On Tuesday, social networking app Path took a fireball of heat after a developer discovered that the latest version of its app automatically uploads users’ entire address book every time they logged into the network. Path co-founder and CEO Dave Morin quickly swooped in to do damage control, saying an update to the Android version of the app already requires users to opt-in, and the same change is coming soon for the iOS version.
Today, Hipster, a social photo app, got thrown into the grinder, after another developer discover that it, too, uploads portions of users’ address books in order to connect users with their friends. While Hipster doesn’t do this every time a user fires up the app, as Path does, it instead sends this information in a text file in an unsecured HTTP GET request. (Path uses the more secure HTTPS.)
So, why isn’t this post about Hipster also nabbing users’ contact lists without permission? Because it’s Apple — not Path or Hipster — that is allowing this to happen. The question is, was this simply a slip-up, or is the uploading of users’ contacts a practice allowed by Apple?
As any iOS app developer knows, Apple’s API for iOS lets any app access users’ address books and photos. This includes adding addresses to contact lists, and photos to the library, or importing this data into the app.
From the “Data Management” section of Apple’s iOS Technology Overview: “Data and media from iPhone are available to your application via safe, easy-to-use APIs. Your application can create new Address Book contacts and get existing contact info. Similarly, your app can load, display, and edit photos from the Photo Library, as well as use the built-in camera to take new photos.”
In many cases, the photo library portion of this is no big deal. The popular Camera+, for example, accesses the photo library to save new photos, or edit previously-taken ones. As does Instagram, and any other app that lets users take and save photos through the app.
Now, Apple states explicitly in section 17.1 of its iOS app guidelines that, “Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.”
It would appear, at first glance, that Path and Hipster both violated Apple’s guidelines. But a closer look shows that there may be a crack in Apple’s walled garden.
Basically, it all comes down to what Apple considers “data about a user.” Obviously, location data falls firmly into this category. But what about contacts? Do they qualify as “data about a user? We don’t know. But we have contacted Apple to clarify this matter, and will update this piece as soon as they respond.
All that said, blame still sits on the shoulders of the app developers who access users’ information without their consent — they are, after all, the ones who chose to add this feature without explicit user permission. But Apple is still at least partially responsible, either through negligence to properly vet these apps (and possibly many others), or by simply allowing this practice in the first place. Which one it is will determine how much burden Apple carries in this matter.