Path app revised in light of new 'location tracking' issue
MacNN Staff
Feb 1, 2013, 09:05 PM
 
On the same day as the social and photo-sharing app Path agreed to an $800,000 settlement with the Federal Trade Commission over its surreptitious uploading of users' contacts without their knowledge last year, a security researcher discovered a "backdoor" way of obtaining the same data by reading the EXIF location embedded in digital photos even if "location sharing" is explicitly turned off. Path says it was previously unaware of the issue and has already updated its iOS app to close the loophole.

By all accounts, Path was not using the EXIF data and was unaware that the workaround existed until it was pointed out. After facing a widespread public backlash when it was originally discovered to be helping itself to contact data from users' address books without user permission, Path rebuilt its base with an aggressive action plan to disavow and destroy all location data it had previously collected, along with an apology to users.

It explained that it had previously copied user contact data to allow the service to automatically connect people who already know each other together on the social network as a user's friends joined the service, similar to the way Facebook performs the same service (though Facebook uses a less-invasive method, and requires user interaction to make any changes). The data-mining was and remains off-limits according to Apple developer guidelines, and CEO Tim Cook allegedly "grilled" Path co-founder and CEO Dave Morin in a face-to-face meeting when the contact-scraping was discovered and made public. Apple subsequently strengthened enforcement of the ban by forcing applications to explicitly ask for permission to access contacts or photos or other personal info, even if access to that information is an obvious part of the purpose of the app (for example, the "Find My iPhone" app still asks for permission to access a user's location data).

Having been burned by the overzealous privacy breach once, Path was quick to react when informed about the bug this time. It became obvious in the investigation that Path's original code had used EXIF data as a "fallback" when location data was not found, and that this backdoor had simply never been closed when the company began obeying Location Services settings. Path Product Manager Dylan Casey reported back to researcher Jeffrey Paul and told him the company had changed the code to ignore EXIF tag location, and submitted a new version of the app with the change. Apple approved the new version in record time, and the update is already available on the App Store.

The company later clarified that if a photo was taken using the Path app, the photo has no location data at all if Location Services is turned off or location data permission has been denied. It was only photos taken with the Apple camera app or brought in from other sources that may have EXIF location data preserved. As part of its agreement with the FTC, Path has already said that it will not collect such info for users who are known to be under the age of 13, even if Location Services and location data permission have been granted.
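
The EXIF fallback described above can be checked for in any upload path. The following is an added example, not Path's code and not part of the original post: it detects an EXIF GPS pointer in a JPEG and shows the fallback next to the gated behaviour. The function names, the `honor_setting` switch and the sample bytes are all constructed for illustration.

```python
import struct
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the EXIF GPS sub-IFD

def build_jpeg(with_gps):
    """Constructed sample: SOI + Exif APP1 + EOI (metadata only, not a viewable image)."""
    entries = [(0x010F, 2, 4, b"Cam\x00")]                       # Make
    if with_gps:
        entries.append((GPS_IFD_TAG, 4, 1, struct.pack("<I", 0x40)))
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHI", tag, typ, count) + value
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd + b"\x00" * 4
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def ifd0_has_tag(tiff, wanted):
    """Scan the first TIFF IFD for a tag, bounds-checking every read."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    e = "<" if tiff[:2] == b"II" else ">"
    (off,) = struct.unpack(e + "I", tiff[4:8])
    if off + 2 > len(tiff):
        return False
    (count,) = struct.unpack(e + "H", tiff[off:off + 2])
    for start in range(off + 2, off + 2 + 12 * count, 12):
        if start + 12 <= len(tiff) and struct.unpack(e + "H", tiff[start:start + 2])[0] == wanted:
            return True
    return False

def has_exif_gps(jpeg):
    """True if a JPEG's Exif APP1 segment declares a GPS IFD."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, (seg_len,) = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker in (0xD9, 0xDA):          # EOI / start of scan: metadata is over
            break
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return ifd0_has_tag(body[6:], GPS_IFD_TAG)
        pos += 2 + seg_len
    return False

def location_source(jpeg, device_fix, location_enabled, honor_setting=True):
    """Where a post's location comes from; honor_setting=False models the old fallback."""
    if honor_setting and not location_enabled:
        return None                          # fixed: the setting gates every source
    if location_enabled and device_fix is not None:
        return "device"
    return "exif" if has_exif_gps(jpeg) else None
```

With location sharing off, `location_source(build_jpeg(True), None, False, honor_setting=False)` still yields `"exif"`, while the default gated call returns `None`.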