Once again, Path steals your data without permission (eeqj.com)
104 points by sneak on Feb 1, 2013 | hide | past | favorite | 85 comments



This doesn't seem nearly as clear-cut to me as Path's earlier grabbing of users' address book data. In this case, Path is accessing metadata of photos which the user has expressly granted Path access to. This is different from real-time location data.


But the app knows it has been explicitly denied location data, and uses the photo location data to tag the post anyway. The location is then displayed to other users on Path.

This is unacceptable behavior. At best it's a terrible and potentially physically dangerous bug. At worst it's complete disregard for user privacy.

I'm not complaining on theoretical grounds. I am on a temporary remote assignment, the location of which I wish to keep private due to business considerations. Before I left, I disabled location services for Path.

Today I posted a picture that I'd taken yesterday (after cropping out location-identifying features). Underneath, Path posted the name of the city that I'm in, publishing my location to all of my contacts.

Again: This is unacceptable behavior.


> Today I posted a picture that I'd taken yesterday (after cropping out location-identifying features).

Well, this is clearly part of the real problem. Anyone who saw the photo could have seen where it was taken from the EXIF data because you didn't clear it. Most users don't know that the data is there and don't know that they need to clear it; it's a weird thing privacy-wise, and a lot of people get put in weird situations because of it. (McAfee comes to mind.)

You're still telling the Internet where you were even if Path doesn't go ahead and tag it and make it visible to you. If anything, what they've done is actually saved you some embarrassment and made you realize that the data was there so you could take action about it (like taking down the photos and posting ones with cleared EXIF data) if you want.

But 90% of the time for 90% of users, this EXIF data is pretty useful. It's kind of a pickle and really to solve it properly what you're asking iOS to do is give files with completely different metadata out based on the user's privacy preferences, which aren't always spelled out entirely clearly, especially the way iOS works with kind of an all or nothing location privacy selection. You can't really tell the OS "Hey, for the next five days, let's not be explicit about where I am." or "Hey, keep my privacy for me when I'm in a certain geofence".

This is stuff they could add, but doing it right isn't trivial.


> This is stuff they could add, but doing it right isn't trivial.

I'll never understand this mindset.

When I tell my smartphone "Don't give this app location data" then that is pretty damn unambiguous. It's not like there are countless ways for an app to obtain such data. It can request it via API, or it can read it from images. At the least, if the images were taken on this phone (which a computer can very well determine), then I would expect the data to be stripped. If the phone stores location data in other file-types then I'd expect those to be stripped in the same way.

The technocrat stance "but we meant only one kind of location data" doesn't fly when the user intent is about as clear as it can get. It's exactly the kind of "smart" that I expect from a "smart" phone.


> "Don't give this app location data"

Sure, that case is somewhat simpler, but that's rarely what most people actually want. What most people actually want is to sometimes hide their location from most things when it's sensitive and leave the phone and most apps free to know when it's not.

I think they need to actually support the types of location privacy preferences users are going to want if they want to do location privacy correctly.


What you describe is an advanced feature (geo-fencing).

What I describe is a simple bug; a defective on/off-switch.

When I ask you to not give anyone my address, yet you give everyone access to a drawer full of documents that you annotated with my address, then you can hardly claim to have taken my request seriously.


Do you want the system to edit out an address in a photo if someone takes a picture of a building that has an address on it? Do you want the system to remove EXIF data from images that didn't come from the camera? Do you want the system to remove location information from other files? Do you want the system to remove access to the IP and wifi information so that apps can't trace using that? Do you want the system to proxy requests from those apps so that other people can't trace your location from web requests submitted by those apps?

The on/off switch was originally designed for whether or not you wanted to give the app access to GPS information. Some people say no simply to save power. EXIF data and other types of data which can be used to identify your location are different.

If you want controls over location privacy you should build real controls over location privacy, not pretend that a control that's displayed only once the first time you use an app and only for apps that access GPS-like information is a location privacy control.

It's not.

You can identify a location from a bunch of different types of data. If you want to fix the bug you need an actual fix and that requires a better location privacy control.

(Also if you answered no to all of those questions at the beginning of my post, I'd bet you'd change your tune in an instant if someone at Path simply reprogrammed their stuff to geotag based on a geoip lookup from your submission. Then you and others would probably say that this control is supposed to prevent that type of location data too.)


> Do you want [...]

No. I have stated explicitly what I want and only one of your points (strip location data from files that the phone created) was part of it.

Btw, GeoIP is not equivalent to a GPS tag and is rather useless on mobile IPs. Try looking up your own if you don't believe me.


That's why I disable geotagging in general. I don't trust apps enough not to leak data unless absolutely necessary. On my device only Yelp and Maps have access and that's it.


Twitter strips out location data from photos when posting them when the user has disabled geotagging.

It's not hard to get this right. They just chose not to, either through neglect or malice.


What about apps like Mail or another photo uploading service which never even ask for location information? How are they supposed to know when to strip out EXIF data?

If you want the system to manage that metadata properly you need to give the users better controls than the existing coarse grained per app location preferences. I think they should, but the suggestions most people are making to fix this on HN are very narrow.


You could have scrubbed the location data from your photo before you shared it with Path, but you chose not to, either through neglect or malice.


My issue was not with Path knowing where I am, but with Path publishing where I am to my contacts.

Path, of course, knows where I am due to the geolocation of the IP from which I post.

My intent was communicated to the app through the disabling of location services. Posting my location uncovered through parsing EXIF is the opposite of my configured intent.

When I post pictures to Twitter, Twitter receives the EXIF-tagged photos, too. They, however, don't serve them with the geotags, as I have disabled geotagging for my account. I haven't tested if they just strip all photo EXIF, or only for accounts that disabled geotagged tweets.


Exactly. When a user denies location data they don't mean "don't use location data from this source" they mean "don't track my location". It's not unlike them having a flag in their options menu called "Don't track my location" which, when enabled, does nothing.


That's not really clear cut. Many times location services are disabled because of the battery impact.

On iOS in particular it's possible to receive location updates only when changing cell towers, wifi, etc.; basically it doesn't use any extra battery.

A few days ago I turned this behaviour off on an app and replaced it with a behaviour where instead it polls for location for a few seconds on start and then shuts off all location services, because users disable location services because they believe it is negatively impacting their battery life.

The complaints weren't "you're tracking my location"; the complaints were "you're killing my battery life."


This user obviously had location services enabled in the camera app that took the photo that he gave to Path. If location services were actually off, there would be no leak.


Right, for the camera, not for Path.

The point is^ that users don't (and couldn't be expected to) understand that location service permissions aren't transitive. They have gone to the options menu and said "No Path, you may not use my location". The result is that Path has still used their location. The steps from A to B and the technical steps taken are, from a user's perspective, irrelevant.

^I'm not an iOS user, so maybe the UI makes this all blindingly obvious, in which case I apologise and you can ignore my entire response.


> At best it's a terrible bug.

That's what I was thinking.

I recall testing Google+ to see if it would pull location data out of a picture I'd taken previously at the time of posting, even though I'd set the app not to provide location with the post - for fear of exactly this.

In the G+ case, it won't go and tag the photo, but it doesn't strip the location data out either.


O crap G+ must be stealing your data too!!! Everybody panic and take my comments as fact!


The app also knows that you have given the Camera app location data, and then explicitly given Path access to your photos which were taken with the Camera app. Removing Location Services permission from Path simply means that the Path app cannot directly access your phone's location sensors—nothing more, nothing less. It doesn't mean that Path has to go to every imaginable length to ensure that you don't manage to share your location through other means, like photos or status updates.


> It doesn't mean that Path has to go to every imaginable length to ensure that you don't manage to share your location through other means, like photos or status updates.

Not sure what you mean here. If my app loaded a user's picture, and they said they don't want location data to be used in my app, a simple if check will decide whether or not EXIF data should be read. This is hardly "every imaginable length".

Of course, this may just be a bug, so I don't think we can jump to any conclusions about Path's intentions.


What if someone posts a status update saying "I'm in San Francisco."? What if they post a picture of themselves with the Golden Gate Bridge in the background? Is it reasonable for them to assume that Path will filter these things out, simply because they turned off Location Services?

I think it's ludicrous. iOS is quite clear in its explanation of Location Services, and their explanation is not at all "technical" or intimidating to non-technical users. Also, the permission to access your photos is completely separate from the Location Services permission. Maybe you, the author, would have a point if iOS automatically gave apps access to your camera roll, but that's not the case.

I don't doubt that some users will be surprised by the photo's geotag, but I suspect it would be an extremely low number of users (the fact that this is just now being blogged about seems to corroborate this, unless Path have just recently added this behavior).


I think you're conflating two very different scenarios. Someone saying "I'm in San Francisco" or posting a picture of them at the Golden Gate Bridge is clearly aware that their location can be determined. EXIF data hidden within a JPEG file is not so clear cut and most users are unlikely to be aware of it.

As you said, Location Services and Photo access are different permissions. Users are therefore likely to assume that location data is not being retrieved if they deny permission to it. If I deny location data to an app, it's because I don't want that app to have my location data. It seems somewhat underhanded, to me at least, to assume that the user wouldn't mind me accessing location data from their photos, knowing full well that the majority of users will not know what EXIF data is. I'd go so far as to say that I would explicitly ask the user if EXIF data should be read alongside the standard location services.


But really, you're the one speculating that a user's intent is different than what their explicit actions on the phone indicate. You're guessing that a user is not aware that photos are geotagged, despite the fact that the Location Services permission is optional on the Camera app as well.


Judging by the post we're commenting on, it's not exactly a shot in the dark guess. Technically, Path has done nothing wrong. They've been given permission to the photos and that's what they're accessing with all the information it brings.

But, to me, if I was told that my app can't access location information, I would assume that it's because the user doesn't want my app to access location information and have my app run with that mindset.

You want your iPhone's camera to access location for one app, but not for another. What would you do? What you're saying is that the user has no choice and it's all or nothing. Give location data to all apps requiring photos or disable it completely.


I think the point is, if you pick "don't read my location data" and then every day post a message "Today I'm at the SF Library", "Today I'm at the NYC Stock Exchange". "Today I'm at DC checking out the White House"

Is Path supposed to censor those images?

You chose to tag your photo. You chose to share the photo. How is that different than posting a text that says where your location is?


> I think the point is, if you pick "don't read my location data" and then every day post a message "Today I'm at the SF Library", "Today I'm at the NYC Stock Exchange". "Today I'm at DC checking out the White House"

That's not the point at all. Your example is of someone explicitly announcing their location. The issue at hand, which may or may not be a bug, is that the metadata is being used to publish the user's location even after they've said that they don't want the app accessing the Location Services.

Technically, there's nothing wrong in that because the app isn't accessing the Location Services. However, I'm pretty sure most users would assume the app won't use any location data by turning that setting off. If you denied an app location data, would you be happy that they still managed to get location data via a means that's not necessarily obvious?


Yup, additionally, you don't have to geotag your photos. The issue, however, is basically that most people are not aware that because they provided location permissions to the Camera app, photos used by other applications are able to access that tagged location data.


Yeah, that's the issue on the iOS end.

The issue on the Path end is that they are circumventing the user's clear intent to not provide locational data to their application. Whether or not that is malicious or just ignorant is unknown.

Either way, they are publishing user data that users have taken steps to explicitly avoid publishing.


Pointing out yet again that you say malicious intent is "unknown," but you claim intentional theft in your article anyway. Libelous.


Let's put it in human terms. You have an abusive ex who tries to stalk you and has threatened your kids. You turn off the ability of the app to see your location. Your location gets geotagged anyway. Your doorbell rings.


So you should take location access away from the Camera app. The exif data is going to be in the photo even if Path only posts it and doesn't use it in any way.


Share data with strangers, strangers share data. Don't use an app whose entire purpose is to expose your life publicly.


I agree -- I think this is more Apple's problem than anything.

If I disable location data for an app, Apple shouldn't allow any form of my location to be passed to that app.


I think the solution should lie with Apple as well since it's higher up the stream. Otherwise you'd need to have every app do this check - seems more efficient for Apple to just handle it.


I agree that Apple should do this. Malicious developers will exploit what they can. But this is just silly:

> Otherwise you'd need to have every app do this check

Do what check? When you ask for location data, all you have to do is say "you won't give me that? Okay." This app seems to have asked for location data, but instead said "you won't give me that? I'll go out of my way to get it anyway." There is no need for an explicit check. It is less work to do the right thing.


I meant that every app would have to do this location data stripping. It's unlikely that apps would bother to do this - more out of an oversight than maliciousness. Having Apple do this would avoid the problem of apps forgetting to implement these types of checks.


Path managed to screw up so badly last time that they forced a change in the OS. A year later and they're caught again uploading some of the user's data that they weren't explicitly granted access to. At least they can't scan the pictures without you choosing one in the photo picker.

At this point, I think Apple needs to pull the app and revoke their developers license.

I seriously doubt they'll do that. It's more likely some new law will be passed because of this than Apple will take such a big step.

And I don't think a new law is likely at all.


At this point, Apple should change their camera app to make it clear when it's geo-tagging.


I _want_ geotagged photos. I take tons of photos and use the timestamp+geotag to archive lots of other datestamped data according to my travels, not just photos.

I just don't want every sketch-ass third-party app that I want to post some scenery into to know exactly where I am.

Too much to ask?


Thousands of apps were using the same method for their Find Friends features, and I don't recall any instance where any of those devs were deliberately malicious in their efforts to build better features, or with users' data after the fact. Path was just one of the most popular targets for it at the time.


Totally agree with you here. In fact, would any iOS developer like to speculate as to whether an application can even determine if it's authorized to get your location? Or does it just attempt, and then get a failure?


Apple provides an API for determining permissions.


Not even if I type it in? ;)


Call us back when you figure out how to do that impossible task. Or just turn off location services for the camera app.


Impossible? I don't think so. Since Path (and every other iOS app) uses a system API for things like photos it's trivial for the OS to strip the exif location data from photos if the user has turned off location data for an application, then provide that geo-less photo to the application.

Clearly Apple, like Path, never saw this issue (until now).
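As an added example, not code from any commenter, from Path or from Apple: the check the comments above call for (does this photo carry a GPS sub-IFD in its EXIF block?) and the scrub that would follow a denied location permission, in Python over a constructed JPEG. Tag and field-type numbers are the EXIF/TIFF ones; blanking the sub-IFD in place, so every other tag and all TIFF offsets survive, is my own choice of approach.

```python
"""Detect GPS EXIF tags in a JPEG and blank them in place before the photo is shared."""
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF field type
TAG_GPS_IFD = 0x8825                                        # GPSInfoIFDPointer tag in IFD0


def build_sample_jpeg():
    """Construct a minimal JPEG (not a real photo) whose EXIF block carries a latitude."""
    gps_ifd_off = 38   # IFD0 = 2 + 2*12 + 4 bytes, starting at TIFF offset 8
    lat_data_off = 80  # GPS IFD = 2 + 3*12 + 4 bytes, starting at offset 38
    tiff = b"II" + struct.pack("<HI", 42, 8)                      # little-endian TIFF header
    tiff += struct.pack("<H", 2)                                  # IFD0: two entries
    tiff += struct.pack("<HHI4s", 0x0110, 2, 4, b"Cam\x00")       # Model (inline ASCII)
    tiff += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_ifd_off)  # pointer to GPS sub-IFD
    tiff += struct.pack("<I", 0)                                  # no next IFD
    tiff += struct.pack("<H", 3)                                  # GPS IFD: three entries
    tiff += struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")  # GPSLatitudeRef
    tiff += struct.pack("<HHII", 0x0002, 5, 3, lat_data_off)       # GPSLatitude, 3 RATIONALs
    tiff += struct.pack("<HHI4s", 0x0003, 2, 2, b"W\x00\x00\x00")  # GPSLongitudeRef
    tiff += struct.pack("<I", 0)
    tiff += struct.pack("<6I", 37, 1, 46, 1, 30, 1)               # 37 deg 46' 30" (made up)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def find_exif_segment(jpeg):
    """Return the offset of the TIFF header inside the APP1 Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):          # start of scan / end of image: no more headers
            return None
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return pos + 10
        pos += 2 + seg_len
    return None


def read_ifd(buf, base, ifd_off, endian):
    """Return (entry_pos, tag, type, count, raw_value) for each entry of one IFD."""
    start = base + ifd_off
    n = struct.unpack(endian + "H", buf[start:start + 2])[0]
    entries = []
    for i in range(n):
        epos = start + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", buf[epos:epos + 8])
        entries.append((epos, tag, typ, count, buf[epos + 8:epos + 12]))
    return entries


def locate_gps_ifd(jpeg):
    """Return (tiff_base, gps_ifd_offset, endian), or None if IFD0 has no GPS pointer."""
    base = find_exif_segment(jpeg)
    if base is None:
        return None
    endian = "<" if jpeg[base:base + 2] == b"II" else ">"
    ifd0_off = struct.unpack(endian + "I", jpeg[base + 4:base + 8])[0]
    for _, tag, _, _, val in read_ifd(jpeg, base, ifd0_off, endian):
        if tag == TAG_GPS_IFD:
            return base, struct.unpack(endian + "I", val)[0], endian
    return None


def has_gps(jpeg):
    """True when the photo still carries at least one GPS tag."""
    found = locate_gps_ifd(jpeg)
    return found is not None and len(read_ifd(jpeg, *found)) > 0


def scrub_gps(jpeg):
    """Zero the GPS sub-IFD entries and their out-of-line values; other tags and
    all TIFF offsets are left untouched. Returns a new bytes object."""
    found = locate_gps_ifd(jpeg)
    if found is None:
        return jpeg
    base, gps_off, endian = found
    out = bytearray(jpeg)
    for epos, _, typ, count, val in read_ifd(jpeg, base, gps_off, endian):
        size = TYPE_SIZE.get(typ, 1) * count
        if size > 4:                                  # value stored outside the entry
            off = struct.unpack(endian + "I", val)[0]
            out[base + off:base + off + size] = bytes(size)
        out[epos:epos + 12] = bytes(12)               # wipe the entry itself
    out[base + gps_off:base + gps_off + 2] = struct.pack(endian + "H", 0)  # zero entries
    return bytes(out)


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("gps present:", has_gps(photo))             # True
    print("after scrub:", has_gps(scrub_gps(photo)))  # False
```

Dropping the whole APP1 segment is the blunter alternative (it also loses orientation and camera tags), which is why the scrub above only blanks the GPS sub-IFD.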


What a silly thing to feign being outraged about. If you don't want Path to have access to your photos, then do not explicitly give it access to your photos. If you give the Camera app access to Location Services, then EXIF data is as much a part of your photos as aspect ratio, resolution, and the content of your photo. This is no different than if you gave Twitter access to Location Services, then gave Path access to your Twitter account, and then were supposedly outraged at Path being able to read the location of your tweets.


Since most of the users of things like iPhones, Path, Twitter, etc. are non-technical users, most will not be aware of things like EXIF data.

They are relying on reputable companies to be good stewards of their data, and infer their intent from their actions. I would expect Twitter, Facebook, Apple, and even Path to know that unless the user has enabled geotagging, they don't want their location leaked via EXIF.

That some of these companies do not do that is not surprising, but it is disappointing.


> They are relying on reputable companies to be good stewards of their data, and infer their intent from their actions.

Perhaps, but without a proper study of their users (and potential future users), how can they infer their intent, and why should they assume that all or even most users will have the same intent? It's certainly conceivable that a user might deny Path access to Location Services (for example, to prevent the automatic location updates due to annoyance rather than personal privacy concerns, or even to save battery life), while still having no problem with including location information from explicitly posted photos.

Honestly, I think any attempts at preempting all supposed outrage like this are futile. You're always going to have someone who will complain about something in your app that works differently than they expected or intended. If Path did ignore geotagged photos, they might have someone just as outraged as this author, but for the opposite reason.

The argument that Apple should be more clear is more valid, since for them there is little downside to being as explicit as possible. This is the same position I took in the Great Address Book Debate. I don't think app developers have a responsibility to second guess the options provided by their platform (especially when their platform is as huge as iOS). In fact, I don't even think it's wise in general.


This might be true about most other features of most apps, however your location is actually fairly sensitive information for LOTS of people, and I think you're underestimating that.

The outrage of a user who disabled location services, but wanted their location uploaded is NOTHING compared to the implications of sharing someone's location without permission. We are talking about life-and-death, in some rare cases (e.g. http://www.petapixel.com/2012/12/03/exif-data-may-have-revea...).


> Perhaps, but without a proper study of their users (and potential future users), how can they infer their intent,

In this case, they don't need to infer my intent. My intent is clear: I have not gone into the app settings and configured it differently. I disabled location services at the OS level for the entire application.

My intent could not be more clear.


Maybe you are afraid Path is using location services in the background or have some other reason to fear that Path is improperly requesting your current location. This does NOT imply that you don't want Path to have EXIF location data from photos you provide it.

A much better option would simply be to provide a simple interface to allow users to exclude this information each time they post a photo and/or in the application settings.


The only clear intent that can be gathered from turning off Location Services is that you do not want Path to access your phone's location sensors. This is pretty explicit in iOS Settings. It is not at all clear that you do not intend for Path to use other sources of location information that you explicitly choose to share, like photos or status updates.


> It is not at all clear that you do not intend for Path to use other sources of location information that you explicitly choose to share, like photos or status updates.

You're right, it's not clear. So, it should explicitly ask when you do so.

(I don't use Path so I don't know if it in fact asks this or at least makes clear that it will be sharing your photo locations before doing so. The article implies it does not.)


It's not feigning - I did not wish to provide Path (or my Path contacts) with my current location. Yet, Path published my location without my consent (after I had turned off location services for the application).

There is nothing that suggests that granting applications access to the content of your photos also grants them access to your current location.


You are not granting them access to your current location...you are granting them access to the photo's location.

Facebook and Twitter also make available the location of your photos. Is there a particular reason you are singling out Path? I hope it's not a stretch to assume this is a page view grabbing technique.


I don't use Facebook because of their privacy track record, and I have all geolocation disabled for Twitter.

Twitter respects the geolocation setting, and strips the exif location data from photos when serving them. Whether or not they do this before upload is unknown, but pictures posted to Twitter from the iOS app do not include location data when geotagging of tweets is disabled.

The reason I'm not picking on them is because neither of them (Twitter due to Doing The Right Thing, Facebook due to lack of opportunity) have published my private data in express violation of my wishes. Path did so today.


The fact that you have Location Services enabled for the Camera app suggests that granting applications access to your photos grants them access to the location information in those photos. Note that it's not necessarily your current location, or at least I'm assuming it is only using the geotags of the specific photo you're posting.


Actually, I am wrong. As was pointed out to me in a blog comment, three screens in on Settings.app, in Settings->Privacy->Photos, there is a warning in grey text that says that photos contain location information of where they were taken.

Regardless, despite missing this warning, I'm a technical user and know about EXIF data. The real issue is Path ignoring my explicit demand that it not track my location.


> This is no different than if you gave Twitter access to Location Services, then gave Path access to your Twitter account, and then were supposedly outraged at Path being able to read the location of your tweets.

That's a pretty bad analogy.


To expand, a tweet will show the location right next to the text if that's data it contains. It's pretty clear that the information is there. On the other hand, I guarantee the average iPhone owner doesn't know that a picture contains your location.


Am I the only one that doesn't think this is wrong? Metadata seems like fair game to me and I hardly think that Path is deliberately trying to steal data. They are probably just trying to make their user experience better.

(That's not to say we shouldn't have a discussion about data ownership and privacy. Just that we should wait to be outraged at things that actually deserve our outrage.)


I agree about the outrage part. There may not be malicious intent from Path, but I do think that there's a better way of allowing users to control their data. A simple extra option of "include location data from photos" would mitigate this entire scenario.


> There may not be malicious intent from Path

Malicious implies they're trying to do harm, which I don't think is the case. But geotagging posts when the user clearly didn't authorize you to access that information is dubious and underhanded at a minimum.

After last year's incident, they've lost all benefit of doubt.


I agree based on a dictionary definition of malicious, but I think people are using it here to mean "things that they know users explicitly don't want and are doing anyway". Having privacy settings and then completely ignoring them might not be malicious - you don't intend to harm your customers, only to increase your profits in some way - but I think that common usage of the word "malicious" would include that case.


I think you'll see an update shortly that will fix this issue; which is clearly just an overlooked bug. I think you'll also see iOS patching the issue soon too.


That was a quick response from them and they've submitted an update that fixes the issue (which was unknown to them). https://eeqj.com/20130201/path-privacy/#comment-786209180


If this was a normal app, I'd be much more likely to agree with you.

Coming from the people who caused Apple to issue an OS update to prevent them from stealing contacts... it deserves outrage. But 90% of that should be pointed at Path.

I don't agree with the article's stance that Path found a way to be jerks again, so clearly Apple screwed up. Phonebook access should have been restricted, but for this one the user has to select the photo, Path can't just read every photo and steal that information, so it's not nearly as serious as last year.


Again, they didn't "cause" Apple to issue an update alone. The same method for building Find Friends features was used by thousands of social apps, and Path was just a hot target for the media at the time. It was certainly a privacy concern, but obviously not malicious intent.


So I think the problem they have with this is that it makes Path look duplicitous.

On the one hand, you've indicated to Path that you're not interested in them making your location public. Maybe from an API standpoint maybe that just means location data off your phone, but from the user's standpoint, in a "use case" sense, it means your location, in any form.

And then Path adheres to that, because they have to in an API sense, but then goes right ahead and works out your location differently and uses that.

It reminds me of airlines that advertise unreasonably cheap tickets and then have a bunch of extra fees and forced insurance which brings the total you have to pay right back up with everyone else. They aren't lying; in a vacuum their tickets are cheaper, but in the real world they aren't.

Path aren't lying either: they are not using your phone's location data off your phone, just like you asked. In the real world though, they're still doing it.


I don't see any stealing taking place here. Path doesn't access your location data as you instructed it. It accesses your photos' exif data which is a completely different thing.

Even if Path didn't process and show these data in HTML, since you uploaded an image file which contains them, they would be available to anyone with access to this -now public- image through other means, like a simple browser plugin.

Let's go over this again: you set Path to not access your phone's location API; you didn't set Path to strip the EXIF data from your photos. If this feature is missing, you can ask for it.

Since you are a security researcher I would expect you to understand the real issue and warn your readers. Instead you act as if you discovered a security flaw. What security issue will you discover next? That credit cards have interest?


I'm a little bit in line with the other folks - if you grant access to a photo, the entirety of that Photo (exif data et al) should be available to the app.

I have another question (and I really don't mean it as snarky as it'll sound) - if you are trying to keep yourself hidden, why are you posting to a social network (Path) and an aggregation site (HN)?


Should my desire for my personal location to remain private (for whatever reason: safety, professional courtesy, contractual obligations under NDA, etc.) mean that I should not want to maintain any other type of digitally-mediated social communication with my colleagues, friends, and family?

That doesn't really make sense now, does it?


> I'm a little bit in line with the other folks - if you grant access to a photo, the entirety of that Photo (exif data et al) should be available to the app.

Seems to me there are two different questions here.

1) Access. 2) Sharing.

I expect most people would be fine with an app accessing location data in order to present sharing options (Tag?) or respect previously expressed intent (Always tag! / Never tag!).

The problem comes from the app automatically sharing what it has accessed without prompt, seemingly against the expressed intent of the user.

I think the question here is pretty important, even if this particular case seems trivial.


It's not clear in the post: Is Path taking location information from photos and geotagging posts that do not include these pictures? Or are they just publishing the picture that you geotagged yourself and asked Path to publish?

The former is outrageously slimy and the latter is clearly absolutely reasonable.


As far as I can tell from testing the app, it only posts the location of a photo when you explicitly post it to your Path. With Location Services turned off, I posted a photo that lacked a geotag and it contained no location information. I then posted a photo that had a geotag, and it posted the city the photo was taken in. Also, curiously, if you post a geotagged photo without any description text, it seems to omit the location data.


This post annoyed me. I have a solution: don't use Path. Also, don't share your photos. Problem solved.


As little as this adds to the discussion, I think the title of the article is a huge exaggeration - uploading a geotagged image to a photo-sharing site that then displays the geotag in a user-friendly format is hardly "stealing your data".


Clearly this guy doesn't know the legal grounds for libel. You can't throw unfounded accusations of malicious intent around. He deserves to be sued for publishing this BS.


iOS 5 used to require that you prompt the user for location data in order to have access to the camera roll photos in a non-standard user interface.

iOS 6 introduced the 'Access to Photos' privacy settings/prompting that separated photos from location.

This 'location' embedded in photos is different than user location, and I guess should really be considered a third case. I think 'photo metadata' might be an acceptable third option with an explanation of all that contains. Some photographers don't want their non-location EXIF data known too.


I happen to like this feature. If I don't get a chance to post a photo at the time I take it Path will know where it was taken if I post it later.


This is a completely irresponsible headline. If loose claims of "theft" like this were directed at my company, I'd sue for libel.


I have a very hard time believing Path is doing anything underhanded or malicious here. Link bait?


His whole Twitter feed is link bait. And he's deleting all disagreements in the comments on his blog. We have fed the troll.


Once the data leaves your device, it is all business. There is nothing much you can do about it.



