Mobile Apps Take Data Without Permission
New York TIMES > Technology > Bits Blog
By NICOLE PERLROTH and NICK BILTON
Published: February 15, 2012
10:09 p.m. | Updated
SAN FRANCISCO – The address book in smartphones – where some of the user’s most personal data is carried – is free for app developers to take at will, often without the phone owner’s knowledge.
Companies that make many of the most popular smartphone apps for Apple and Android devices – Twitter, Foursquare and Instagram among them – routinely gather the information in personal address books on the phone and in some cases store it on their own computers. The practice came under scrutiny Wednesday by members of Congress who saw news reports that taking such data was an “industry best practice.”
Apple, which approves all apps that appear in its iTunes store, addressed the controversy on Wednesday after lawmakers sent the company a letter asking how approved apps were allowed to take address book data without users’ permission. Apple’s published rules on apps expressly prohibit that practice.
But in its statement about the issue, Apple did not address why those apps that collect address book data had been approved.
In that statement, Tom Neumayr, an Apple spokesman, said: “Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”
The Federal Trade Commission regulates the use of consumers’ data on the Internet, and in the past it has sanctioned big companies like Facebook and Google over privacy issues. It said Wednesday that it would make no comment about the app makers’ practices.
While Apple says it prohibits and rejects any app that collects or transmits users’ personal data without their permission, that has not stopped some of the most popular applications for the iPhone, iPad and iPod – like Yelp, Gowalla, Hipster and Foodspotting – from taking users’ contacts and transmitting it without their knowledge.
Google, which makes the Android operating system software, forces developers to ask users for permission to access any personal data up front.
The app makers collect the data to help quickly expand the network of people using their program. The practice of taking address book information without permission first came to light last week, when a developer noticed that Path, a mobile social network, was uploading entire address books to its servers without users’ knowledge. The company has since said it will stop the practice and destroy the data it has collected.
But Path is hardly the only mobile application that collects address books. Last February, Lookout, a mobile security company, found that 11 percent of free applications in Apple’s iTunes Store had the ability to access users’ contacts. And on Tuesday, VentureBeat, a technology blog, reported that dozens of applications for Apple devices were taking users’ address books without permission.
The findings shed more light on how technology companies sift through people’s personal and private information without their knowledge. Last year, users were shocked to find out that Color, a mobile application, could activate users’ microphones on their phones without their permission. And in December, Carrier IQ, a mobile intelligence company, was accused of privacy violations when a programmer discovered that its tracking software was recording keystrokes made, phone numbers dialed, text messages sent and even encrypted Internet searches, on some 140 million smartphones.
“It’s time for app developers to take responsibility for ensuring that users know what they’re doing, rather than leaving it to the platforms to play a game of Whac-A-Mole,” saidJules Polonetsky, director of the Future of Privacy Forum, in an interview Wednesday.
Some developers are following that advice and changing their apps before Apple and Congress step in. Path and Hipster updated their apps late last week so that they warn users about the information collected. The updates also give users the ability to stop sharing address book information. After Path and Hipster drew scrutiny, Instagram, another popular photo-sharing app that gathers users’ contacts, added a prompt asking users for permission to do so.
Within the Twitter app, when users choose to “Find Friends,” the company can store their address books for as long as 18 months. The company said Tuesday that it planned to update its app to change how it tells users what it collects. “In our next app updates, which are coming soon, we are making the language associated with Find Friends more explicit,” Carolyn Penner, a spokeswoman for Twitter, said in an e-mail. “We send and store data securely. Address book information is encrypted when we send it from the mobile phones to our servers. The data is secured within Twitter in the same way that we secure other account information.”
On Tuesday, a developer discovered that when a user signs up for a Foursquare account, the company transmits their address book without warning. In response, Foursquare said it was adding an update to its app that warned users that it accessed their contacts. In an e-mail, Erin Gleason, the company’s director of communications, said that the company did not store users’ contact information. “When a person searches for friends on Foursquare, we transmit the address book information over a secure connection and do not store it beyond that point,” she wrote.
VentureBeat reported that the worst offenders seemed to take shortcuts and did not properly protect the data they were collecting from smartphones. It reported that Foodspotting, a mobile app that allows users to share photos of their meals, transmitted users’ address books over an unencrypted connection where it could be easily intercepted. In an e-mail, Alexa Andrzejewski, the chief executive of Foodspotting, said the risk of not encrypting users’ contact information “has always seemed relatively low, especially for a site that doesn’t deal with credit card or other sensitive information.” Ms. Andrzejewski also said Foodspotting would be updating its app to include additional security features.
Google has tools built into the Android platform that forces developers to notify people what data, if any, they plan to access. Once they have users’ permission, Android developers can access everything from a phone owner’s call logs to their text messages. But users of many apps – including Hipster, Locale, Uber, Yelp, Taxi Magic, Picplz, Scrabble and Waze – are often not told how the information will be used or how the company plans to store it.
“What separates malicious use from legitimate use is the element of surprise. If a user is surprised, that’s a problem,” said Kevin Mahaffey, Lookout’s chief technology officer, who said that in many ways, standards and rules for data on smartphones were still being debated. “It’s a new industry and it’s still in many ways the Wild West out there. The iron is still hot.”