Never miss an update Follow AppleInsider
Friday, February 01, 2013, 05:59 pm
Path found to geotag uploaded photos without user consent [Update: iOS update now in App Store]
On the day of Path's $800,000 settlement with the U.S. Federal Trade Commission, a new security issue has been discovered in which a user's location may be posted alongside uploaded photos even when Location Services has been disabled.Update: Path has informed AppleInsider that an updated version of the app is now available on the App Store after having been pushed to and accepted by Apple.
The apparent flaw was found by security researcher Jeffrey Paul, who detailed the backend problem that allows Path's iOS app to geotag a user's photos without permission. Paul's discovery is of particularly poor timing for Path, as the popular social network is once again in the news for settling with the FTC over similar privacy concerns.
Path’s iOS app will use the embedded EXIF tag location information from photos in the iOS Camera Roll to geotag your posts, even when you’ve explicitly disabled Location Services for the Path application. (The app knows, of course, that it’s not getting location data via normal means from Location Services, yet behaves this way even in that case.)According to The Next Web, Path has been made aware of the discrepancy and is looking into how to correct it. In a follow-up post to Paul's blog, Path Product Manager Dylan Casey was careful to point out that the app was not recording the location information of its users, the reason for the company's settlement with the FTC.
We take user privacy very seriously here at Path. Here is what we have discovered and how we are responding:Path was at the center of a small controversy regarding the harvesting and uploading of contact data from users' address books. The system was supposedly in place to make it easier for friends to connect with one another.
1. We were unaware of this issue and have implemented a code change to ignore the EXIF tag location.
2. We have submitted a new version with this fix to the App Store for approval.
3. We have alerted Apple about the concerns you’ve outlined here and will be following up with them.
One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data. This only affected photos taken with the Apple Camera and imported into Path.
As per the settlement's arrangement, in addition to the $800,000 penalty, Path is prohibited from making misrepresentations about the extent to which it maintains the privacy and confidentiality of users' personal information. Information collected from children under age 13 will be deleted, but the company has said it already removed the previously collected data.
On Topic: apps
- Facebook for iOS adds privacy options and status icons in update
- Lack of Voice Memos app in iOS 7 beta could leave space for third-party alternatives
- The Atlantic magazine debuts first weekly publication as iOS-only app
- Office comes to iOS: Microsoft releases Office 365 app for iPhone
- Robotics and AI firm Anki wants to bring video games to the real world with Anki Drive
Previous Comments View All
1. We were unaware that this feature, by design, would be discovered and have implemented a code change to ignore the EXIF tag location.
2. We have halfheartedly submitted a new version with this change we are legally obligated to call a fix to the App Store for approval.
3. We have alerted Apple about the concerns you've outlined here because we know they read your site and we want to come off as "on top of it" and will be following up with them.
Does this sound more accurate?
Why would part of the settlement be that they are not allowed to make misrepresentations about anything?!? Shouldn't that not require a settlement?
Why would part of the settlement be that they are not allowed to make misrepresentations about anything?!? Shouldn't that not require a settlement?
It's their experience dealing with Google, where they learned that, especially for privacy violators, it does require a settlement, and even then it doesn't always stop them.
Why would part of the settlement be that they are not allowed to make misrepresentations about anything?!? Shouldn't that not require a settlement?
There's a long list of tech or mobile companies that have settled FTC complaints concerning consumer deception without requiring the companies themselves to admit they did anything wrong. Included are Amazon, Apple, Dell, Facebook, Google, Microsoft and lots of others. Some like Google, Facebook and Path are required to stay under FTC watch for several years to confirm they comply. It looks like it's pretty much standard when the FTC comes to agreement with companies, perhaps for expediency.
Update: Path has informed AppleInsider that an updated version of the app is now available on the App Store after having been pushed to and accepted by Apple.
Bet their downloads are out of control.
/s
In regard to the use of EXIF data within Path photos, read the Federal Class Action Complaint: Hernadez v. Path, Inc , California Northern District Court, case number: 4:2012cv01515, filed March 26, 2012
Attorney Joseph H Malley, Dallas,Texas, Plaintiff Counsel for Hernadez.
