A week after mobile social network Path found itself in the tech industry spotlight for uploading iOS contacts without explicit permission, it’s becoming clear that the problem is more widespread. And while companies that sneak things past their users deserve scorn when caught, it’s also clear that Apple (NSDQ: AAPL) has failed to treat address book data with the same safeguards it employs for other personal data.
Several reports confirm that other mobile app companies that depend on social connections–most prominently Twitter and Foursquare–also deserve scrutiny for their policies around the handling of address book data. Companies want this data to make it easier for their users to find other friends on the service, as users with wider social networks tend to be more active on those services and to share more data with others.
The problem, as demonstrated by Path’s debacle, is that these companies haven’t always done a very good job of telling their users that they are accessing this data. Path now explicitly asks its users for permission to access their address books and has deleted data it obtained before tweaking its app, but it wasn’t alone: according to The Verge, Foursquare also uploaded address book data upon the creation of an account without telling its users (although it didn’t store the data), and it has since apologized and inserted a clear notification. (The Verge identifies several other mobile apps with differing policies on how they handle such information.)
Twitter drops hints that it is accessing address book data, but doesn’t tell users that it is actually uploading that data and that the company reserves the right to store that information on its servers for 18 months, according to The Los Angeles Times. It plans to tweak the language involved in the “Find Friends” feature to make it clear the data is being sent to Twitter and that it is being stored.
In the end, it’s Apple’s fault. Apple has always said that its very strict app review policy is in place to prevent iOS users from being taken advantage of by unscrupulous developers, and in fact it prohibits this kind of activity in the guidelines that govern iOS development. But Apple doesn’t force the application to ask the user to grant permission for access to address book data, something it does each and every time an app wants access to location information, for example.
So these apps should have been rejected for violating Apple’s guidelines, but the company also needs to treat address book data with the same degree of sensitivity that it does other personal data. This probably isn’t too complicated a fix on Apple’s part, but it’s still an oversight.
Two members of Congress sent a letter to Apple CEO Tim Cook Wednesday asking for more information on how this was allowed to happen, so expect an iOS update with a fix sooner rather than later.
And perhaps it’s time to see exactly how Android apps treat this kind of data.
Updated: Apple has responded to inquiries regarding this issue, telling AllThingsD: “Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”