Congress Weighs in on iOS Apps Collecting Address Book and Other Personal Data

[gnasher729]

There is nothing wrong with what they did. Their business is to run a social network. A part of which is to connect users.

So why does that make it necessary to upload my complete address book? Take a salesman who puts all his customers into his address book. Competitors would kill for that information. Do you have friends or relatives with an ex-directory phone number that they gave only to a few people, including you? If that's in my phone book, it's none of their ********** business.

A don't give a **** what their business is. My address book is none of their business.

 

[samcraig]

After a week of silence, Apple has finally responded to reports that iOS apps like Path and Twitter access user contact data without permission.
“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple spokesman Tom Neumayr told AllThingsD. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

Do you get it? It'll become even better (i.e. implying that you already have it so good )

Translation: "OOops. Now you know. We don't really audit the Apps sent in very well. We'll now scan a few hundred and if they violate them - we'll throw them out and let you know so it looks like we've handled it completely. We'll also add another step so when we do neglect to enforce our TOS - you can opt out. We hope."

 

[lilo777]

I think it is PERFECTLY reasonable to have the same system for personal information that iOS has for accessing location.

"This app is requesting access to your ___________"
Allow or Deny?

that blank can be replaced with:
1. Address Book
2. Photos
3. Music Library
4. Location
5. Personal information (includes Notes, Reminders, email and SMS conversations, calendar events, etc.)

If you deny, it can be:

"this app requires you enter __________ or create an account to work, please manually enter your email address in the field below"


So, it's totally feasible. And you can have toggles for it, just like you do for location.

At least apple has an approval process for apps. On Android, this issue is totally rampant... It's disturbing to see it here, too.


EDIT: Regarding this: “Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple spokesman Tom Neumayr told AllThingsD. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

I'm GLAD. Good job, Apple. I fully expect this in 5.1

In this case, all Apple do is copying Android though.

 

[calderone]

Read section 17.1 of the iOS guidelines:


"Warning" users is the current solution by obtaining permission before obtaining data to some extent. In Path's case, they were in breech of the guidelines by not doing it.

Had path added a popup with what they intended to do with your contacts with an accept/deny button, things would be fine.

Sure it is in violation, but what is Apple doing here? They are granting the entitlement thus providing access to the data. Access permission requests should be implemented just as it is for location information.

It seems silly for Apple to grant you the access at the API level but then ask the developer to ensure the user is granting permission. In the case of Path, their terms could simply say by signing up you are giving us permission to this data.

----------

So why does that make it necessary to upload my complete address book? Take a salesman who puts all his customers into his address book. Competitors would kill for that information. Do you have friends or relatives with an ex-directory phone number that they gave only to a few people, including you? If that's in my phone book, it's none of their ********** business.

A don't give a **** what their business is. My address book is none of their business.

Read the article I linked.

 

[samcraig]

In this case, all Apple do is copying Android though.

Actually - Apple's TOS prohibits any app in the marketplace that REQUIRES you to enter an email address for the App to work.

Which is funny - because there are MANY that violate this - whether it's inherent for the App to need the email address or not.

Again - if Apple puts these things in their TOS and doesn't enforce them - it's meaningless.

 

[lilo777]

Translation: "OOops. Now you know. We don't really audit the Apps sent in very well. We'll now scan a few hundred and if they violate them - we'll throw them out and let you know so it looks like we've handled it completely. We'll also add another step so when we do neglect to enforce our TOS - you can opt out. We hope."

I am not sure they even have the capability to scan for that. Do they require app developers to submit the source code? If they don't, permissions is all they have and this is exactly how Android does it. Apple need to adopt Android's approach as a hole and no do it piece by piece after the next scandal.

 

[0dev]

EDIT: Regarding this: “Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple spokesman Tom Neumayr told AllThingsD. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

I'm GLAD. Good job, Apple. I fully expect this in 5.1

That suggests they're only doing this for contacts. Does that mean apps can get into my notes and photos and whatnot without my permission or that they already need permission to do that?

