This doesn't seem nearly as clear-cut to me as Path's earlier grabbing of users' address book data. In this case, Path is accessing metadata of photos which the user has expressly granted Path access to. This is different from real-time location data.
But the app knows it has been explicitly denied location data, and uses the photo location data to tag the post anyway. The location is then displayed to other users on Path.
This is unacceptable behavior. At best it's a terrible and potentially physically dangerous bug. At worst it's complete disregard for user privacy.
I'm not complaining on theoretical grounds. I am on a temporary remote assignment, the location of which I wish to keep private due to business considerations. Before I left, I disabled location services for Path.
Today I posted a picture that I'd taken yesterday (after cropping out location-identifying features). Underneath, Path posted the name of the city that I'm in, publishing my location to all of my contacts.
Yup, additionally, you don't have to geotag your photos. The issue, however, is basically that most people are not aware that because they provided location permissions to the Camera app, photos used by other applications are able to access that tagged location data.
Lets put it in human terms. You have an abusive ex who tries to stalk you and has threatened your kids. You turn off the ability of the app to see your location. Your location gets geotagged anyway. Your doorbell rings.
What a silly thing to feign being outraged about. If you don't want Path to have access to your photos, then do not explicitly give it access to your photos. If you give the Camera app access to Location Services, then EXIF data is as much a part of your photos as aspect ratio, resolution, and the content of your photo. This is no different than if you gave Twitter access to Location Services, then gave Path access to your Twitter account, and then were supposedly outraged at Path being able to read the location of your tweets.
Since most of the users of things like iPhones, Path, Twitter, etc. are non-technical users, most will not be aware of things like EXIF data.
They are relying on reputable companies to be good stewards of their data, and infer their intent from their actions. I would expect Twitter, Facebook, Apple, and even Path to know that unless the user has enabled geotagging, they don't want their location leaked via EXIF.
That some of these companies do not do that is not surprising, but it is disappointing.
It's not feigning - I did not wish to provide Path (or my Path contacts) with my current location. Yet, Path published my location without my consent (after I had turned off location services for the application).
There is nothing that suggests that granting applications access to the content of your photos also grants them access to your current location.
>This is no different than if you gave Twitter access to Location Services, then gave Path access to your Twitter account, and then were supposedly outraged at Path being able to read the location of your tweets.
Am I the only one that doesn't think this is wrong? Metadata seems like fair game to me and I hardly think that Path is deliberately trying to steal data. They are probably just trying to make their user experience better.
(That's not to say we shouldn't have a discussion about data ownership and privacy. Just that we should wait to be outraged at things that actually deserve our outrage.)
I agree about the outrage part. There may not be malicious intent from Path, but I do think that there's a better way of allowing users to control their data. A simple extra option of "include location data from photos" would mitigate this entire scenario.
If this was a normal app, I'd be much more likely to agree with you.
Coming from the people caused Apple to issue an OS update to prevent them from stealing contacts... it deserves outrage. But 90% of that should be pointed at Path.
I don't agree with the article's stance that Path found a way to be jerks again, so clearly Apple screwed up. Phonebook access should have been restricted, but for this one the user has to select the photo, Path can't just read every photo and steal that information, so it's not nearly as serious as last year.
So I think the problem they have with this is that it makes Path look duplicitous.
On the one hand, you've indicated to Path that you're not interested in them making your location public. Maybe from an API standpoint maybe that just means location data off your phone, but from the user's standpoint, in a "use case" sense, it means your location, in any form.
And then Path adheres to that-- because they have too in an API sense-- but then goes right ahead and works out your location differently and uses that.
It reminds me of Airlines who advertise unreasonably cheap tickets and then have a bunch of extra fees and forced insurance which makes the total you have to pay right back up with everyone else. They aren't lying, in a vacuum their tickets are cheaper, but in the real world they aren't.
Path aren't lying either: they are not using your phone's location data off your phone, just like you asked. In the real world though, they're still doing it.
