Last week, an iOS developer discovered that Path, a social network app for the iPhone, uploaded users’ entire contact lists to its servers without their permission.
Following an outcry in the media, Path’s founder Dave Morin deleted all the contact data his company had collected and issued this apology.
The discovery nonetheless blew the lid off a standard practice among iPhone apps that all users ought to be aware of.
Yesterday, for example, the LA Times reported that Twitter did much the same thing when a user taps the “find friends” button on its iPhone app. In fact, popular apps such as Instagram, Gowalla, Yelp, Foursquare and others all tap into your iPhone’s contact list to upload users’ actual names, emails and phone numbers.
The bottom line is this: iPhone apps have access to a wide range of information you store on your device. According to the Verge, this even includes access to your personal calendar.
In practice, the companies all say they access this data in order to find other friends who may be using their social networks. But many users see this as a violation of privacy, since the applications are tapping into intimate data and storing it on their own servers.
One issue is that such data is transported into the cloud, making it vulnerable to hacking exploits.
Another issue, pointed out by Venture Beat, is the fact that these companies could easily mask the personally identifying data but have instead elected not to do so.
Venture Beat’s Jennifer Van Grove elaborates on this concern, writing:
This is your address book we’re talking about, arguably the most private of all entities. It’s the digital repository of the personal and professional relationships you’ve amassed in your lifetime, and a simple click of a button could expose those relationships to strangers with malicious intents. Also, as many have pointed out, much of the data in your address book belongs to other people (their cell phone numbers, for instance), and has been entrusted to you with the understanding that you will keep it private.
Another concern is the lack of transparency the apps have shown in alerting the users to this process.
Twitter, for instance, simply says it will “scan your contacts for people you already know on Twitter.” In reality, it does not just scan your contacts, but uploads them and stores them on servers for 18 months. To say it merely “scans your contacts” does not in any way imply that it actually uploads and stores them.
Luckily, the fix for this issue is simple. In upcoming updates, app developers need to make the language more transparent. The apps could say, for example: “Clicking here will upload your contact info to our servers so that we can better assist you in finding friends.”
In addition, the applications should provide a way for people to wipe their data off their servers, much like Twitter does here.
And finally, the companies will need to encrypt the data as it flows over their networks, as well as store it in encrypted form, to protect users from possible hackers.
All of these steps should be taken and then explained in privacy statements.