This is unacceptable behavior. At best it's a terrible and potentially physically dangerous bug. At worst it's complete disregard for user privacy.
I'm not complaining on theoretical grounds. I am on a temporary remote assignment, the location of which I wish to keep private due to business considerations. Before I left, I disabled location services for Path.
Today I posted a picture that I'd taken yesterday (after cropping out location-identifying features). Underneath, Path posted the name of the city that I'm in, publishing my location to all of my contacts.
Again: This is unacceptable behavior.
Well this is clearly part of the real problem. Anyone who saw the photo could have seen where they were taken from the EXIF data because you didn't clear it. Most users don't know that the data is there and don't know that they need to, it's a weird thing privacy wise and a lot of people get put in weird situations because of it. (McAfee comes to mind.)
You're still telling the Internet where you were even if Path doesn't go ahead and tag it and make it visible to you. If anything, what they've done is actually saved you some embarrassment and made you realize that data was there so you could take action about it (like taking down the photos and posted ones with cleared EXIF data) if you want.
But 90% of the time for 90% of users, this EXIF data is pretty useful. It's kind of a pickle and really to solve it properly what you're asking iOS to do is give files with completely different metadata out based on the user's privacy preferences, which aren't always spelled out entirely clearly, especially the way iOS works with kind of an all or nothing location privacy selection. You can't really tell the OS "Hey, for the next five days, let's not be explicit about where I am." or "Hey, keep my privacy for me when I'm in a certain geofence".
This is stuff they could add, but doing it right isn't trivial.
I'll never understand this mindset.
When I tell my smartphone "Don't give this app location data" then that is pretty damn unambiguous. It's not like there are countless ways for an app to obtain such data. It can request it via API, or it can read it from images. At the least, if the images were taken on this phone (which a computer can very well determine), then I would expect the data to be stripped. If the phone stores location data in other file-types then I'd expect those to be stripped in the same way.
The technocrat stance "but we meant only one kind of location data" doesn't fly when the user intent is about as clear as it can get. It's exactly the kind of "smart" that I expect from a "smart" phone.
Sure, that case is somewhat more simple, but that's rarely what most people actually want. What most people actually want is to sometimes hide their location from most things when it's sensitive and leave the phone and most apps free to know when it's not.
I think they need to actually support the types of location privacy preferences users are going to want if they want to do location privacy correctly.
What I describe is a simple bug; a defective on/off-switch.
When I ask you to not give anyone my address, yet you give everyone access to a drawer full of documents that you annotated with my address, then you can hardly claim to have taken my request seriously.
The on/off switch was originally designed for whether or not you wanted to give the app access to GPS information. Some people say no simply to save power. EXIF data and other types of data which can be used to identify your location are different.
If you want controls over location privacy you should build real controls over location privacy, not pretend that a control that's displayed only once the first time you use an app and only for apps that access GPS-like information is a location privacy control.
You can identify a location from a bunch of different types of data. If you want to fix the bug you need an actual fix and that requires a better location privacy control.
(Also if you answered no to all of those questions at the beginning of my post, I'd bet you'd change your tune in an instant if someone at Path simply reprogrammed their stuff to geotag based on a geoip lookup from your submission. Then you and others would probably say that this control is supposed to prevent that type of location data too.)
No. I have stated explicitly what I want and only one of your points (strip location data from files that the phone created) was part of it.
Btw GeoIP is not equivalent to a GPS tag and rather useless on mobile IPs. Try looking up your own if you don't believe.
It's not hard to get this right. They just chose not to, either through neglect or malice.
If you want the system to manage that metadata properly you need to give the users better controls than the existing coarse grained per app location preferences. I think they should, but the suggestions most people are making to fix this on HN are very narrow.
Path, of course, knows where I am due to the geolocation of the IP from which I post.
My intent was communicated to the app through the disabling of location services. Posting my location uncovered through parsing EXIF is the opposite of my configured intent.
When I post pictures to Twitter, Twitter receives the EXIF-tagged photos, too. They, however, don't serve them with the geotags, as I have disabled geotagging for my account. I haven't tested if they just strip all photo EXIF, or only for accounts that disabled geotagged tweets.
On iOS in particular it's possible to receive location updates only when changing cell towers, wifi, etc, basically it doesn't use any extra battery.
A few days ago I turned this behaviour off on an app and replaced it with a behaviour where instead it polls for location for a few seconds on start and then shuts off all location services because users disable location services because they believe it is negatively impacting their battery life.
The complaints weren't your tracking my location, the complaints were you're killing my battery life.
The point is^ that users don't (and couldn't be expected to) understand that location service permissions aren't transitive. They have gone to the options menu and said "No path, you may not use my location". The result is that path has still used their location. The steps from A to B and the technical steps taken are-- from a user's perspective-- irrelevant.
^I'm not an iOS user, so maybe the UI makes this all blindingly obvious, in which case I apologise and you can ignore my entire response.
That's what I was thinking.
I recall testing Google+ to see if it would pull location data out a picture I'd take previously at the time of posting even though I'd set the app not provide location with the post - for fear of exactly this.
In the G+ case, it won't go and tag the photo, but it doesn't strip the location data out either.
Not sure what you mean here. If my app loaded a user's picture, and they said they don't want location data to be used in my app, a simple if check will decide whether or not EXIF data should be read. This is hardly "every imaginable length".
Of course, this may just be a bug, so I don't think we can jump to any conclusions about Path's intentions.
I think it's ludicrous. iOS is quite clear in its explanation of Location Services, and their explanation is not at all "technical" or intimidating to non-technical users. Also, the permission to access your photos is completely separate from the Location Services permission. Maybe you the author would have a point if iOS automatically gave apps access to your camera roll, but that's not the case.
I don't doubt that some users will be surprised by the photo's geotag, but I suspect it would be an extremely low number of users (the fact that this if just now being blogged about seems to corroborate this, unless Path have just recently added this behavior).
As you said, Location Services and Photo access are different permissions. Users are therefore likely to assume that location data is not being retrieved if they deny permission to it. If I deny location data to an app, it's because I don't want that app to have my location data. It seems somewhat underhanded, to me at least, to assume that the user wouldn't mind me accessing location data from their photos, knowing full well that the majority of users will not know what EXIF data is. I'd go so far as to say that I would explicitly ask the user if EXIF data should be read alongside the standard location services.
But, to me, if I was told that my app can't access location information, I would assume that it's because the user doesn't want my app to access location information and have my app run with that mindset.
You want your iPhone's camera to access location for one app, but not for another. What would you do? What you're saying is that the user has no choice and it's all or nothing. Give location data to all apps requiring photos or disable it completely.
Is Path supposed to censor those image?
You choose to tag your photo. You chose to share the photo. How is that different than posting a text that says where you location is?
That's not the point at all. Your example is of someone explicitly announcing their location. The issue at hand, which may or may not be a bug, is that the metadata is being used to publish the user's location even after they've said that they don't want the app accessing the Location Services.
Technically, there's nothing wrong in that because the app isn't accessing the Location Services. However, I'm pretty sure most users would assume the app won't use any location data by turning that setting off. If you denied an app location data, would you be happy that they still managed to get location data via a means that's not necessarily obvious?