Path, a mobile-only social network that bills itself as a more private alternative to Facebook, is facing new allegations that it breaches user privacy on the same day that it paid a fine for privacy-related violations discovered in February 2012.
The allegations come from Jeffrey Paul, a self-professed hacker and security researcher.
“Path’s iOS app … will use the embedded EXIF tag location information from photos in the iOS Camera Roll to geotag your posts, even when you’ve explicitly disabled Location Services for the Path application,” Paul wrote on his personal blog today.
The app knows the difference between the metadata and location information accesses directly through iOS’s location services, Paul said.
Path said the issue was a bug and that the company has already fixed it.
“We were unaware of this issue and have implemented a code change to ignore the EXIF tag location,” responded Path product manager Dylan Casey. An updated app is available in the App Store.
But Paul put some of the blame on Apple, as well. The iOS should block location data from photos from apps for which the user has opted to disable location services, he said.
Apple didn’t immediately respond to a request for comment. The company strengthened the privacy protections in its iOS after it was revealed last year that Path accessed contacts without users’ permission.
Path will also address the issues with Apple, according to Casey.
“One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data. This only affected photos taken with the Apple Camera and imported into Path,” Casey said.