 

[ChazUK]

Most every app is going to ask for some access to some kind of resource on your phone, so this "warning" route is ridiculously stupid.

Seems like Apple is going to take the "ridiculously stupid" solution to contact access.

https://www.macrumors.com/2012/02/1...ion-for-ios-apps-accessing-address-book-data/

Sounds like the perfect solution to me.

 

[calderone]

Seems like Apple is going to take the "ridiculously stupid" solution to contact access.

https://www.macrumors.com/2012/02/1...ion-for-ios-apps-accessing-address-book-data/

Sounds like the perfect solution to me.

I think the real issue is implementing these systems. When you have a single grant, it is easy.

When you have apps they start asking for Contacts, Location, etc. You run the risk of overloading. A dialogue for each grant is silly. So you maybe get a single dialogue listing all grants.

Are all the options required? Can you opt out of some? How do you tell the user that by not enabling these functions severely limits the usefulness of the app?

All of this without just prompting the default "affirmative" response people have been conditioned to give due to cumbersome difficult to understand notifications.

The point is, it isn't easy to get these systems right which I am sure what Apple is trying to do.

 

[Furrybeagle]

Granted, the majority of people here on MR are able to protect themselves. But there are a whole lot of folks out there who are not as knowledgeable, and some kind of warning, toggle, opt-out, etc. would help protect the less sophisticated.

I know it's a horrible bother to us know-it-alls, but any privacy protections that can be put in place are welcome, as far as I'm concerned.

And how are you going to protect yourself from an app that is peeking at your address book in the background? You can’t possibly analyze every packet coming out of your iPhone.

I realize that most of “us know-it-alls” can tell the difference between a shady app and a reputable app, but all these “reputable” apps were uploading my contact information without my permission: Facebook, Twitter, Instagram, Foursquare, Foodspotting and Yelp (Source: first result I found on Google)

Even if I trust these companies, or they already have my information (I’m sure Facebook does), this blatant disregard for data privacy on my device has to stop.

 

[calderone]

And how are you going to protect yourself from an app that is peeking at your address book in the background? You can’t possibly analyze every packet coming out of your iPhone.

I realize that most of “us know-it-alls” can tell the difference between a shady app and a reputable app, but all these “reputable” apps were uploading my contact information without my permission: Facebook, Twitter, Instagram, Foursquare, Foodspotting and Yelp (Source: first result I found on Google)

Even if I trust these companies, or they already have my information (I’m sure Facebook does), this blatant disregard for data privacy on my device has to stop.

Apple was letting them. The protection should be at the API level, which is what Apple is working on.

In addition, these companies need to make sure they are securing this data. I link again to a good read for those less familiar with data protection.

http://mattgemmell.com/2012/02/11/hashing-for-privacy-in-social-apps/

 

[sk1wbw]

Hey Senate, it's been three years since a budget resolution. How about that instead of an address book on an iPhone, huh?

 

[Shrink]

And how are you going to protect yourself from an app that is peeking at your address book in the background? You can’t possibly analyze every packet coming out of your iPhone.

I realize that most of “us know-it-alls” can tell the difference between a shady app and a reputable app, but all these “reputable” apps were uploading my contact information without my permission: Facebook, Twitter, Instagram, Foursquare, Foodspotting and Yelp (Source: first result I found on Google)

Even if I trust these companies, or they already have my information (I’m sure Facebook does), this blatant disregard for data privacy on my device has to stop.

I'm not clear on how we disagree.

I'm not defending any apps (reputable or shady) that compromise privacy.

I'm supporting the idea that all and any procedures that protect our privacy are welcome.

If I missed something in your post that indicates disagreement...sorry.

 

[0dev]

Loads of details and an extensive list of offenders here.

 

[MXSkier62]

I don't know if my thinking on this subject is because I'm younger (in my early 20s) than most people using technology in the modern era, but I have essentially grown up with the various waves of the internet. And I don't think there is any illusion that all of my data is owned by several companies, and I'm find with it. Those companies that have info on me are social networks, and I think I just assumed that being part of a social network allow the company to know who my connections are. It's their business, and I'm signing into it. This is analogous to google using your past search history to help with advertisements. It was personal data when you searched, but they saved it.

