Path privacy gaffe highlights gold rush for mobile users’ data

Apple on Wednesday moved to quell the rising furor over disclosures that social network Path and several other makers of iOS apps collect and store users’ address books without asking their permission.

The tech giant said it would require third-party suppliers of applications in its App Store to secure user approval to use address book data, including full names, phone numbers, and e-mail addresses.

However, that development is not likely to do much to slow a gold rush in the nascent mobile advertising market. Many of the key players hustling to shape this potentially vast mother lode of ad revenue are pursuing business models that hinge on third-party app developers extending controversial behavior profiling techniques from the PC to smartphones, tablet PCs and e-readers. This involves snooping on how people use their mobile devices, then correlating and sharing an individual consumer’s contacts and preferences.

VentureBeat reports that Facebook, Twitter, Instagram, Foursquare, Foodspotting, Yelp, and Gowalla are just some of the Apple apps that routinely collect names, e-mail addresses and phone numbers from your iPhone or iPad internal address book and store them on their servers.

And a USA TODAY cover story last August revealed how 842 Android apps took the unusual step of asking users’ permission to access the handset’s International Mobile Equipment Identity number, the unique code assigned to each cellphone. The IMEI was then employed as the user ID for the given app. In a number of instances, the app subsequently forwarded the user’s IMEI on to an online advertising network.

‘We made a mistake’

“The Path disclosure is another step in the public’s finally understanding how much their data are being used and exploited,” says Michael Fertik, CEO of privacy and reputation consultancy Reputation.com.

Path CEO Dave Morin in a blog post confirmed that the company uploads sensitive address book data to its servers. The reason: to help users quickly connect to family and friends and automatically alert them when acquaintances join Path.

“We made a mistake,” says Morin. “Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts.”

Morin indicated that an upgrade is forthcoming that requires users to opt in to share their address book with Path. He also said Path has deleted all of the address book user data it has previously collected.

Open season on user info

Michael Sutton, VP of Security Research at Zscaler ThreatLabZ, says it has been “open season on address book contents” for some time, as suppliers of popular free apps scramble for ways to monetize user data.

“What many don’t realize is that this is just the tip of the iceberg,” says Sutton. “Many mobile apps either intentionally, or due to poor coding practices, place end-user data at risk, either while transmitting it or storing it locally. As a gate-keeper of the App store, Apple is unfortunately doing very little to address this. There have been many stories over the past few years discussing this issue and yet Apple has still not stepped up to the plate to vet apps for security issues before adding them to the app store. They seem content to focus on the ‘user experience’, not security.”

Apple stayed silent on the Path disclosure for several days – until hearing from Congress. Rep. Henry Waxman, D-Calif., and Rep. G. K. Butterfield, D-NC, sent a letter to Apple CEO Tim Cook requesting more information about the company’s privacy policies.

“There have been claims that the practice of collecting consumers’ address book contacts without their permission is common and accepted among iOS app developers,” the letter says. “This raises questions of whether Apple’s iOS app developer policies and practices adequately protect consumer privacy.”

The lawmakers asked Cook to describe all iOS app criteria relating to the privacy and security of data accessed by third-party apps, and for an explanation as to how Apple determines whether an app meets those criteria.

Apple on Wednesday issued a statement saying it will require applications in its App Store that want to collect and store users’ address book data to get explicit user approval.

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” the statement says. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”
