[MBCook]

> There may not be malicious intent from Path

Malicious implies they're trying to do harm, which I don't think is the case. But geotagging posts when the user clearly didn't authorize you to access that information is dubious and underhanded at a minimum.

After last year's incident, they've lost all benefit of doubt.

[thedufer]

I agree based on a dictionary definition of malicious, but I think people are using it here to mean "things that they know users explicitly don't want and are doing anyway". Having privacy settings and then completely ignoring them might not be malicious - you don't intend to harm your customers, only to increase your profits in some way - but I think that common usage of the word "malicious" would include that case.