I don't see any stealing taking place here. Path doesn't access your location data as you instructed it. It accesses your photos' exif data which is a completely different thing.
Even if path didn't process and show in html these data, since you uploaded an image file which contains them, they would be available to anyone with access to this -now public- image through other means, like a simple browser plugin.
Let's go over this again: you set path to not access your phone's location api, you didn't set path to strip your exif data from your photos. If this feature is missing, you can ask for it.
Since you are a security researcher I would expect you to understand the real issue and warn your readers. Instead you act as you discovered a security flaw. What security issue you'll discover next? That credit cards have interest?
I'm a little bit in line with the other folks - if you grant access to a photo, the entirety of that Photo (exif data et al) should be available to the app.
I have another question (and I really don't mean it as snarkly as it'll sound) - if you are trying to keep yourself hidden - why are you posting to a social network (Path) and an aggregation site (hn)?
Should my desire for my personal location to remain private (for whatever reason: safety, professional courtesy, contractual obligations under NDA, et c) mean that I should not want to maintain any other type of digitally-mediated social communication with my colleagues, friends, and family?
>I'm a little bit in line with the other folks - if you grant access to a photo, the entirety of that Photo (exif data et al) should be available to the app.
Seems to me there are two different questions here.
1) Access.
2) Sharing.
I expect most people would be fine with an app accessing location data in order to present sharing options (Tag?) or respect previously expressed intent (Always tag! / Never tag!).
The problem comes from the app automatically sharing what it has accessed without prompt, seemingly against the expressed intent of the user.
I think the question here is pretty important, even if this particular case seems trivial.
It's not clear in the post: Is Path taking location information from photos and geotagging posts that do not include these pictures? Or are they just publishing the picture that you gotagged yourself and asked path to publish?
The former is outrageously slimy and the latter is clearly absolutely reasonable.
As far as I can tell from testing the app, it only posts the location of a photo when you explicitly post it to your Path. With Location Services turned off, I posted a photo that lacked a geotag and it contained no location information. I then posted a photo that had a geotag, and it posted the city the photo was taken in. Also, curiously, if you post a geotagged photo without any description text, it seems to omit the location data.
as little as this adds to the discussion, i think the title of the article is a huge exaggeration - uploading a geotagged image to a photosharing site that then displays the geotag in a user friendly format is hardly "stealing your data"
Clearly this guy doesn't know the legal grounds for libel. You can't throw unfounded accusations of malicious intent around. He deserves to be sued for publishing this BS.
iOS 5 used to require that you prompt the user for location data in order to have access to photos camera roll in a non standard user interface.
iOS 6 introduced the 'Access to Photos' privacy settings/prompting that separated photos from location.
This 'location' embedded in photos is different than user location, and I guess should really be considered a third case. I think 'photo metadata' might be an acceptable third option with an explanation of all that contains. Some photographers don't want their non-location EXIF data known too.
[+] [-] Bud|13 years ago|reply
[+] [-] sneak|13 years ago|reply
This is unacceptable behavior. At best it's a terrible and potentially physically dangerous bug. At worst it's complete disregard for user privacy.
I'm not complaining on theoretical grounds. I am on a temporary remote assignment, the location of which I wish to keep private due to business considerations. Before I left, I disabled location services for Path.
Today I posted a picture that I'd taken yesterday (after cropping out location-identifying features). Underneath, Path posted the name of the city that I'm in, publishing my location to all of my contacts.
Again: This is unacceptable behavior.
[+] [-] radicaldreamer|13 years ago|reply
[+] [-] JulianMorrison|13 years ago|reply
[+] [-] joeblossom|13 years ago|reply
If I disable location data for an app, Apple shouldn't allow any form of my location to be passed to that app.
[+] [-] baddox|13 years ago|reply
[+] [-] kennywinker|13 years ago|reply
They are relying on reputable companies to be good stewards of their data, and infer their intent from their actions. I would expect Twitter, Facebook, Apple, and even Path to know that unless the user has enabled geotagging, they don't want their location leaked via EXIF.
