After the whole mess with social networking app, Path, uploading Contact data from iPhone users without asking, the U.S. Congress has started to get involved. Energy and Commerce Committee member Henry Waxman and Commerce, Manufacturing, and Trade Subcommittee member G. K. Butterfield issued an open letter to Apple CEO Tim Cook asking some probing questions regarding the iOS developer agreement. Most of them center around the agreement's reference to transmitting "data about a user". Some of the juicier questions include:
- "Do you consider the contents of the address book to be 'data about a user'?"
- "Do you consider the contents of the address book to be data of the contact? If not, please explain why not. Please explain how you protect the privacy and security interests of that contact in his or her information."
- "How many iOS apps in the U.S. iTunes Store transmit information from the address book? How many of those ask for the user’s consent before transmitting their contacts’ information?"
In response, Apple's Tom Neumayr said in a statement that they intend on requiring explicit permission to access address book data in a future release, much like how location data is handled now.
"Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."
There's no mention of whether or not that will be in iOS 5.1, which Apple has been testing for some time, and may release alongside the iPad 3 in March.
The letter from Congress sought a formal reply by the end of the month, though I doubt we'll get to read that response. Apple has had some hiccups with location privacy in the past, but their corporate line has consistently been to treat private data with the utmost respect. While it's tricky holding Apple accountable for the snakey stuff that developers do in the App Store, it is their job to curate and approve submissions, and if a bad app slip through the cracks and reaches the public, it's the iPhone's reputation on the line.
At first glance, Android seems to have a better privacy system in place, as it ensures that you provide explicit permission for an app to access different types of data, but I definitely worry that the folks at Google don't look as closely at submissions as Apple does.
iMore put up a concept piece on how we'd like to see contacts, and permissions in general, handled in iOS 6. Would a popup make you feel more secure about your iPhone's personal data? Will it legitimately change a user's behaviour, or will they approve it as absent-mindedly as they do location permission now?
Source: Congressional letter, via The Next Web, AllThingsD
Reader comments
Congress asks Apple to clean up their address book privacy policy, Apple promises tighter control in future iOS update
It is not that tricky holding Apple accountable for the stuff developers do in the App Store. Their entire public justification for the App Store model is to protect their customers. The developers are not blameless, of course, but Apple set up a fixed location for private data, and provided a public, supported way to access that data. That is permission. Jobs may have said in the past "You ask. EVERY TIME," but Apple's actions (under Jobs and today) clearly have not lived up to their own words.
I doubt Apple had any malicious intent here, but the most favorable thing you can say here is that Apple is guilty of trusting their developers too much. However, Apple has a mechanism in place for vetting apps, and they either chose not to check for use of Address Book APIs or they checked and ignored it. Either way, they failed.
"if congress thinks that the Address Book is the only thing devs have access to, they'll have hernia when they read the dev documantation"
Most of congress can't spell sdk, much less read its documentation.
But they can readily understand that people like their address books and calendars kept private, unless they say otherwise.
One thing that always bugged me about android is that you couldn't (without rooting AFAIK) deny apps permissions because for example if you denied games full internet access you could block ads.
Not natively, but there's an app called LBE that lets you revoke individual permissions from apps. https://market.android.com/details?id=com.lbe.security.lite
Android at least showed them from the start. Everyone with iOS thinks all apps in the app store are OK when you still need to use your head. Bad stuff gets by Apple.
I assume Congress asked Path for this same letter? Or does the Fed just go after the biggest fi$h and not care about equal accountability?