Path, a social media start-up company, has to pay $800,000 in damages for privacy violations, the Federal Trade Commission said on Friday. But this may not be the end of Path’s troubles with privacy. A security researcher has pointed out a loophole that allows Path to share location data even when a user has turned off location sharing.
Jeffrey Paul, a data security consultant, on Friday published a blog post pointing out a security flaw in Path for iPhone users. If a user posts a photo inside Path and writes a caption, the app can still share the city or other general location where the photo was taken â€" even if a user has turned off location sharing for Path in the iPhone’s privacy settings.
A quick test confirmed this loophole. The location information is shared through a photo caption if a user has decided to allow the iPhone camera to tag photos with location information.Mr. Paul said in an interview that if a user has asked that his location data not be shared through Path, Path should remove the photo’s location information before publishing it so the location is not shared. Twitter does this when a user requests that his location not be shared, Mr. Paul said.
Mr. Paul said he discovered this privacy leak unintentionally when he posted a photo on Path.
“It painted a picture to me of the company as being people that aren’t interested in taking the correct steps to safeguard their user information,†he said in an interview.
Path did not immediately respond to multiple requests for comment. When reached, Apple’s public relations department had not yet prepared a comment.
Path came under scrutiny last February when a programmer discovered that its app was surreptitiously copying address book information from users’ iPhones without notifying them. The F.T.C. later filed a complaint that said Path’s app was misleading and did not give consumers a choice regarding the collection of their personal information.
