Once again, Path steals your data without permission.

Path's iOS app (yes, that same Path that was caught stealing users' entire address books last February) will use the embedded EXIF tag location information from photos in the iOS Camera Roll to geotag your posts, even when you've explicitly disabled Location Services for the Path application. (The app knows, of course, that it's not getting location data via normal means from Location Services, yet behaves this way even in that case.) This is surely terrible form on Path's part (and, after the previous contact-stealing, a pretty clear indication that they don't give two fucks about four fucks about your personal privacy), but the real question here is shown to be:
Should Apple's iOS allow applications for which Location Services are explicitly disabled to access location information embedded (by the iOS Camera app) in photos stored in the Camera Roll (when access to photos is granted)?
I think the answer here is very clearly no. If you disable location services for an app, for example, a photo-sharing app or social network, yet take a photo every day (using the Camera app) and then later use that same application (which you have not granted access to your position) to upload that photo, the OS should prohibit the application from detecting your location via the EXIF information in that photo. Otherwise, the app will still have your location on a regular basis, despite the clear opposite intent being expressed by the user (through the disabling of location services for that particular app). This seems pretty clear to me. Last year it certainly seemed that, following their contact-stealing mess, Apple implemented per-app per-resource permissions (contacts, photos, location, etc) very quickly - perhaps even in response to Path's conduct. Now it's time for them to close the loophole created by EXIF location tags in photos. What are your thoughts? PS: This loophole has been reported to Apple as of today (rdar://13130249).

Update, 01FEB13:

Dylan Casey, the Product Manager at Path, writes the following in a comment (which you can see down in the comments section):
Hey Jeffery, thanks for alerting us to this. We take user privacy very seriously here at Path. Here is what we have discovered and how we are responding: 1. We were unaware of this issue and have implemented a code change to ignore the EXIF tag location. 2. We have submitted a new version with this fix to the App Store for approval. 3. We have alerted Apple about the concerns you've outlined here and will be following up with them. One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data. This only affected photos taken with the Apple Camera and imported into Path. Thanks, Dylan Casey
Additionally, I have word from Twitter user @Jason_Diaz that he tweeted the issue at them over six weeks ago. His conclusions are roughly the same as mine. Path's response includes everything except "we're sorry for violating the trust you've placed in us". It talks about how they're changing the behavior - but if it was wrong in the first place, their users deserve an apology for such carelessness when implementing sensitive privacy features such as this one.