Yesterday, developer Arun Thampi noticed that the Path iPhone app uploads a user’s address book to their server without asking the user first. And by address book, I mean all the phone numbers and addresses and email addresses of everyone in your phone’s address book just gets sent off to Path. And not only that, Path stored that information on its server. To their credit, Path apologized and deleted the data from their server.
But this is a larger problem than just Path. In a post from earlier today, Dustin Curtis reveals the dirty little secret of iPhone developers everywhere.
It’s not really a secret, per se, but there’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission, to remote servers and then store it for future reference. It’s common practice, and many companies likely have your address book stored in their database. Obviously, there are lots of awesome things apps can do with this data to vastly improve user experience. But it is also a breach of trust and an invasion of privacy.
I did a quick survey of 15 developers of popular iOS apps, and 13 of them told me they have a contacts database with millons of records. One company’s database has Mark Zuckerberg’s cell phone number, Larry Ellison’s home phone number and Bill Gates’ cell phone number. This data is not meant to be public, and people have an expectation of privacy with respect to their contacts.
13 out of 15! Zuckerberg’s cell phone number! Maybe I’m being old-fashioned here, but this seems unequivocally wrong. Any app, from Angry Birds to Fart App 3000, can just grab the information in your address book without asking? Hell. No. And Curtis is right in calling Apple out about this…apps should not have access to address book information without explicitly asking. But now that the horse is out of the barn, this “quiet understanding” needs to be met with some noisy investigation. What happened to Path needs to happen to all the other apps that are storing our data. There’s an opportunity here for some enterprising data journalist to follow Thampi’s lead: investigate what other apps are grabbing address book data and then ask the responsible developers the same questions that were put to Path.
Update: I am aware of this very confusing display of data from the Wall Street Journal. It indicates that of the ~50 iPhone apps surveyed, only three (Angry Birds, Facebook, and TextPlus 4) transmit address book data to a server. That’s not exactly the widespread problem that Curtis describes (the data sets are likely different)…it would be nice to see the net cast a bit wider.