iOS Address Book Privacy to be Protected by Explicit Permission, Apple Says

Tweet

The iOS address book privacy scandal continues with a new update today as Apple has finally issued a brief statement in response to the increased coverage this particular story is getting. The fact that the U.S. Congress is interested in the whole matter and wants to learn exactly how and why it’s possible for developers to covertly access personal user data surely helped convince Apple to react, although you won’t necessarily like the nature of the response.

Apple reached AllThingsD with the following comment on the contacts privacy breach:

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple spokesman Tom Neumayr told AllThingsD. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

In other words, Apple kind of says it’s not its fault for what is happening, or what can happen to personal data such as the address book stored on an iPhone, since it has guidelines in place for developers in order to prevent such issues. Here are the guidelines mentioned by Neumayr:

17.1: Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used

PLA
3.3.9 You and Your Applications may not collect user or device data without prior user consent, and then only to provide a service or function that is directly relevant to the use of the Application, or to serve advertising. You may not use analytics software in Your Application to collect and send device data to a third party.

The question that still remains is why didn’t Apple specifically block access to such data with actual layers of added security – especially as it appears that in addition to contacts, developers could also access the calendar and photo app – instead of providing guidelines that can be ignored and/or circumvented. Some of the apps that access the users’ address book inform them that the app will do some kind of contacts-related trickery to perform a specific action, without specifically describing what’s happening to users – address book gets uploaded to developer’s server – and without asking for their explicit permission.

And since Apple has just said that those developers accessing private data without requesting permission are basically in violation of the available guidelines, it means they will be punished for their wrongdoing, doesn’t it? Is Apple capable of checking all the apps in the App Store to see whether developers have accessed such data in the past? What will happen to popular applications, such as social networking apps that did collect such data? Will Apple exclude them from the App Store? And what will happen to such data that has been already collected by developers without proper permission?

Sure, maybe we’re making too big a case out of this issue, but nonetheless it appears to be a serious oversight from Apple, and something certain developers with potentially malicious intent could have taken advantage of in the past. At least we know now that an upcoming iOS update will stop developers from collecting such data, although we have no idea when that update will be available.