iOS 6 wants: Granular privacy control
Like with Notification Center, Apple should look to and improve on what Google's done with Android to better keep our Contacts safe.
Earlier this week the internet got itself into a kerfuffle over Path, a small-circle social networking app for the iPhone, which took Contact information without asking and openly transmitted it to Path's servers. It's an important issue to be sure, one worth getting into a kerfuffle over, and Path eventually apologized and vowed to make changes. But Path was only one of many, many apps to act this way.
A couple of years ago there was a similar kerfuffle over Dragon Dictation when Nuance was transmitting Contact information to their servers as well. Nuance did this, it turns out, so that its server-side voice recognition services could better understand the names of your friends and family.
Path, it turns out, did this so it could notify you if your friends and family were already using, or started using, their service and offer to connect you in the app as well. (Though the "open transmission" part was concerning -- hashing or otherwise encrypting the data between iPhone and server would have been a good idea.)
It could have been any of a number of other apps in Path's place, however, if they'd been discovered first. Many of them are now updating, adding security if they weren't already, and custom-making request popups for user permission before transmitting Contact information. And that's a good thing. But it exposes a problem with the way Apple currently handles user privacy on the iPhone.
If an app, any app, even a built-in Apple app, wants to know your location, it has to ask for permission. If it wants to send you Push Notifications, it has to ask for permission. If it wants to access Twitter integration, it has to ask for permission. If it wants access to any of your personal information, however, like Contacts, it doesn't have to ask at all.
Apple should change that, of course. They should require that apps ask permission to access Contacts -- and Calendars, and any other personal data -- and insist any information be transferred in a secure manner, and never be stored permanently on a developer's servers.
Just like with Push Notifications back before iOS 5, however, their popup requester system doesn't scale. Right now, if you launch a new Twitter app for the first time and you get popup after popup, asking you to tap to approve Twitter account access, location, and Push Notification. Imagine when Contact access, Calendar access, and conceivably other information is added to the list. As the number of popups grow, the likelihood that a user will read and consider each one falls precipitously. They'll just start tapping through to get to their app.(opens in new tab)
There's a school of thought that says inattentive users deserve what they get -- if they don't read, they abdicate their right to complain later. Apple doesn't usually subscribe to that school of thought, however. That's probably why they've kept permission requesters to a minimum for now.
Just like with Push Notifications, however, a better solution exists outside popups, and Android could once again be drawn upon for inspiration.(opens in new tab)
When you browse an app on the Android Market, whether via the web or in the Market app proper, there's a clearly defined place see what permissions that app will require. Arguably, Android presents way too many permissions and users might not bother to read them any more than they would a popup, but having them there as a permanent reference is invaluable.(opens in new tab)
for iOS 6, Apple could do what they did with Notification Center in iOS 5, remove the cumbersome nature of popups, simplify Android's implementation, and, when an app launches, present a simple sheet of toggles allowing a user to pick and choose which ones they're willing to grant access to.(opens in new tab)
Things like storage access are more noise than information, but Contacts and other areas that touch on personal information should absolutely be there.
Likewise, the permissions sheet could be kept available in the settings for the app (or in the general Settings.app), so users could easily change them at any time. Under special circumstances, if a service is absolutely required for an app to work -- for example, location is required for a photo editing app to access potentially geo-tagged photos in the Camera Roll -- then a popup could be generated explaining the situation.(opens in new tab)
Adding a list of permissions each app requires to the App Store, on device, in iTunes, and on the web would be a nice-to-have as well.
Path deserved the push-back they got for doing what they did with Contacts, but Apple deserves push-back for letting them do it in the first place.
Apple has shown a relentless drive to tackle the rough edges of iOS in recent releases, and as iPhones and iPads become more powerful and apps more sophisticated, privacy becomes one of the rough edges they need to get a handle on quickly.
They've used Privacy as a differentiator from the competition in the past, and Notifications and Location Services in iOS 5 are a huge leap forward when it comes to granularity and usability. Hopefully Apple brings it all together, and gathers up the loose ends like Contacts, in iOS 6.
Get the best of iMore in your inbox, every day!
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
Overall, though, I think that iOS 6 will probably feature a bit of a change in this regard. Whether or not it's like your mockup, time will tell, though I do think that the mockup presents a very elegant, iOS-like solution.
The mockup I made, with the toggled, is what I'd like to see.
On Android, it's an all or none deal. If you want to use an app, you must accept ALL permission. This means developers simply have to worry about requesting the specific permissions needed and develop with the assumption that they will have access.
With the toggle, a developer has the additional chore of making sure the app is functional and only disabling functionality for which the user refuses to grant permission. Of course a lazy developer will simply disable everything if the app is not granted all permissions, but my guess is the market will punish those developers in the long run.
I can't count the number of times I've seen the "why does app X need permission Y?" in the Android Market. It would be a great thing be able to simply turn that specific permission off.
It's nice that Android shows you the permissions, but there are so many apps right now with invasive permissions you really can't avoid them if you want to use your phone's full capabilities. Of course, most of those apps are free on the Android Market. Probably a connection there.
After every app you install, you get a popup asking if you want to view the permissions or not. If you choose to view, you can see exactly what it has access to. You can also choose to ignore them and leave them at default.
The bottom line though is that no matter how permissions are presented to the user, it is up to the user to actually look at them and change them if necessary. It's like the adware that gets bundled in with freeware applications on PC. The user has the option to uncheck the box for its installation but most people don't pay attention and then they wonder how weather bug got installed.
You have 2 options over and above Android's default.
1) Some popular custom ROMs, such as CyanogenMod, have the option (disabled by default) to interactively prompt you for permissions while an app is running.
2) There are apps in the Market, for free, that can be used to restrict permissions on both a system level or a per-app level.
Any permissions denied by either of these methods could possibly cause an app to crash, but in my experience (for example, I deny most apps any location privileges unless the app really needs it, not for ads), most apps handle the loss gracefully, for example, by simply saying "Location not available".
For either of these methods, there are no "off-limits" permissions. I'm free to deny whatever to any app, including system apps. Of course with this level of control, it possible to muck things up - So most permissions apps support some method of backup and restore.
In my personal opinion, Android should patent this permissions system, and make Apple or any other company pay a fair rate (that Google gets to determine) to license it. If the company disagrees with Google's rates, they are free to develop their own alternate system. Why? Because Google put a lot of thought into this, and it shows.
Try this app for restricting permissions, and explore related apps (such as LBE Privacy Guard). https://market.android.com/details?id=com.stericson.permissions&feature=.....
There is no special case scenario.
In addition to applying lossless compression and AES encryption to all data coming and going to the phone, BB assigns permissions for all phone features for every app. Not just location and contacts, but also GPS, cellular data, wifi, phone, SMS, bluetooth, camera, microphone, the combined inbox "Messages" app, etc. If the app has specific permission requirements to function, you are presented the preferences screen during the install, generally with required permissions pre-selected (and some rationale for those selections) but you can still un-select permissions and continue the install.