Stealing Your Address Book (dcurt.is)
239 points by maccman on Feb 8, 2012 | 84 comments



We develop software for Windows and Macs. On the Mac the address book files are certainly available to read, and also available through an API. We don't read these files, we don't upload them, and we don't analyze them. We don't touch them at all. We also don't touch anything else on our customer's system that they wouldn't normally be expecting, and we don't send any information back to our server without the user explicitly saying it's OK when it happens.

Here's one reason why we don't scan people's systems for interesting private files and secretly upload them for our economic benefit:

1. It violates the user's trust, expectations and privacy.

Here's a second reason:

2. It is a criminal act to do so.

I don't buy these discussions about how it is Apple's fault. It's not. It's illegal to steal private data like this. The companies doing this should be raided and shut down by the FBI immediately. All of them. Whether or not they issued a tearful apology.


It is definitely illegal in the UK (and Path is available in the UK).

http://en.wikipedia.org/wiki/Data_Protection_Act_1998

I naively thought that iOS Apps wouldn't do this, in part, because it was illegal.


Also, by deleting the data from the servers—are they not now destroying evidence?


I voted you up because you're bringing up a great point. Didn't think this way, but now going this hm path :) If there will be any FCC or other inquiry, wonder if long-term this will help Path or not.


I'd expect most European countries to fall in the same category. Actually, I'm surprised it's not illegal in the US.


They do fall in the same category, because of the Data Protection Directive. This is not a law, but all EU states interpreted the directive, and enacted it into law, and the law in each country is now basically the same.


Unfortunately, no company really gives a shit about this law (unless it suits them, e.g. when you complain about something, often they hide behind it as an excuse for not telling you something).

Because no-one ever checks up on them.


These are all fine and valid points, but the fact remains that a free game app might be very tempted to complement its lousy revenue by stealing and reselling users' address books and anything else their app can get its hands on. I as an iPhone user want a protection against that.


And it's criminal to do so. Software that steals data is malware. Prosecute these companies severely, put their president and the engineers who were in on it in prison for data theft and conspiracy. It's not like there isn't overwhelming evidence proving the case in these situations.


I'm not sure what your point is. Whether or not it's illegal, it should also be protected against by Apple, since it can be prevented entirely that way rather than waiting for someone to get caught and prosecuted for stealing data.

I guess you're saying don't blame Apple, blame the criminals. Okay, I blame the criminals. Crime is always the criminal's fault.

But I'd also like Apple to protect me from them. Especially since the App Store is advertised as a safe place and this view is reinforced by protecting access to other types of private data in the system.

I'm not blaming Apple for the behavior of criminals, but I am blaming Apple for failing to deliver a product that will protect me from them.


There are valid legal reasons to integrate with the address book. The argument that it's Apple's fault is like saying WalMart is to blame for shoplifting because they don't put everything behind the counter. It would be very inconvenient to do so and overall things work better when we prosecute crime rather than create a police state environment where crime is not possible, while also making many reasonable actions difficult to do. I don't want to live in the Soviet Union and wait in line for bread.


> There are valid legal reasons to integrate with the address book.

Nobody is suggesting it should be impossible to integrate with contacts. The suggestion is it should be impossible to do so without asking my permission, as is the case with other private data. Requiring that apps ask approval before accessing my private data is not at all like waiting in line for bread in the USSR.

> The argument that it's apple's fault

Is one that nobody is making, so you don't need to debunk it. Or at the very least, I'm not making it, in fact, I very explicitly stated I wasn't making that argument in the post you replied to.


All of which costs millions of dollars.

Alternatively, Apple could spend a few thousand dollars and properly secure their MULTI billion dollar platform so the problem couldn't occur in the first place.


It doesn't cost millions to prosecute such a case. Even if it did, so what? These criminal syndicates engaging in these illegal conspiracies and crimes are well funded, so all costs of prosecution can easily be paid for with fines and seizures.


It's important to keep in mind that where Path went wrong is they did not ask permission to upload the address book. Many, many applications have a valid reason to move your contact list into the cloud - and as long as they ask my permission first, that's fine.

Agreed with your outrage on a company taking files off of my system (address book or otherwise) and uploading them. And, from reading the dcurt.is entry - it sounds like 85%+ of social apps do this as common practice.


I never thought about this before. But it seems like there are very different expectations for PC developers and smart phone developers. Companies developing software for a PC would never consider sending personal data to their servers.

Maybe it's because mobile developers mostly come from web development where it is normal for the server to store such data. For a lot of web applications (web-mail, Facebook) it is part of the service.


3. Don't expose yourself by accepting responsibility for sensitive data (that you don't even need, probably)

If you upload personal data (which, I agree, is wrong unless explicitly requested and authorized) you have much more data to protect.


> I don't buy these discussions about how it is Apple's fault. It's not.

Does Apple provide an application-level permissions system where users can see what permissions an application requires, and where users can choose whether they will grant an application the right to read the address book or choose not to install it?

If Apple doesn't do this, then it's Apple's fault that it didn't sandbox applications enough in order to protect its users.


Whilst you are correct in holding the app developers accountable, it's a bit naive to defend Apple like this.

The world is certainly 'not' always ideal, and as a phone owner when I download apps, I would like to be able to defend my privacy at the OS level.


So, any user who has had their address book or other personal data illegally uploaded should contact the FBI.


The biggest problem with all of this, and which I'm surprised no one else has mentioned, is that my Address Book isn't principally "personal data about me, which I wish to keep safe." It is "personal data about other, often more important people, who have entrusted me with the security of that data"!

If you pull my CEO's private contact info off my phone, or pull a high-level contact from some company we've been privately looking to acquire, you best pray that theft doesn't result in a leak of privileged business information.


Excellent point that most people have missed (I've actually brought it up in a few threads now). They are taking data that others have entrusted you with, which is the worst part of this. If their servers were compromised not only would my data be stolen but the data of all my friends, family, and colleagues.


Who I keep in my phonebook is absolutely about me – it is also about other people and perhaps there's increased risk for them, but who I keep in my address book is still personal and private information.

My social/business network, particularly as contained in my address book is absolutely private data and it should be my choice whether or not it's shared.


> or pull a high-level contact from some company we've been privately looking to acquire, you best pray that theft doesn't result in a leak of privileged business information.

Right, because the presence of some contacts at company B immediately implies "oh, we're going to acquire them."

What people really aren't mentioning is that people give out the information likely stored in your address book to pretty much any service that even looks to be interesting based on a screencast, or even a splash page. Do you read the terms of service and privacy policies of all random websites you sign up for? Do the people whose contact information you are protecting do so?


[deleted]


> It is possible that the internet has gotten so public that we should all just stop worrying about privacy.

It's notable that the core of Facebook's pitch, to users as well as investors, is "we should all just stop worrying about privacy", or perhaps "everyone you know has stopped worrying about privacy, so you should too."

So rather than a radical view, it's actually become an authoritative statement driving the fact that "the internet has gotten so public"! An elegant hack, really.


> people give out the information likely stored in your address book to pretty much any service that even looks to be interesting

You're missing a "some" in that sentence, and the difference between "all people" and "some people" sort of renders your point moot.


It's interesting that one side effect of the Apple 'walled-garden' and the perceived strictness of the app approval process has led to the idea that:

> ...this issue is a failure of Apple and a breach of trust by Apple, not by app developers.

That's a cop-out, of course. There is no lesser responsibility on the part of an app developer to "do no evil" if you've simply bent your definition of evil to "whatever Apple DOESN'T let me do to their users".

Let's look at this statement:

> ...there's a quiet understanding among many iOS app developers that it is acceptable to...

That should be a big red flag to the writer. Quiet understandings have led to all sorts of problems - certain financial collapses come to mind.

Ultimately, this is something Apple needs to confront. Consistency is far more important than any specific moral position - for users and app developers. But that's not a get out of jail free card for the developer.


> That's a cop-out, of course. There is no lesser responsibility on the part of an app developer to "do no evil" if you've simply bent your definition of evil to "whatever Apple DOESN'T let me do to their users".

That's arguable. Privacy is all about "expectation of privacy," which means there's really no predictable, testable methodology other than implementing a feature and finding out if people are outraged. In fact, it's almost certainly different for apps with different target audiences. Path probably gets a lot of tech-savvy 20- and 30-something users who are outraged by address book sharing, but the average Facebook user probably wouldn't care even if they found out it was happening.

Obviously, this just means that developers should err on the side of openness (e.g. in your privacy policy) and explicitness (e.g. popup dialog asking for permission). But that's often only apparent in hindsight, since a developer may never think that something could even be interpreted as a privacy issue, since the developer knows he or she will never misuse the data or even use it all in any personally-identifiable way.

Presumably, for better or for worse, many developers either consciously or subconsciously trust Apple to have a pulse on the community of users when it comes to privacy. It would be nice to be able to do so, but apparently that can't be trusted. Of course, from the user's perspective, it means they can't trust any app to not be abusive (according to their own definition of "abuse").


"the Apple 'walled-garden' and the perceived strictness of the app approval process"

I wonder if Apple's tight control over app approval has made them actually legally responsible for this kind of thing. Not that it would absolve the app seller/author, but it seems Apple might share significantly in responsibility.


I find the whole thing really rather curious. I too am baffled as to why Apple has allowed this functionality from day one. I am also surprised that there has not been considerably more malicious usages of this data.

Apple clearly does not enforce the guidelines 17.1 strictly - but some developers are rejected for this. I can imagine it being possible (and I have no idea) that Apple turns a blind eye to developers that break this rule on the assumption they are doing it as a reputable company and doing it for "clear" value to the end user. (e.g.: not just acquiring all your contacts despite being a fart app.)

> 17.1: Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used.

Apple traditionally will happily leave functionality users or developers deem critical out of iOS until it is done right - push notifications, geo-location, background applications. It seems to make so much sense that "contacts" are part of something that Apple would want to do right - after all - it can create significant value for the user. (as discussed here: http://parislemon.com/post/11647475506/your-true-social-netw...)

But that doesn't explain why allow it in the first place in its current state? It's a really odd thing to simply offer developers on a whim (all their SDK blurb says is "Your application can create new Address Book contacts and get existing contact info.") Why can I import all of a user's contacts but it is not possible to populate an iMessage with a recipient and content?

(I mean, Game Centre, the nearest thing to an Apple "social network" uses contacts to find your friends but in a truly terrible - albeit more ethical - manner. Which is both parts fascinating and infuriating as GameCentre is mostly crippled by being incapable of finding your friends.)

At a guess: internally Apple iOS development is under resourced and they have a todo list a mile long. This simply has not been a severe enough problem that it has warranted being fixed yet.

Whatever the reason, I hope it gets fixed.


They didn't allow it from day one. GPS apps, for example, couldn't navigate to contact addresses. VOIP couldn't use your numbers.

It was relaxed later. I don't recall exactly when, but I'm thinking around 3.2 or so. Before whatever update, you had to have silos of contacts. After it, all apps could use your address book.


> Why can I import all of a users' contacts but it is not possible to populate an iMessage with a recipient and content?

You can pop up an SMS sheet like you do for sending emails now.


It is super curious why Apple decided to allow apps to access the Address Book freely. I'm releasing an app on the App Store next week and I definitely thought about all the evil things I could do to my users because Apple provides them no protection. And as a developer looking for success on the App Store, it is very tempting.

I once considered the possibility of uploading the entire address book to my servers, too. In fact, I even considered email/sms spamming everyone in those address books with "invitations" from the address book owner to download my app. Of course, I did not end up doing any of that nefarious stuff. Not even uploading the address book for innocent "Add Friends" features. But the fact remains that given the freedom to do so, almost every developer will be, at least, tempted to take advantage of it. Most will.

I honestly don't think Path did anything wrong and I'm sure they kept the information secure on their servers. It's Apple that somehow let this one slip through.


Your stance seems to boil down to "if Apple doesn't catch you and reject your app, then you've done nothing wrong", which seems preposterous.


I think you misunderstand. I think Path did nothing wrong not because they "weren't caught". I'm sure they keep their data secure and they only use it to benefit the user's experience - ergo, nothing wrong. On the other hand, if say, they spammed people's address books, then I would think they are in the wrong. Or if they sold the data, then they are in the wrong. But as far as I can tell, they did nothing bad.

Oh and by "let it slip through," I didn't mean the app itself, but the fact that the SDK requires no authorization from the user for any app to access the address book. Like the author of the article said, it requires it for location. Why on earth doesn't it require it for your contacts? They're arguably much more valuable.


Perhaps, to Apple, it's really not your data. When you put data on an Apple device, they consider it to belong to Apple. So the appropriate permission was granted when they accepted Path into the App Store. Maybe this is the Apple way of thinking?


"When you put data on an Apple device, they consider it to belong to Apple."

What is the basis for that claim?


Inevitably, it ends up being the speaker's dislike of said brand.

Ah, Internet.


It's a supposition, sorry if thinking about the possibilities upset the fanboys out there.


I think it's a bit conspiracy-theorist to say that companies do this because they want to use everything they can get. The relatively easy privacy maintaining alternative (hash address book contents and store the hash, and check against hashes when people join) is simply not as obvious as simply uploading what you get from the API.

Most app developers are just trying to get a job done as quickly as they can, and in that hustle are choosing the path of least resistance, rather than thinking, "I really want to exploit this data as much as possible and invade as much privacy as possible."


Totally agree. I'm actually surprised at how many people assume this was done with malicious intent.

There are still plenty of sites storing plaintext passwords. I doubt there's a data mining conspiracy there (although I bet you could make some interesting guesses about people based on their password choice). It's just a poor design that accomplishes its task in the simplest way possible.


> I'm actually surprised at how many people assume this was done with malicious intent.

I don't care whether or not it was done with malicious intent. What bothers me is that copies of my address book are floating around out there without my permission.


Would hashing contact information placate those who are outraged at this practice? It would still enable the app to associate you with other users of the app without your explicit information.

It seems to me that the biggest complaints are that Apple doesn't popup a permission dialog before allowing an app to access your address book, and that Path's privacy policy seemed to omit that they were using your address book.


Keep in mind too, that the data involved is all small enough that rainbow tables could easily be used to reverse them. My cell phone number's unsalted MD5 hash is trivially reversible via a Google search - and if you salted it, you couldn't then compare it to the hash out of someone else's address book.

I've seen rainbow tables claiming 100% coverage of all <14 lowercase characters. I'd bet reasonable money that there's a rainbow table specifically generated for email-address-like strings and another for name-like-strings. I'm pretty sure both names and email addresses have a lot less entropy than random lowercase letters for the same lengths.

Using hashes to obfuscate while still maintaining comparison ability of low entropy data really doesn't help security much…


Particularly because 85% of "average" people in North America keep their email in one of 5 mail domains (hotmail.com, aol.com, yahoo.com, gmail.com, Facebook.com) - that, plus the low entropy of names - means the rainbow tables would probably have a 95% hit rate at relatively small sizes.
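An added illustration of the trade-off described in the two comments above (not code from any commenter, from Path, or from Apple): unsalted hashes of phone numbers still allow server-side matching, but the small input space lets anyone holding the hash recover the number by enumeration, while a per-party salt stops that and also breaks the matching. The phone numbers, the `+1202555` prefix and all function names are constructed for this example, and SHA-256 stands in for the MD5 mentioned above because the weakness is the input space, not the hash function.

```python
"""Why hashing contacts before upload does not hide them (constructed data only)."""
import hashlib
import os
from typing import Optional


def hash_contact(value: str, salt: bytes = b"") -> str:
    """Hash one address-book entry. An empty salt models 'upload hashes only'."""
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()


def recover_phone(target: str, prefix: str, unknown_digits: int) -> Optional[str]:
    """Walk every number under `prefix`; return the one whose hash equals `target`.

    The search space is only 10**unknown_digits candidates, which is why an
    unsalted hash of a phone number is reversible whatever hash is used.
    """
    for n in range(10 ** unknown_digits):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if hash_contact(candidate) == target:
            return candidate
    return None


# Constructed sample data (fictional 555-01xx numbers, hypothetical users).
ALICE_ADDRESS_BOOK = ["+12025550142", "+12025550177"]
REGISTERED_USERS = ["+12025550142", "+12025550199"]


def demo() -> dict:
    # Scheme 1: unsalted hashes. The server can match Alice's contacts
    # against its user index without ever seeing the raw numbers...
    upload = {hash_contact(p) for p in ALICE_ADDRESS_BOOK}
    index = {hash_contact(p) for p in REGISTERED_USERS}
    unsalted_matches = upload & index

    # ...but any stored hash can be turned back into the number it came from.
    leaked_hash = next(iter(unsalted_matches))
    recovered = recover_phone(leaked_hash, prefix="+1202555", unknown_digits=4)

    # Scheme 2: each party salts with its own random value. Enumeration now
    # needs the salt, but equal numbers no longer produce equal hashes, so
    # the friend-matching feature stops working.
    client_salt, server_salt = os.urandom(16), os.urandom(16)
    salted_upload = {hash_contact(p, client_salt) for p in ALICE_ADDRESS_BOOK}
    salted_index = {hash_contact(p, server_salt) for p in REGISTERED_USERS}
    salted_matches = salted_upload & salted_index

    return {
        "unsalted_matches": len(unsalted_matches),
        "recovered": recovered,
        "salted_matches": len(salted_matches),
    }


if __name__ == "__main__":
    print(demo())
```
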


Am I missing something? I'm not an iPhone/iOS user so please forgive me. Does iPhone/iOS not ask if you give permission for this App to view your Address Book?

If not, then I can see why this might be Apple's fault for allowing developers to abuse this.

If yes, then how can this possibly be Apple's fault? It seems almost absurd to blame them. The buck stops with the end user for not protecting their Address Book. If you allow some weather app to download your Address Book, why should Apple care? You cannot trust every developer (turns out we are all data hungry), and they even asked to peek in there too. You explicitly gave them permission!


All iOS apps have every permission except location without asking.


Here is a list of things that iOS apps can't access by default:

   - location (only accessible via permissions dialog)
   - existing photos and videos (only accessible via apple-provided picker dialog)
   - reading email or SMS (never accessible)
   - sending email or SMS (only accessible via apple-provided compose dialog)
   - any data or settings for other apps (never accessible)
   - push notifications (only allowed after permissions dialog)
   - Safari history, cache, cookies, etc (never accessible)

In fact, the only thing apps can access without permission that's really problematic are the contacts. And yes, I expect Apple will be closing this very soon.

You could maybe argue that accessing the live camera and microphone feed are an issue?


> existing photos and videos (only accessible via apple-provided picker dialog)

Are you sure about that? I was under the impression that the Asset Library framework (https://developer.apple.com/library/ios/#documentation/Asset...) would allow one to build their own picker and thus access the existing photos and videos. But I didn't go far enough into iOS yet to try it and see what it really does…

That being said, I can't find an app that allows me to select multiple pictures at once. (you'd think the Facebook app would let you do that) Which is weird because I'm fairly certain that Picasa Web Albums allowed that at some point. (http://itunes.apple.com/us/app/web-albums-a-picasa-photo/id3...) I remember because I specifically bought the app to upload a couple of folders at a time and I don't see myself choosing them one by one… In any case, while the description implies it can, the current version won't let me.


If you use your own w/o the location permission, you don't get EXIF data, just the bitmap.

FlickStacker supports batch select, as do many other uploaders or photo vaults.


I wonder how they'd go about making the Address Book stuff require permission without breaking existing apps. They could insert a permission dialog, but there'd be no way for existing apps to handle the rejection gracefully as it would likely be a new method in a new SDK.

I guess they could just make all the "get" functions return empty data sets if the user doesn't agree for apps using the current functions.

They'll need to maintain backward compatibility to at minimum iOS 4, there's not many new apps that are iOS 5 only at the moment.


Then does it make sense to call it a "permission?"


Every permission? How about the permission to access your Camera Roll (as described in this blog post)? Clearly that is NOT granted by default.

I think you're overgeneralizing...


Oh. My ipod touch didn't have a camera roll, so I guess that could be restricted too.


Has this always been true?

I really thought iOS did ask for permission. I know I have had to grant it before, but perhaps it was just some nice app developers doing the moral thing.


Wow, that is news to me! My guess is that there will be some privacy restrictions / access control lists coming down the pipe after this flare up.


Apple doesn't just allow this; it seems they do it (for Twitter's benefit) themselves, in the official iOS5 Twitter integration settings panel:

http://cache.gizmodo.com/assets/images/4/2011/06/ios5twitter...

(It's possible they're scraping Twitter handles/photos in some way that doesn't link the 'email addresses and phone numbers' to the requester's Twitter handle... but almost any straightforward way of implementing this has the de facto effect of informing Twitter of all your contacts' emails and phone numbers.)

Everyone's at it.


Apple avoids the Vista-like "ask for permission" on access design like Android by requiring you to justify your needs to the app reviewer as an app developer. Not having an untrusted source of apps that can install on the device that is allowed on the iPhone means Apple can, in theory, improve user experience by not having as many of these dialogs bugging the user.

Apps, should just work.®

Constant permission prompts just train users into muscle memory to accept these dialogs without thinking. Instead Apple sees it better to make developers justify their needs to the APIs when they submit. Then Apple tests the app and looks for anything fishy. In the end, they reserve the right to pull them when they violate their terms.

The article is wrong in that the camera roll is secure. It's technically not. Through the asset library API you can get at it. See docs here: https://developer.apple.com/library/ios/#documentation/Asset...

One of the issues Android had up until recently was that you couldn't update all apps in one shot. The reason is that app update may have required permission changes from a previous version. You would have to acknowledge each of these before installing the update. This was a crappy user experience and it's still the current experience when you install 3rd party APKs and update them.

The problem with these "list of permissions wanted" screens is they don't let the developers justify to the user why they need access to these different features inline with the request. The users see it at install or update often.

There are often very simple reasons why I need access to data on the device on Android in my app. I had people not install my app because I asked to send SMSs (which tells the user I can charge them money that way) in my music app, but it's only because I had a share button that is user invoked and clearly is sending a text message to user.

Sure, be clear with your intent with your users, but these permission models don't always scale for the everyday users.


Apple already has a prompt before allowing applications access to your location- the address book seems just as important.


Your complaints can be addressed by waiting to ask for permission the first time the app needs it, as opposed to a list of permissions to give at install time, and making the 'yes' answer sticky as opposed to prompting constantly.


They are not my "complaints". Popups cause muscle memory.


Constant popups cause muscle memory. Infrequent popups do not.


Why can I not lock down my phone information and describe, at the device level, what I'm willing to share? The present alternative (on Android) is to allow/deny applications on a case-by-case basis. Fuck up once and I've let slip data I don't want to share. Some apps cannot be deleted (on an unrooted phone -- only with difficulty on a rooted one).

Why can I not query each and every application vendor for all data held on me, and either modify or correct this as I see fit?

I've enjoyed playing with my Android phone for the past while, but I'm increasingly very unhappy carrying a persistent snitch in my pocket.

I'm waiting for the Pearl Harbor / 9/11 day for this stuff. It's going to happen, it's a matter of when.


"I fully believe this issue is a failure of Apple and a breach of trust by Apple, not by app developers."

So the companies that willfully ignore Apple's app rules and normal ethics are in no way to blame?


It's a lazy mistake. The tools are provided by way of a command or two on just about any platform available to any programmer. Hashing information and matching against said hash are problems that have been solved and simplified in as many languages as asking for the bathroom.

It's easier to send the raw data. It's foolish to send the raw data. It's a lazy mistake. We all know it happens. We all know WHY it happens. Stop fucking with our data. Pay attention because sometimes you should not be quite so lazy.

Path gets off easy because they're Path. I'm ok with that. But I would fire your ass if you did this under my watch because I know for a fact that this is a stupidly easy problem to resolve. Don't be so damned lazy when it matters.


It seems to me that all of these applications would be in trouble under Australia's fairly strict privacy laws. In particular, you are allowed only to collect details reasonably useful to your business and you must give a great deal of notice that this is happening[1].

Persons wishing to bring this issue to Apple's attention might wish to engage an Australian lawyer or bring the matter to the attention of the Attorney-General's department.

I don't have an iPhone, so I'd have no standing. Fellow Australians, call your lawyers and start raising a stink.

(IANAL, TINLA).

[1] http://www.privacy.gov.au/materials/types/infosheets/view/65...


So, let's see if I can turn this into a positive ...

A while back I casually nuked my iPhone 3G back to factory to give to a friend. I did so without realizing there were some contacts on there that failed to backup to my Mac.

What are the odds some startup or other company out there has my contacts? Do any of them offer personal data dumps? Sadly, these contacts never made it to Google, where I can dump the data.

Just curious.


I think that it is important that at least 2 levels of access can be asked by an app per resource (location, contacts, etc):

1. Permission to access a resource just locally for the benefit of the user;

2. Permission to transmit the data about a resource for social purposes.


There are many legitimate uses and I know I've downloaded many apps that uploaded my phone book for backup purposes, syncing purposes so on. Anything can be abused if used wrongly however, that's my philosophy.


I wouldn't really care if a company had access to my address book, different if they were reading my memos or something though.


I suspect your address book is just names and phone numbers?

I use my address book for everything. I have my contacts' names, phone numbers, email addresses, addresses, IM usernames, birthdays, anniversaries, websites, workplace and other info stored in mine (not to mention some personal info jotted in the notes section).

Until today, I believed that information was secure. I had no idea an app could upload all of that information to their server WITHOUT MY KNOWLEDGE, much less consent.

Because of Google's approval process (or lack thereof), Android users have always been paranoid of the apps they install and what permissions they give them. As an iOS user, I never thought I had to worry about that because of Apple's approval process.

Does it make a little more sense why some of us are furious about this now?


Exactly. I was always under the (apparently totally mistaken) assumption that Apple's approval process was there to catch exactly this kind of behaviour. It's supposedly one of the reasons why an Android-style permissions system is not necessary on iOS devices.

Recently it seems it's been coming to light that their curation process is not nearly as thorough as they would have us believe.


Two things.

Are you sure all the people in your address book are as careless about that data? The friend with the restraining order against their ex? The minor celebrity with the unlisted phone number?

Are you happy with the possibility that a connection between you and someone else might be implied without being true? What if a known drug dealer* had your phone number in their address book? (Perhaps via a room mate or child using the landline to have called them once? Or through reuse of an expired disposable cellphone number?)

* or child pornographer, or political dissident, or terrorist, or…


Unacceptable. What craven view of ethics puts any concept of "user experience" above treating others truthfully and respecting their privacy, property and personal domain?

This is not a "mistake". Why would anyone want to have anything to do with such people, much less be their customer?

This warrants punishment, not forgiveness.


tl;dr - What d'you mean stealing address books is wrong?! Everyone else is doing it!


Not really related to the content of the article, but my pointer wandered over some dot on the page. Suddenly it started animating, with the caption "DON'T MOVE." So I didn't. Then it changed to a checkmark, with the caption "SENT." What the hell did I just do?


You just sent your entire email list to his servers.


You sent an HTTP POST to http://dcurt.is/stealing-your-address-book/add_kudos. This results in incrementing the "# KUDOS" number under the dot. He seems to have built his own "like this" button, essentially, with a like counter.


I did this as well, it seems very obvious but it's a great insight in human behaviour.


Gave "Kudos" it seems. Kinda like a +1 or thumbs up.


I'm curious why Apple allows this also, but making this an excuse to render a blame and bash Apple article is misguided.

I say misguided because there are many ways that your personal information, behaviours, interests and usage history can be fettered away from you all outside of Apple's control, this is a privacy and transparency issue.

Not only should there be some level of respect for the information you possess (especially information you possess on others), but many countries already have legislation that address these privacy concerns specifically.

This means that there are real legal consequences to this address book saga, but contrary to the article's spin this is again not directed at Apple.

In short: Apple can do more to protect users, but shovelling them with the full blame over apps that are deliberately designed to gather and produce results from your contact information to provide is misguided.


The people who built your house also "allow" thieves to break in your house rather trivially. Would you hold them responsible in the event of a robbery?


I don't think this is exactly the case.

More like...the people who built your house and are guarding it allowed thieves to break in.

I believe I might hold them responsible.


If the builders were using security as a major selling point when marketing the houses, it wouldn't be unreasonable.



