Apple responds to iOS contact data sharing: ‘It’s a violation’

Apple officially responded to the mounting privacy concerns related to how third-party iOS apps access address book data on users’ devices. Tom Neumayr, a spokesperson for the Cupertino, Calif.-headquartered gadget giant, told AllThingsD’s John Paczkowski:

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

So, there you have it. A forthcoming iOS software update will make sure no app can get access to iPhone contacts without your explicit approval. We are inclined to think Apple should not limit user approvals to just location data and contacts. While we are at it: Why not implement toggles for accessing the camera roll, photo library, and even your music library for that matter? This stuff is just waiting to be uploaded by rogue apps. By the time Apple discovers those violations and pulls misbehaving software from the App Store, it will already be too late and the damage will have been done. Any thoughts?

Lawmakers grill Apple’s Cook on iOS developer data access following Path address book privacy debacle

The Path debacle just took another turn for the worse with House Energy & Commerce Committee Ranking Member Henry Waxman and Commerce Manufacturing and Trade Subcommittee Chair G.K. Butterfield issuing a letter to Apple CEO Tim Cook (via The Next Web). In it, the legislators seek to find out whether Apple is doing enough to protect personal data on users’ iPhones, including their contacts. Specifically, the letter asserts there have been claims that the practice of collecting address book data without users’ consent is “common and accepted among iOS app developers.”

As a consequence, the legislators argue, “This raises questions of whether Apple’s iOS app developer policies and practices adequately protect consumer privacy.” They want Apple to respond to questions by Feb. 29. Apple is asked to detail its App Store review practices with respect to protecting users’ information. Whichever way you look at it, it is hard to escape the notion that everything on your iPhone is waiting to be uploaded.

As you know, with the exception of location services, iOS does not prompt users when apps tap APIs to access personal data stored in an iPhone’s address book, camera roll, music library and other places. This also includes little things such as geolocation information embedded in image files taken on the device. This is bothering the legislators and now they want to know why Apple has not implemented a simple toggle that lets users control access to their data other than location.

“You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis. Please explain why you have not done the same for address book information.”

We included the letter in its entirety below the fold.

FYI: Path uploads your iPhone’s entire address book to their servers

Blogger Arun Thampi discovered something about the free social media app Path that may or may not sit right with you while packet sniffing the app last night. Upon first installing the app and registering for an account, Path sends each one of the contacts in your address book to their server via a .plist. The .plist includes full names, phone numbers, and e-mails.

Path makes the call “https://api.path.com/3/contacts/add” when you first create an account, and it uploads all your contacts to its server. This will obviously make most people feel a little uncomfortable. Thampi details the technical aspects of this, and how you can recreate it yourself, in his blog post.

Path’s Cofounder and CEO Dave Morin commented on the situation and said iPhone users will soon be able to opt-out of the setting in an update that will roll out to the App Store shortly. Nevertheless, does that really change anything? He did not really explain why Path is doing this, and your entire address book is still on their servers. You can read Morin’s comment after the break:
