Apple to Ban Stealthy iPhone Contact Data Harvesting
Shortly after two U.S. Congressmen asked Apple to answer questions about iPhone and iPad apps that snatch users' contact lists without permission, the Cupertino, Calif. company promised it will address the issue with a future software update.
Earlier today, Reps. Henry Waxman (D-Calif.) and G.K. Butterfield (D-N.C.) sent a letter to Apple CEO Tim Cook asking him about iOS apps that have harvested users' address book information without permission.
Waxman and Butterfield cited reports that Path, which sells an iOS online journal app, was grabbing users' address books and uploading them to its servers. After the allegations went viral, Path's CEO apologized and said the company deleted the collected address books from its servers.
"We now understand that the way we had designed our 'Add Friends' feature was wrong," acknowledged Path CEO Dave Morin in a Feb. 8 mea culpa. "We are deeply sorry if you were uncomfortable with how our application used your phone contacts."
In the letter to Cook, Waxman and Butterfield, who are the top Democrats on two House committees, asked, "Whether Apple's iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts."
Waxman and Butterfield also sent a copy of the letter to Morin.
The legislators wanted answers to nine questions, including one about Apple's earlier decision to require developers to disclose use of location data in their iOS apps.
"You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis," their letter stated. "Please explain why you have not done the same for address book information."
In a statement issued to some media outlets, including the AllThingsD blog and the Reuters news service, Apple responded to that question.
"Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines," an Apple spokesman told AllThingsD and Reuters. "We're working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."
Apple did not immediately confirm the statement's accuracy.
In December, Apple reacted to controversy over third-party software surreptitiously collecting a glut of information from iPhone users by promising it would provide an iOS update to remove the Carrier IQ code from all its smartphones.
At the time, a company spokeswoman said, "With any diagnostic data sent to Apple, customers must actively opt-in to share this information."
Apple's iOS App Store guidelines forbid programs from "transmit[ting] data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used."
Those rules also ban apps "that require users to share personal information, such as email address and date of birth, in order to function."
Apple has not updated those guidelines to specifically mention address books, although they have long prohibited apps that "do not notify and obtain user consent before collecting, transmitting, or using location data."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.