Path's iOS app (yes, that
same Path that was caught stealing users' entire address books last
) will use the embedded EXIF tag location information from
photos in the iOS Camera Roll to geotag your posts, even when you've
Location Services for the Path application.
(The app knows, of course, that it's not getting location data via normal
means from Location Services, yet behaves this way even in that
This is surely terrible form on Path's part (and, after the previous
contact-stealing, a pretty clear indication that they don't give two fucks
about four fucks about your personal privacy), but the real question here is
shown to be:
Should Apple's iOS allow applications for which Location
Services are explicitly disabled to access location information
embedded (by the iOS Camera app) in photos stored in the Camera Roll
(when access to photos is granted)?
I think the answer here is very clearly no
. If you disable
location services for an app, for example, a photo-sharing app or social
network, yet take a photo every day (using the Camera app) and then later
use that same application (which you have not granted access to your
position) to upload that photo, the OS should prohibit the application from
detecting your location via the EXIF information in that photo. Otherwise,
the app will still have your location on a regular basis, despite the clear
opposite intent being expressed by the user (through the disabling of
location services for that particular app). This seems pretty clear to me.
Last year it certainly seemed that, following their contact-stealing mess,
Apple implemented per-app per-resource permissions (contacts, photos,
location, etc) very quickly - perhaps even in response to Path's conduct.
Now it's time for them to close the loophole created by EXIF location tags
What are your thoughts?
PS: This loophole has been reported to Apple as of today (rdar://13130249
Dylan Casey, the Product Manager at Path, writes the following in a comment
(which you can see down in the comments section):
Hey Jeffery, thanks for alerting us to this. We take user privacy
very seriously here at Path. Here is what we have discovered and how
we are responding:
1. We were unaware of this issue and have implemented a code change
to ignore the EXIF tag location.
2. We have submitted a new version with this fix to the App Store
3. We have alerted Apple about the concerns you've outlined here and
will be following up with them.
One note to clarify: If a Path user had location turned off and an
image was taken with the Path camera, Path does not have the
location data. This only affected photos taken with the Apple
Camera and imported into Path.
Additionally, I have word from Twitter user @Jason_Diaz
that he tweeted
the issue at them
over six weeks ago. His conclusions are roughly
the same as mine.
Path's response includes everything except "we're sorry for violating the
trust you've placed in us". It talks about how they're changing the
behavior - but if it was wrong in the first place, their users deserve an
apology for such carelessness when implementing sensitive privacy features
such as this one.