once again in the news for settling with the FTC over similar privacy concerns.
Paths iOS app will use the embedded EXIF tag location information from photos in the iOS Camera Roll to geotag your posts, even when youve explicitly disabled Location Services for the Path application. (The app knows, of course, that its not getting location data via normal means from Location Services, yet behaves this way even in that case.)According to The Next Web, Path has been made aware of the discrepancy and is looking into how to correct it. In a follow-up post to Paul's blog, Path Product Manager Dylan Casey was careful to point out that the app was not recording the location information of its users, the reason for the company's settlement with the FTC.
We take user privacy very seriously here at Path. Here is what we have discovered and how we are responding:Path was at the center of a small controversy regarding the harvesting and uploading of contact data from users' address books. The system was supposedly in place to make it easier for friends to connect with one another.
1. We were unaware of this issue and have implemented a code change to ignore the EXIF tag location.
2. We have submitted a new version with this fix to the App Store for approval.
3. We have alerted Apple about the concerns youve outlined here and will be following up with them.
One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data. This only affected photos taken with the Apple Camera and imported into Path.
As per the settlement's arrangement, in addition to the $800,000 penalty, Path is prohibited from making misrepresentations about the extent to which it maintains the privacy and confidentiality of users' personal information. Information collected from children under age 13 will be deleted, but the company has said it already removed the previously collected data.