Did Path Screw Up and Steal Your Data Again?

By Casey Chan on at

Yikes. Path, which got in trouble around this time last year for stealing your entire address book without your permission, might have another privacy issue on its hands. The app will automatically geotag your photos even when you've completely disabled Location Services for the Path app. It's basically doing something you explicitly told it not to do.

The bug or privacy loophole, depending on your perspective, was brought to light when Jeffrey Paul, hacker and security researcher, published a photo from his Camera Roll to Path. He had switched off location services yet Path used the existing embedded EXIF data on the photo and geotagged the post. That should not be how it works. Even if the photo had EXIF data, when location services are off, Path should never just add a geotag.

This issue isn't exactly the biggest deal in the world, Path is a social network where many folks tag their location, but it's another careless misstep for the promising app. In order to not have your location pop up in Path, you'd either have to solely use the Path camera for Path posts or turn off location service for the stock iPhone camera app. Both are inelegant solutions. Path responded to Paul on his blog, saying:

We take user privacy very seriously here at Path. Here is what we have discovered and how we are responding:
1. We were unaware of this issue and have implemented a code change to ignore the EXIF tag location.
2. We have submitted a new version with this fix to the App Store for approval.
3. We have alerted Apple about the concerns you've outlined here and will be following up with them.
One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data. This only affected photos taken with the Apple Camera and imported into Path.

Yeah, when you turn something off, it should stay off. [EEQJ via CNET]