The address book in smartphones — where some of the user’s most personal data is carried — is free for app developers to take at will, often without the phone owner’s knowledge.
Companies that make many of the most popular smartphone apps for Apple and Android devices — Twitter, Foursquare and Instagram among them — routinely gather the information in personal address books on the phone and in some cases store it on their own computers. The practice came under scrutiny Wednesday by members of Congress who saw news reports that taking such data was an “industry best practice.”
Apple, which approves all apps that appear in its iTunes store, addressed the debate on Wednesday after lawmakers sent the company a letter asking how approved apps had been allowed to take address book data without users’ permission. Apple’s published rules on apps expressly limit that practice.
But in its statement about the issue, Apple did not address why those apps that collect address book data had been approved.
In that statement, Tom Neumayr, an Apple spokesman, said: “Apps that gather or transmit a consumer’s touch knowledge without their previous permission are in violation of our tips. We’re operating to make this even higher for our customers, and as we have now done with area services and products, any app wishing to get entry to contact data would require specific person approval in a long run tool liberate.”
The Federal Trade Commission regulates the use of consumers’ data on the Internet, and in the past it has sanctioned big companies like Facebook and Google over privacy issues. It said Wednesday that it would make no comment about the app makers’ practices.
While Apple says it prohibits and rejects any app that collects or transmits users’ private information without their permission, that has not stopped some of the most popular applications for the iPhone, iPad and iPod — like Yelp, Gowalla, Hipster and Foodspotting — from taking users’ contacts and transmitting them without their knowledge.
Google, which makes the Android operating system software, forces developers to ask users for permission to access any personal data up front.
The app makers collect the data to help quickly expand the network of people using their program. The practice of taking address book information without permission first came to light last week, when a developer noticed that Path, a mobile social network, was uploading entire address books to its servers without users’ knowledge. The company has since said it will stop the practice and destroy the data it has collected.
But Path is hardly the only mobile app that collects address books. Last February, Lookout, a mobile security company, discovered that 11 percent of free applications in Apple’s iTunes store had the ability to access users’ contacts. And on Tuesday, VentureBeat, a technology blog, reported that dozens of applications for Apple devices were taking users’ address books without permission.
The findings shed more light on how technology companies sift through people’s personal and private information without their knowledge. Last year, users were shocked to find out that Color, a mobile application, could activate users’ microphones on their phones without their permission. And in December, Carrier IQ, a mobile intelligence company, was accused of privacy violations when a programmer discovered that its tracking software was recording keystrokes made, phone numbers dialed, text messages sent and even encrypted Internet searches, on some 140 million smartphones.
“It’s time for app builders to take accountability for making sure that users recognize what they’re doing, rather than leaving it to the structures to play a sport of Whac-A-Mole,” said Jules Polonetsky, director of the Future of Privacy Forum, in an interview Wednesday.
Some developers are following that advice and changing their apps before Apple and Congress step in. Path and Hipster updated their apps late last week so that they warn users about the information collected. The updates also give users the ability to stop sharing address book information. After Path and Hipster drew scrutiny, Instagram, another popular photo-sharing app that gathers users’ contacts, added a prompt asking users for permission to do so.
Within the Twitter app, when users choose to “Find Friends,” the company can store their address books for as long as 18 months. The company said Tuesday that it planned to update its app to change how it tells users what it collects. “In our subsequent app updates, that are coming soon, we are making the language related to Find Friends extra particular,” Carolyn Penner, a spokeswoman for Twitter, said in an e-mail. “We ship and retailer data safely. Address book information is encrypted once we ship it from the mobile phones to our servers. The knowledge is protected inside Twitter in the same way that we protected different account data.”
On Tuesday, a developer discovered that when a user signs up for a Foursquare account, the company transmits their address book without warning. In response, Foursquare said it was adding an update to its app that warned users that it accessed their contacts. In an e-mail, Erin Gleason, the company’s director of communications, said that the company did not store users’ contact information. “When a person searches for friends on Foursquare, we transmit the address book information over a secure connection and do not store it beyond that point,” she wrote.
VentureBeat reported that the worst offenders seemed to take shortcuts and did not properly protect the data they were collecting from smartphones. It reported that Foodspotting, a mobile app that allows users to share photos of their meals, transmitted users’ address books over an unencrypted connection where it could be easily intercepted. In an e-mail, Alexa Andrzejewski, the chief executive of Foodspotting, said the risk of not encrypting users’ contact information “has always seemed relatively low, especially for a site that doesn’t deal with credit card or other sensitive information.” Ms. Andrzejewski also said Foodspotting would be updating its app to include additional security features.
Google has tools built into the Android platform that force developers to notify people what data, if any, they plan to access. Once they have users’ permission, Android developers can access everything from a phone owner’s call logs to their text messages. But users of many apps — including Hipster, Locale, Uber, Yelp, Taxi Magic, Picplz, Scrabble and Waze — are often not told how the information will be used or how the company plans to store it.
“What separates malicious use from legitimate use is the element of surprise. If a user is surprised, that’s a problem,” said Kevin Mahaffey, Lookout’s chief technology officer, who said that in many ways, standards and rules for data on smartphones were still being debated. “It’s a new industry and it’s still in many ways the Wild West out there. The iron is still hot.”