In regard to the use of EXIF data within Path photos, read the Federal Class Action Complaint: Hernadez v. Path, Inc , California Northern District Court, case number: 4:2012cv01515, filed March 26, 2012
Attorney Joseph H Malley, Dallas,Texas, Plaintiff Counsel for Hernadez.
And normal procedure is to provide a link.
And normal procedure is to provide a link.
A lot of times, detailed links would require the reader to have a paid subscription to the legal data.
For example, putting that case number into Google finds this entry with a couple of items...
http://dockets.justia.com/docket/california/candce/4:2012cv01515/253108/
But it also points out that "to access additional information about this case on the US Court's PACER system. A subscription to PACER is required."
However, Google also finds plenty of free news reports on the topic.
Latest Apple Headlines
-
Steve Jobs discusses his legacy in rare 1994 video interview
~2 hours ago -
Briefly: Sprint LTE service expands to 22 more areas
~4 hours ago -
Facebook for iOS adds privacy options and status icons in update
~4 hours ago -
Google's Nexus 7 tablets dying early, possibly due to cheap memory
~4 hours ago -
Rumor: Russian video shows iPad version of iOS 7 beta
~4 hours ago - more...
Want to write for AppleInsider? Submit your application now!
| Model | White | Black | |
|---|---|---|---|
| iPad mini (WiFi only) | |||
| 16GB WiFi |  |
$329.00 | $329.00 |
| 32GB WiFi | |
$429.00 | $429.00 |
| 64GB WiFi | |
$529.00 | $529.00 |
| iPad mini (WiFi + 4G) | |||
 |
 |
 |
|
| 16GB 4G White | $459.00 | $459.00 | $459.00 |
| 32GB 4G White | $559.00 | $539.99 | $559.00 |
| 64GB 4G White | $659.00 | $659.00 | $629.99 |
| 16GB 4G Black | $459.00 | $459.00 | $459.00 |
| 32GB 4G Black | $559.00 | $539.99 | $539.99 |
| 64GB 4G Black | $659.00 | $659.00 | $629.99 |
Lowest Prices Anywhere!
| Model | Price | You Save |
|---|---|---|
| 11"1.3GHz/4GB/128GB | $964.18* | $34.82 |
| 11" 1.3GHz/8GB/128GB | $1,061.18* | $37.82 |
| 11" 1.3GHz/8GB/256GB | $1,255.18* | $43.82 |
| 11"1.7GHz/8GB/128GB | $1,206.68* | $42.32 |
| 11"1.7GHz/8GB/256GB | $1,400.68* | $48.32 |
| 11" 1.7GHz/8GB/512GB | $1,691.68* | $57.32 |
| 13" 1.3GHz/4GB/128GB | $1,061.18* | $37.82 |
| 13" 1.3GHz/4GB/256GB | $1,255.18* | $43.82 |
| 13" 1.3GHz/8GB/256GB | $1,352.18* | $46.82 |
| 13" 1.3GHz/8GB/512GB | $1,643.18* | $46.82 |
| 13" 1.7GHz/8GB/256GB | $1,497.00* | $52.00 |
| 13" 1.7GHz/8GB/512GB | $1,788.68* | $60.32 |
* price with Promo Code:
APPLEINSIDER01
|
||
| Click for even more configurations | ||
Ars has an article up on this too. Apparently it's also an iOS issue that Apple can probably fix without too much effort.
"Paul said his discovery also underscored the need for Apple to build safeguards into iOS that prevent EXIF or Exchangeable Image File format data embedded in photos from being detected by individual apps unless users explicitly approve. Apple added similar fine-grained protections last year preventing apps from accessing contacts, photos, and location data. The changes followed revelations that Path's iOS app uploaded users' entire address books to its servers, a controversy that touched off the FTC investigation resulting in Friday's settlement.
Path said it has alerted Apple to Paul's concerns."
http://arstechnica.com/apple/2013/02/path-promises-fix-for-new-privacy-liberties-taken-by-ios-app/