iOS Contacts Privacy Breach Prompts the U.S. Congress to Investigate
Apple has been hit with a new iOS-based scandal after the media learned that developers can access and download the entire address book of the iPhone via their apps without users being told that’s happening.

The issue came to light through a social networking application, Path, which used this practice to let users connect faster with their contacts on the same service. Since the discovery, Path has updated the application to include a new notification that prompts users to approve the actual uploading of contacts to its servers. Path also wiped its servers clean of the address books that had already been uploaded.
It was also found that other similar applications, and virtually any other apps, are not completely upfront about accessing contacts: users are not clearly told that their entire address book will be stored on the developers' servers. The issue raises several questions, the most important being why Apple allows such practices in the first place. Once developers get the contacts, what are they actually doing with the data they collect? And once they start downloading such data, how secure are the transfer and the storage of our data?
Apparently the U.S. Congress is also interested in finding out from Apple more details about the way this whole trick works. House Energy and Commerce Committee Chairman Henry Waxman and Commerce Manufacturing and Trade Subcommittee Chair G.K. Butterfield sent a letter to Apple, asking Tim Cook & Co. to answer a bunch of questions including:
- Please describe all iOS App Guidelines that concern criteria related to the privacy and security of data that will be accessed or transmitted by an app.
- Please describe how you determine whether an app meets those criteria.
- What data do you consider to be “data about a user” that is subject to the requirement that the app obtain the user’s consent before it is transmitted?
- To the extent not addressed in the response to question 2, please describe how you determine whether an app will transmit “data about a user” and whether the consent requirement has been met.
- How many iOS apps in the U.S. iTunes Store transmit “data about a user”?
- Do you consider the contents of the address book to be “data about a user”?
- Do you consider the contents of the address book to be data of the contact? If not, please explain why not. Please explain how you protect the privacy and security interests of that contact in his or her information.
- How many iOS apps in the U.S. iTunes Store transmit information from the address book? How many of those ask for the user’s consent before transmitting their contacts’ information?
- You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis. Please explain why you have not done the same for address book information.
Apple has until February 29 to respond, and it will certainly be interesting to hear more about this iOS contacts issue from the creators of iOS themselves.
