
Once again, Path steals your data without permission - sneak
https://eeqj.com/20130201/path-privacy/
======
Bud
This doesn't seem nearly as clear-cut to me as Path's earlier grabbing of
users' address book data. In this case, Path is accessing metadata of photos
which the user has expressly granted Path access to. This is different from
real-time location data.

~~~
joeblossom
I agree -- I think this is more Apple's problem than anything.

If I disable location data for an app, Apple shouldn't allow any form of my
location to be passed to that app.

~~~
MBCook
Path managed to screw up so bad last time they forced a _change in the OS_. A
year later and they're caught again uploading some of the user's data that
they weren't explicitly granted access to. At least they can't scan the pictures
without you choosing one in the photo picker.

At this point, I think Apple needs to pull the app and revoke their developer's
license.

I seriously doubt they'll do that. It's more likely some new law will be
passed because of this than Apple will take such a big step.

And I don't think a new law is likely at all.

~~~
Raphael
At this point, Apple should change their camera app to make it clear when it's
geo-tagging.

~~~
sneak
I _want_ geotagged photos. I take tons of photos and use the timestamp+geotag
to archive lots of other datestamped data according to my travels, not just
photos.

I just don't want every sketch-ass third-party app that I want to post some
scenery into to know exactly where I am.

Too much to ask?

------
baddox
What a silly thing to feign being outraged about. If you don't want Path to
have access to your photos, then do not explicitly give it access to your
photos. If you give the Camera app access to Location Services, then EXIF data
is as much a part of your photos as aspect ratio, resolution, and the content
of your photo. This is no different than if you gave Twitter access to
Location Services, then gave Path access to your Twitter account, and then
were supposedly outraged at Path being able to read the location of your
tweets.

~~~
sneak
It's not feigning - I did not wish to provide Path (or my Path contacts) with
my current location. Yet, Path published my location without my consent (after
I had turned off location services for the application).

There is nothing that suggests that granting applications access to the
content of your photos also grants them access to your current location.

~~~
bjtitus
You are not granting them access to your current location...you are granting
them access to the photo's location.

Facebook and Twitter also make available the location of your photos. Is
there a particular reason you are singling out Path? I hope it's not a stretch
to assume this is a page view grabbing technique.

~~~
sneak
I don't use Facebook because of their privacy track record, and I have all
geolocation disabled for Twitter.

Twitter respects the geolocation setting, and strips the exif location data
from photos when serving them. Whether or not they do this before upload is
unknown, but pictures posted to Twitter from the iOS app do not include
location data when geotagging of tweets is disabled.

The reason I'm not picking on them is because neither of them (Twitter due to
Doing The Right Thing, Facebook due to lack of opportunity) have published my
private data in express violation of my wishes. Path did so today.

------
dfield
Am I the only one that doesn't think this is wrong? Metadata seems like fair
game to me and I hardly think that Path is deliberately trying to steal data.
They are probably just trying to make their user experience better.

(That's not to say we shouldn't have a discussion about data ownership and
privacy. Just that we should wait to be outraged at things that actually
deserve our outrage.)

~~~
keyboardP
I agree about the outrage part. There may not be malicious intent from Path,
but I do think that there's a better way of allowing users to control their
data. A simple extra option of "include location data from photos" would
mitigate this entire scenario.

~~~
MBCook
> There may not be malicious intent from Path

Malicious implies they're trying to do harm, which I don't think is the case.
But geotagging posts when the user clearly didn't authorize you to access that
information is dubious and underhanded at a minimum.

After last year's incident, they've lost all benefit of doubt.

~~~
thedufer
I agree based on a dictionary definition of malicious, but I think people are
using it here to mean "things that they know users explicitly don't want and
are doing anyway". Having privacy settings and then completely ignoring them
might not be malicious - you don't intend to harm your customers, only to
increase your profits in some way - but I think that common usage of the word
"malicious" would include that case.

------
SCdF
So I think the problem they have with this is that it makes Path look
duplicitous.