I understand right of privacy arguments, and things such as where I am I think is is higher level of privacy. I dont want someone tracking me. But if I use something like foursquare, I know that I am telling them where I am, and that they are saving it. Same thing with social networks.

Fundamentally, I think that people in my generation are a lot more relaxed about what companies know. If the know who my contacts are, fine. Its not really valuable information for them. Just don't track my movements. That's just too Orwellian. (btw if someone can tell me why it is valuable information for a company who I know, then props to you, because I've been thinking about it for day's, and there are absolutely zero real world applications I can think of that makes my contact list a commodity)

 

[ncaissie]

Thanks congress, forgot I wasn't capable of protecting myself.

Wow, you can stop applications from sending your contacts to a server without your permission? Please tell us how.

 

[Furrybeagle]

I'm not clear on how we disagree.

I'm not defending any apps (reputable or shady) that compromise privacy.

I'm supporting the idea that all and any procedures that protect our privacy are welcome.

If I missed something in your post that indicates disagreement...sorry.

I got the impression that you thought more knowledgable users were somehow unaffected by all this because we could protect ourselves. I’m just not sure how even power users can protect themselves. Sorry for coming across as confrontational, I haven’t eaten all day, and privacy issues get me riled up.

Loads of details and an extensive list of offenders here.

Thanks for this.

 

[i.mac]

The do.notin' congress wants to do something involving apple. Go figure...

 

[Shrink]

I got the impression that you thought more knowledgable users were somehow unaffected by all this because we could protect ourselves. I’m just not sure how even power users can protect themselves. Sorry for coming across as confrontational, I haven’t eaten all day, and privacy issues get me riled up.

First, no problem. I, too, am extremely, perhaps obsessively, concerned about privacy issues.

I did suggest, foolishly, that more sophisticated users might be better able to protect themselves. But you are, indeed, correct that all users are potentially subject to subtle (read: sneaky) forms of invasion of privacy.

Thanks for the reply. And, for goodness sake, have something to eat!

 

[Glideslope]

I bet Waxman and Butterfield have mistresses whose addresses they want to keep private.

Maybe Butterfield? Definitely not a "Mistress" for Harvey.

 

[racer1441]

Wow, you can stop applications from sending your contacts to a server without your permission? Please tell us how.

I'm not dumb enough to put private information on a device connected to the internet, that can be lost, etc.

None of these things are an issue if you apply some common sense.

 

[nokuchikushi]

Read section 17.1 of the iOS guidelines:


"Warning" users is the current solution by obtaining permission before obtaining data to some extent. In Path's case, they were in breech of the guidelines by not doing it.

Had path added a popup with what they intended to do with your contacts with an accept/deny button, things would be fine.

Path's real "crime" was that they uploaded the data to their servers. Had a person clicked "okay" for the app to access their address book (which does not seem that unreasonable to me for a social networking app) they still wouldn't expect it to be uploaded to someone else's server. But they did, and that is the real problem. Unfortunately, the Android fan base can't help but fall all over themselves to prove this is why Android is superior to iOS. Jeez, give it a break. Shove something else down someone else's throat, will ya? I'm tired of you shoving that crap down mine.

 

[0dev]

I reckon there needs to be a Little Snitch for iOS app to better monitor this sort of thing. I've wanted that for ages. Of course I'd have to jailbreak to get it, but I think it'd be worth it.

 

[twilson]

Every application you install on Android gives a full list of permissions before installing it (as does Windows Phone 7).

If you don't want to give a third party access to that info, you simply cancel the installation.

Unless you're using HTC sense and possibly TouchWiz which on occasion (or still?) completely ignore the permissions thing and an app can do anything it wants despite never having asked for that permission. Android's not as perfect as proponents like to make out.

 

[0dev]

Unless you're using HTC sense and possibly TouchWiz which on occasion (or still?) completely ignore the permissions thing and an app can do anything it wants despite never having asked for that permission. Android's not as perfect as proponents like to make out.

Never heard of that before. Source?