While on assignment for business recently, Jeffrey Paul posted a photo to the social network Path.
For business reasons, he didn't want to tell his contacts where he was at the time. He had already disabled Path's access to his location in iOS settings. After he took his photo, he had carefully cropped it to obscure anything that might have identified his location.
But when he hit publish, there it was: the name of the city he was in. He deleted the post immediately, but the disclosure shook him. In a subsequent post on his company's blog, he identified the cause of the privacy breach: Path used metadata contained in the photo to find his location and publish it inside the app. Even though Path wasn't supposed to know where it was, it did, thanks to information tagged inside the picture.
Paul, a self-described hacker and security researcher, posted his findings yesterday on his personal website.
"I wasn't necessarily doing research to find this issue with Path," Paul said in an interview. "I was just using it in the course of my normal, day-to-day use. They ended up publishing data that I had expressly intended not to publish."
Paul grants that he is an edge case -- most people use Path with location services turned on, and the service is designed for sharing with a small, intimate group of friends with whom the user feels comfortable sharing intimate details.
At the same time, the case illustrates the fiendish complexity of managing one's privacy in the digital era. An average user who disables location services for a given app likely expects that app would not be able to see where the user is. In the Privacy area of the Settings app, a note says "Photos stored on your iPhone may contain other information, such as when and where the photo was taken." Most users will have trouble determining whether and when their pictures include that information.
One work-around is to disable location services for the camera itself, as described here.
But the larger issue remains. When even software programmers can't navigate their smartphones' privacy settings, what hope does a non-programmer have?
Paul said the issue is one Apple should consider addressing. When users disable location services for a particular app, they might assume the app can't ever know where they are. But the setting is effectively undone as soon as the user grants access to the camera roll, which may come as a surprise.
CNET has contacted Apple for comment and will update this post if we hear back.
"I don't think it's malice, I think it's just carelessness," Paul said. "But the net effect is the same to me. They have published information about me personally that I have expressly attempted to prevent them from publishing."
A Path spokeswoman said the company was looking into the matter.
The issue became the subject of a lively Hacker News thread yesterday, with some participants saying that solving the issue is more difficult than it appears. User D J Capelis wrote that "90% of the time for 90% of users, this EXIF data is pretty useful."
"It's kind of a pickle and really to solve it properly what you're asking iOS to do is give files with completely different metadata out based on the user's privacy preferences, which aren't always spelled out entirely clearly, especially the way iOS works with kind of an all-or-nothing location privacy selection," she wrote. "You can't really tell the OS 'Hey, for the next five days, let's not be explicit about where I am.' or 'Hey, keep my privacy for me when I'm in a certain geofence'.
"This is stuff they could add, but doing it right isn't trivial."
Paul's post comes at an awkward time for Path. The San Francisco startup on Friday settled charges with the Federal Trade Commission that it deceived users by improperly collecting and storing personal information from their mobile devices' address books without their knowledge or consent. The company also settled allegations that it violated the Children's Online Privacy Protections Act by not automatically preventing users who indicated they were under 13 years old from creating accounts.
Path paid an $800,000 fine and purged 3,000 accounts from its network. The company also has to submit to independent privacy audits for the next 20 years.
In the meantime, Path has lost a user.
"The amount of care I would expect from a developer was not exercised when thinking through the privacy implications of their application," Paul said.
Update, 1:36 p.m.: Path product manager Dylan Casey has posted the following response to Paul's blog.
We take user privacy very seriously here at Path. Here is what we have discovered and how we are responding:
1. We were unaware of this issue and have implemented a code change to ignore the EXIF tag location.
2. We have submitted a new version with this fix to the App Store for approval.
3. We have alerted Apple about the concerns you've outlined here and will be following up with them.
One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data. This only affected photos taken with the Apple Camera and imported into Path.