updated 01:35 pm EST, Wed February 15, 2012
Path scandal raises data collection worries
US House Energy & Commerce Committee Chairman Henry Waxman and Commerce Manufacturing and Trade Subcommittee Chair G.K. Butterfield have together sent a letter to Apple, asking whether "iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts," notes The Next Web. The letter quotes sections of the iOS Developer Center site, where Apple says it provides a collection of tools and frameworks for storing, accessing, and sharing data, and questions whether Apple requires apps to ask permission before sending personal data. Also quoted is the Dustin Curtis article "Stealing Your Address Book" -- which says that "there’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission" -- and a report that suggests developers may have the contact details of people like Bill Gates, Larry Ellison, and Mark Zuckerberg.
The letter stems from a scandal involving the Path iOS app. Until recently, the app would save and upload all of a person's contacts without permission. Waxman and Butterfield argue that if an app like Path was able to gain approval for the App Store, there may be truth to accusations of improper address book access and data storage.
Apple and/or CEO Tim Cook are asked to answer several specific points:
1. Please describe all iOS App Guidelines that concern criteria related to the privacy and security of data that will be accessed or transmitted by an app.
2. Please describe how you determine whether an app meets those criteria.
3. What data do you consider to be “data about a user” that is subject to the requirement that the app obtain the user’s consent before it is transmitted?
4. To the extent not addressed in the response to question 2, please describe how you determine whether an app will transmit “data about a user” and whether the consent requirement has been met.
5. How many iOS apps in the US iTunes Store transmit “data about a user”?
6. Do you consider the contents of the address book to be “data about a user”?
7. Do you consider the contents of the address book to be data of the contact? If not, please explain why not. Please explain how you protect the privacy and security interests of that contact in his or her information.
8. How many iOS apps in the US iTunes Store transmit information from the address book? How many of those ask for the user’s consent before transmitting their contacts’ information?
9. You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis. Please explain why you have not done the same for address book information.
A February 29th deadline has been set for an answer. As with similar letters, the date is likely not binding, but rather just a goal.