On the one hand, you've indicated to Path that you're not interested in them
making your location public. Maybe from an API standpoint that just
means location data off your phone, but from the user's standpoint, in a "use
case" sense, it means your location, in any form.

And then Path adheres to that -- because they have to in an API sense -- but
then goes right ahead and works out your location _differently_ and uses that.

It reminds me of airlines who advertise unreasonably cheap tickets and then
have a bunch of extra fees and forced insurance which makes the total you have
to pay right back up with everyone else. They aren't lying, in a vacuum their
tickets are cheaper, but in the real world they aren't.

Path aren't lying either: they are not using your phone's location data off
your phone, just like you asked. In the real world though, they're still doing
it.

------
andmarios
I don't see any stealing taking place here. Path doesn't access your location
data as you instructed it. It accesses your photos' exif data which is a
completely different thing.

Even if Path didn't process and show in HTML these data, since you uploaded an
image file which contains them, they would be available to anyone with access
to this -now public- image through other means, like a simple browser plugin.

Let's go over this again: you set Path to not access your phone's location
API, you didn't set Path to strip your EXIF data from your photos. If this
feature is missing, you can ask for it.

Since you are a security researcher I would expect you to understand the real
issue and warn your readers. Instead you act as if you discovered a security
flaw. What security issue will you discover next? That credit cards have
interest?

------
cykod
I'm a little bit in line with the other folks - if you grant access to a
photo, the entirety of that Photo (exif data et al) should be available to the
app.

I have another question (and I really don't mean it as snarkily as it'll sound)
- if you are trying to keep yourself hidden - why are you posting to a social
network (Path) and an aggregation site (HN)?

~~~
sneak
Should my desire for my personal location to remain private (for whatever
reason: safety, professional courtesy, contractual obligations under NDA,
etc.) mean that I should not want to maintain any other type of
digitally-mediated social communication with my colleagues, friends, and family?

That doesn't really make sense now, does it?

------
freshhawk
It's not clear in the post: Is Path taking location information from photos
and geotagging posts that do not include these pictures? Or are they just
publishing the picture that you geotagged yourself and asked Path to publish?

The former is outrageously slimy and the latter is clearly absolutely
reasonable.

~~~
baddox
As far as I can tell from testing the app, it only posts the location of a
photo when you explicitly post it to your Path. With Location Services turned
off, I posted a photo that lacked a geotag and it contained no location
information. I then posted a photo that had a geotag, and it posted the city
the photo was taken in. Also, curiously, if you post a geotagged photo without
any description text, it seems to omit the location data.

------
zacaltman
This post annoyed me. I have a solution: don't use Path. Also, don't share
your photos. Problem solved.

------
onethree
As little as this adds to the discussion, I think the title of the article is
a huge exaggeration - uploading a geotagged image to a photo-sharing site that
then displays the geotag in a user-friendly format is hardly "stealing your
data".

~~~
faultbot
Clearly this guy doesn't know the legal grounds for libel. You can't throw
unfounded accusations of malicious intent around. He deserves to be sued for
publishing this BS.

------
kingnight
iOS 5 used to require that you prompt the user for location data in order to
have access to photos camera roll in a non standard user interface.

iOS 6 introduced the 'Access to Photos' privacy settings/prompting that
separated photos from location.

This 'location' embedded in photos is different than user location, and I
guess should really be considered a third case. I think 'photo metadata' might
be an acceptable third option with an explanation of all that contains. Some
photographers don't want their non-location EXIF data known too.

------
tlrobinson
I happen to like this feature. If I don't get a chance to post a photo at the
time I take it Path will know where it was taken if I post it later.

------
faultbot
This is a completely irresponsible headline. If loose claims of "theft" like
this were directed at my company, I'd sue for libel.

------
tolmark12
I have a very hard time believing Path is doing anything underhanded or
malicious here. Link bait?

~~~
faultbot
His whole Twitter feed is link bait. And he's deleting all disagreements in
the comments on his blog. We have fed the troll.

------
minm
Once the data leaves your device, it is all business. There is nothing much
you can do about it.

