Apple, Twitter, Path Under Fire in Contactgate: Apple Blames Developers


On acknowledgement that Twitter is in fact downloading and storing mobile users’ contact lists and address books, the Web is, well, a twitter. Nothing in Twitter’s privacy policies prepared the tech universe for this. And it comes on the heels of congressional poking around into Path and Apple’s handling of user data. And Apple blames the iOS developers!

San Francisco: Twitter has acknowledged that its mobile apps download and store users’ contact lists and address books. Nothing in Twitter’s privacy policy prepared users for this, and the admission comes on the heels of a congressional inquiry into Path’s collection of address book data and Apple’s iOS developer policies.

Twitter’s acknowledgement came on the heels of news that two US congressmen are looking into Apple’s policies that allow iOS developers to collect iPhone and iPad users’ contact information. That inquiry followed news that the mobile social network Path had been collecting such data, for which its CEO apologized.

Apple, pundit Dan Lyons points out, has reacted in an unexpected way. Lyons just posted:

In the wake of the Path privacy fiasco, and after receiving a letter from meddlesome Congress dorks, an Apple spokesman tells John Paczhczhzkowski of AllThingsD that any iOS apps that are uploading user address book information are in violation of Apple guidelines and that from now on any app that wants to use your contact info will have to ask for explicit permission. Perfect response! Even better than the one from Path.

Let us all take a breath.

First, here is the full text of the letter Congressmen Henry A. Waxman and G. K. Butterfield sent Apple CEO Tim Cook.

February 15, 2012

Mr. Tim Cook

Chief Executive Officer, Apple Inc.

1 Infinite Loop

Cupertino, CA 95014

Dear Mr. Cook:

Last week, independent iOS app developer Arun Thampi blogged about his discovery that the social networking app “Path” was accessing and collecting the contents of his iPhone address book without ever having asked for his consent.[1] The information taken without his permission – or that of the individual contacts who own that information – included full names, phone numbers, and email addresses.[2] Following media coverage of Mr. Thampi’s discovery, Path’s Co-Founder and CEO Dave Morin quickly apologized, promised to delete from Path’s servers all data it had taken from its users’ address books, and announced the release of a new version of Path that would prompt users to opt in to sharing their address book contacts.[3]

This incident raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts.

The data management section of your iOS developer website states: “iOS has a comprehensive collection of tools and frameworks for storing, accessing, and sharing data. . . . iOS apps even have access to a device’s global data such as contacts in the Address Book, and photos in the Photo Library.”[4] The app store review guidelines section states: “We review every app on the App Store based on a set of technical, content, and design criteria. This review criteria is now available to you in the App Store Review Guidelines.”[5] This same section indicates that the guidelines are available only to registered members of the iOS Developer Program.[6] However, tech blogs following the Path controversy indicate that the iOS App Guidelines require apps to get a user’s permission before “transmit[ting] data about a user”.[7]

In spite of this guidance, claims have been made that “there’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission, to remote servers and then store it for future reference. It’s common practice, and many companies likely have your address book stored in their database.”[8] One blogger claims to have conducted a survey of developers of popular iOS apps and found that 13 of 15 had a “contacts database with millions of records” – with one claiming to have a database containing “Mark Zuckerberg’s cell phone number, Larry Ellison’s home phone number and Bill Gates’ cell phone number.”[9]

The fact that the previous version of Path was able to gain approval for distribution through the Apple iTunes Store despite taking the contents of users’ address books without their permission suggests that there could be some truth to these claims. To more fully understand and assess these claims, we are requesting that you respond to the following questions:

1. Please describe all iOS App Guidelines that concern criteria related to the privacy and security of data that will be accessed or transmitted by an app.
2. Please describe how you determine whether an app meets those criteria.
3. What data do you consider to be “data about a user” that is subject to the requirement that the app obtain the user’s consent before it is transmitted?
4. To the extent not addressed in the response to question 2, please describe how you determine whether an app will transmit “data about a user” and whether the consent requirement has been met.
5. How many iOS apps in the U.S. iTunes Store transmit “data about a user”?
6. Do you consider the contents of the address book to be “data about a user”?
7. Do you consider the contents of the address book to be data of the contact? If not, please explain why not. Please explain how you protect the privacy and security interests of that contact in his or her information.
8. How many iOS apps in the U.S. iTunes Store transmit information from the address book? How many of those ask for the user’s consent before transmitting their contacts’ information?
9. You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis. Please explain why you have not done the same for address book information.

Please provide the information requested no later than February 29, 2012. If you have any questions regarding this request, you can contact Felipe Mendoza with the Energy and Commerce Committee Staff at 202-226-3400.

Sincerely,

Henry A. Waxman

Ranking Member

G.K. Butterfield

Ranking Member

Subcommittee on Commerce, Manufacturing, and Trade

cc: Dave Morin

Path, Co-Founder and CEO

Regarding the latest news on Twitter, Dave Sarno at The Los Angeles Times broke the story. He wrote:

Twitter Inc. has acknowledged that after mobile users tap the “Find friends” feature on its smartphone app, the company downloads users’ entire address book, including names, email addresses and phone numbers, and keeps the data on its servers for 18 months. The company also said it plans to update its apps to clarify that user contacts are being transmitted and stored.
The company’s current privacy policy does not explicitly disclose that Twitter downloads and stores user address books. It does say that Twitter users “may customize your account with information such as a cellphone number for the delivery of SMS messages or your address book so that we can help you find Twitter users you know.”

Charles Arthur at The Guardian adds:

The only clue that the app gives to its aims are that it says it will “scan your contacts for people you already know on Twitter.”

Responding to the LA Times, a Twitter spokeswoman said that a forthcoming version of the app would use clearer language: “In place of ‘scan your contacts’, we will use ‘Upload your contacts’,” she told the paper.

The Android Twitter app does the same thing, the spokeswoman pointed out.