What started out as an inside-baseball squabble over the data that third-party applications pull from iPhones has turned into a federal case. Literally. Two lawmakers have sent Apple a letter demanding answers after news emerged that several popular applications for the company’s iOS platform pull a user’s entire address book without their permission. As if on cue, Apple released a statement saying that users will soon have to explicitly give their consent for such data collection.
The brouhaha started last week when blogger Arun Thampi wrote a post describing how he discovered that unbeknownst to him, Path, a popular social networking application, was uploading his entire address book to its servers, including names, phone numbers, and email addresses. Path CEO Dave Morin apologized and said the data it collected would be destroyed, but the controversy continued to escalate after New York Times blogger Nick Bilton wrote a column declaring that “privacy and security is not a big deal in Silicon Valley.” (Bilton, in turn, was upbraided by some of Path’s investors for being too harsh on the company. The whole issue quickly degenerated into an ugly name-calling match between various tech bloggers.)
But the acrid back-and-forth served to obscure the larger issue: As smartphones become increasingly sophisticated and powerful, consumers are using them for a rapidly growing variety of tasks. As a result, the privacy issues surrounding mobile computing are becoming ever-more complex. For example, Google had to fix a bug in its Wallet mobile-phone payment system that exposed a security flaw that could have given thieves access to a user’s funds.
In Path’s case, the episode revealed what was apparently common knowledge among Silicon Valley developers: Many iOS applications, including Twitter, pull a user’s complete address book — without their permission. Among the other apps that also collect this data? Facebook, Instagram, Foursquare, Foodspotting, Yelp, and Gowalla, according to an in-depth post at VentureBeat.
In response, Rep. Henry A. Waxman, a California Democrat, and G.K. Butterfield, a North Carolina Democrat, penned a letter to Apple’s CEO asking for an explanation. “This incident raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts,” the lawmakers wrote. (Read the letter here.)
Just a few hours later, Apple offered a statement to AllThingsD addressing the matter: “Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”
The two lawmakers asked Apple to address the following issues:
– Please describe all iOS App Guidelines that concern criteria related to the privacy and security of data that will be accessed or transmitted by an app.
– Please describe how you determine whether an app meets those criteria.
– What data do you consider to be “data about a user” that is subject to the requirement that the app obtain the user’s consent before it is transmitted?
– To the extent not addressed in the response to question 2, please describe how you determine whether an app will transmit “data about a user” and whether the consent requirement has been met.
– How many iOS apps in the U.S. iTunes Store transmit “data about a user”?
– Do you consider the contents of the address book to be “data about a user”?
– Do you consider the contents of the address book to be data of the contact? If not, please explain why not. Please explain how you protect the privacy and security interests of that contact in his or her information.
– How many iOS apps in the U.S. iTunes Store transmit information from the address book? How many of those ask for the user’s consent before transmitting their contacts’ information?
– You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis. Please explain why you have not done the same for address book information.