Google, Apple, Path Roil Data-Privacy Waters
Google Tracks iPhone Users
Apple iOS Enables Address Book Access
Apple's iOS developer policies have raised major concerns because these guidelines did not require developers to ask permission before leveraging user contact data, which is a common practice in social apps such as Path. After Congress wrote a letter expressing concerns to Apple CEO Tim Cook, Apple backtracked. "Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines," Apple claimed in a Feb. 15 statement. "We're working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."
The Wrong Path
The Apple developer policy imbroglio started with social network service Path. iOS software developer Arun Thampi disclosed Feb. 8 that Path for iOS was uploading the entire address book from the user's iPhone to Path's servers without requesting permission from users. Path CEO Dave Morin apologized and announced the latest version would explicitly require the user to opt in to upload the information. In an age where Apple's iOS developer policies are so stringent and tough, this was an anomaly, right? Wrong. Several iPhone apps did similar data collection unbeknownst to users.
Foursquare and Address Book Data for All
Developer Paul Haddad of Tapbots told The Next Web that many more iOS apps are transmitting personal data without users' knowledge. Before this Path discovery, Foursquare uploaded all the email addresses and phone numbers in iPhone users' address books without express consent. Now it provides an explicit warning and lets users choose not to allow their data to be sent to Foursquare's servers.
In another egregious example, VentureBeat said Foodspotting's iOS app was found to transmit user data over an unencrypted HTTP connection. Foodspotting acknowledged: "While your address book data is being sent to Foodspotting (which only takes seconds), there is a very slight chance that hackers could access your contacts' email addresses if they happen to be on the same WiFi network as you and monitoring your activity. ... It only applies to Foodspotting users' iPhone Contacts when and if you are logged in and use 'Find iPhone Contacts' before our next update." The company also said it does not store any data it collects and is working on a security update for its next iOS app update. "We'll also be requesting an additional permission after you tap 'Find iPhone Contacts,'" the company said.
Facebook uploads users' address books and stores contacts for the "Find Friends" feature. However, it prompts the app user with this message: "Facebook will store imported contacts on your behalf and may use them to generate friend suggestions for you and others."
Twitter also uses a "Find Friends" feature. However, the company can store address book information for as long as 18 months. Wow! Twitter told The New York Times that it will update its iOS app to change how it tells users what it collects. Even so, the company claims "address book information is encrypted when we send it from the mobile phones to our servers. The data is secured within Twitter in the same way that we secure other account information."
Instagram's iPhone photo-sharing app uploads first names, last names, email addresses and phone numbers. However, the company recently introduced a permission screen that explains: "In order to find your friends, we need to send address book information to Instagram's servers using a secure connection."
Yelp said it does not store user data and requests user permission when accessing the address book. However, the prompt only appears the first time a user launches the app. The company told VentureBeat its next update, pending approval by Apple, "provides a persistent permission request each time you seek to utilize the Find Friends feature."
Back to Apple
At the end of the day, some experts blame Apple, not the third-party app developers, for these inconsistent alerts to users. Developer Dustin Curtis wrote in a blog post: "I fully believe this issue is a failure of Apple and a breach of trust by Apple, not by app developers." A huge section of the Settings app is dedicated to giving people fine control over which apps have access to location information. That Apple provides no protections on the Address Book is, at best, perplexing. Again, for a company known for its fairly mercurial App Store policies, it's not surprising.