In its settlement with the FTC announced today, Path closed the door on one privacy controversy, but it seems the company may soon find itself embroiled in yet another. According to security researcher Jeffrey Paul, Path will geotag your posts on the social network even after you've disabled location services for the app. How is it accomplishing this? By pulling EXIF data — which contains GPS coordinates — from any images you've attached via the iOS camera roll, Path is able to uncover the location where each shot was taken.
We're not sure why the company would blatantly disregard user preferences in this way, so if Paul is correct it's most likely some sort of oversight on the part of Path's programmers. Thus far we've been unable to replicate the issue, but have reached out to Path for clarification. In the meantime, you can work around this privacy hole either by refraining from attaching photos to Path posts, or by disabling your iPhone's camera from geotagging photos in the first place.
Update: We were able to replicate the geotagging issue when attaching photos taken with Apple's Camera app. Path has confirmed the bug in a response posted directly to Jeffrey Paul's blog:
Jeffery, thanks for alerting us to this. We take user privacy very seriously here at Path. Here is what we have discovered and how we are responding:
1. We were unaware of this issue and have implemented a code change to ignore the EXIF tag location.
2. We have submitted a new version with this fix to the App Store for approval.
3. We have alerted Apple about the concerns you've outlined here and will be following up with them.
One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data. This only affected photos taken with the Apple Camera and imported into Path.
Dylan Casey, Product Manager, Path