In February last year, social networking app Path found itself mired by privacy controversy after it allegedly stole users’ address books. Exactly a year later, Path has found itself embroiled in yet another privacy related mess after it has been revealed that the app has been geo-tagging images even after users have disabled location services.
According to security researcher Jeffrey Paul, Path’s iOS app will use the embedded EXIF tag location information – which contains GPS coordinates – from photos in your phone’s iOS Camera Roll to geo-tag the posts you put up. What is worse is that the app will continue to do so even after you have explicitly disabled Location services for the Path app. “The app knows, of course, that it’s not getting location data via normal means from Location Services, yet behaves this way even in that case,” a disgruntled Paul wrote.
Paul revealed in an interview that he found out about Path’s security lapse while trying to post an image after disabling the app’s access to his location. "I wasn't necessarily doing research to find this issue with Path," Paul said in an interview. "I was just using it in the course of my normal, day-to-day use. They ended up publishing data that I had expressly intended not to publish."
First the address book, then the location
The loophole here is that Path is being able to access Location Services data, despite being explicitly denied permission to, because an image taken by the normal camera app is storing it. Paul says that Apple should prohibit any application from detecting user location via the EXIF information in photos. It might look like you have stopped an app from determining your location, but you may end up innocently revealing your position because another app knows where you are.
Dylan Casey, Product Manager, Path, replied to Paul thanking him for alerting them about this issue. He said that they were making following changes to the App: “We were unaware of this issue and have implemented a code change to ignore the EXIF tag location. We have submitted a new version with this fix to the App Store for approval. We have alerted Apple about the concerns you’ve outlined here and will be following up with them.”
Casey also went on to clarify that Path would not have access to location data if it was turned off and the app within the camera was used to take pictures. The only affected images were the ones clicked with the Apple Camera app and imported to Path.
What makes this issue more awkward for Path is that it comes at a time when the company had only just settled charges with the Federal Trade Commission for deceiving users by improperly collecting and storing personal information from their mobile devices’ address books without their knowledge or content last year.
The company also had to settle allegations that said that it had violated Children’s Online Privacy Protections Act for not automatically preventing users who showed that they were under 13 years of age from signing up for the application.
Path ended up paying $800,00 fine and deleting around 3.000 accounts. In addition to this, Path has agreed to submit to independent privacy audits for the next 20 years.