Path settles with FTC for $800K … and steps into another privacy storm with images

Just as Path was beginning to put last year’s controversy over its access to user address books behind it, the social networking app is in hot water again over location data within images.

The Federal Trade Commission announced today that it has reached a settlement with Path, wherein the company will create a comprehensive privacy policy and receive privacy assessments for the next 20 years. Path will also have to pay an $800,000 fine over collecting information from children without parental consent.

But yesterday another privacy issue reared its head: Security researcher Jeffrey Paul noticed that Path will still use the location data within an image to geotag your posts, even if you’ve disabled the app’s access to your location within your iPhone’s settings.

“I don’t think it’s malice. I think it’s just carelessness,” Paul said in an interview with CNet. “But the net effect is the same to me. They have published information about me personally that I have expressly attempted to prevent them from publishing.”

Path product manager Dylan Casey responded to Paul’s discovery on his blog this afternoon:

Hey, Jeffery, thanks for alerting us to this. We take user privacy very seriously here at Path. Here is what we have discovered and how we are responding:

1. We were unaware of this issue and have implemented a code change to ignore the EXIF tag location.
2. We have submitted a new version with this fix to the App Store for approval.
3. We have alerted Apple about the concerns you’ve outlined here and will be following up with them.

One note to clarify: If a Path user had location turned off and an image was taken with the Path camera, Path does not have the location data. This only affected photos taken with the Apple Camera and imported into Path.

It certainly doesn’t sound like Path was maliciously trying to publish location data, but it’s a shame that a company that’s already been under privacy scrutiny overlooked this issue. It’s likely that plenty of other iOS apps have a similar loophole when it comes to location data, so Apple will have to issue some sort of fix down the line as well.

In a blog post today, published after the FTC decision but before this image location data issue, Path’s explanation over its settlement seemed bittersweet:

We want to share our experience and learnings in the hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA. From a developer’s perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn’t until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent.

Photo: Path founder Dave Morin via Robert Scoble/Flickr