That some of these companies do not do that is not surprising, but it is disappointing.
[+] [-] sneak|13 years ago|reply
There is nothing that suggests that granting applications access to the content of your photos also grants them access to your current location.
[+] [-] incision|13 years ago|reply
That's a pretty bad analogy.
[+] [-] dfield|13 years ago|reply
(That's not to say we shouldn't have a discussion about data ownership and privacy. Just that we should wait to be outraged at things that actually deserve our outrage.)
[+] [-] keyboardP|13 years ago|reply
[+] [-] MBCook|13 years ago|reply
Coming from the people caused Apple to issue an OS update to prevent them from stealing contacts... it deserves outrage. But 90% of that should be pointed at Path.
I don't agree with the article's stance that Path found a way to be jerks again, so clearly Apple screwed up. Phonebook access should have been restricted, but for this one the user has to select the photo, Path can't just read every photo and steal that information, so it's not nearly as serious as last year.
[+] [-] SCdF|13 years ago|reply
On the one hand, you've indicated to Path that you're not interested in them making your location public. Maybe from an API standpoint maybe that just means location data off your phone, but from the user's standpoint, in a "use case" sense, it means your location, in any form.
And then Path adheres to that-- because they have too in an API sense-- but then goes right ahead and works out your location differently and uses that.
It reminds me of Airlines who advertise unreasonably cheap tickets and then have a bunch of extra fees and forced insurance which makes the total you have to pay right back up with everyone else. They aren't lying, in a vacuum their tickets are cheaper, but in the real world they aren't.
Path aren't lying either: they are not using your phone's location data off your phone, just like you asked. In the real world though, they're still doing it.
[+] [-] andmarios|13 years ago|reply
Even if path didn't process and show in html these data, since you uploaded an image file which contains them, they would be available to anyone with access to this -now public- image through other means, like a simple browser plugin.
Let's go over this again: you set path to not access your phone's location api, you didn't set path to strip your exif data from your photos. If this feature is missing, you can ask for it.
Since you are a security researcher I would expect you to understand the real issue and warn your readers. Instead you act as you discovered a security flaw. What security issue you'll discover next? That credit cards have interest?
[+] [-] cykod|13 years ago|reply
I have another question (and I really don't mean it as snarkly as it'll sound) - if you are trying to keep yourself hidden - why are you posting to a social network (Path) and an aggregation site (hn)?
[+] [-] sneak|13 years ago|reply
That doesn't really make sense now, does it?
[+] [-] incision|13 years ago|reply
Seems to me there are two different questions here.
1) Access. 2) Sharing.
I expect most people would be fine with an app accessing location data in order to present sharing options (Tag?) or respect previously expressed intent (Always tag! / Never tag!).
The problem comes from the app automatically sharing what it has accessed without prompt, seemingly against the expressed intent of the user.
I think the question here is pretty important, even if this particular case seems trivial.
[+] [-] freshhawk|13 years ago|reply
The former is outrageously slimy and the latter is clearly absolutely reasonable.
[+] [-] baddox|13 years ago|reply
[+] [-] zacaltman|13 years ago|reply
[+] [-] unknown|13 years ago|reply
[deleted]
[+] [-] onethree|13 years ago|reply
[+] [-] faultbot|13 years ago|reply
[+] [-] kingnight|13 years ago|reply
iOS 6 introduced the 'Access to Photos' privacy settings/prompting that separated photos from location.
This 'location' embedded in photos is different than user location, and I guess should really be considered a third case. I think 'photo metadata' might be an acceptable third option with an explanation of all that contains. Some photographers don't want their non-location EXIF data known too.
[+] [-] tlrobinson|13 years ago|reply
[+] [-] faultbot|13 years ago|reply
[+] [-] tolmark12|13 years ago|reply
[+] [-] faultbot|13 years ago|reply
[+] [-] minm|13 years ago|reply