Apple doesn't enforce its own Address Book policy

Summary: Developers get free access to your iOS address book because Apple turns a blind eye to it and doesn't enforce its own TOS.

Kik Messenger did it.

Dragon Dictation did it.

Path did it.

Why?

Because Apple turns a blind eye to the single largest privacy problem facing it today: Address Book uploads.

Fellow ZDNET blogger Charlie Osborne brings word (via Dustin Curtis) that Apple makes a standard practice of approving apps that upload the entire contents of your iOS address book (including names, addresses, phone numbers, emails -- everything!) to developers' servers.

In fact, Curtis notes that 13 of the 15 iOS developers he informally polled admitted that they copy their users' Address Books and have databases of "millions" of contacts. One company even bragged that it had "Mark Zuckerberg's cell phone number, Larry Ellison's home phone number and Bill Gates' cell phone number."

Set aside, for a moment, Apple's indiscretions.

Some assumptions I make about my private contact data:

  1. Developers won't sell, share or even view this information
  2. Developers take great care to protect the privacy of this information

The problems with the above assumptions are twofold:

  1. Developers are human (and often overworked)
  2. Developers can be hacked (Zappos, anyone?)

So why do developers risk the massive public backlash that address book uploads -- when discovered -- can (and do) cause?

The most interesting part of Curtis' post was about the risk/reward ratio to developers who engage in the practice:

Any app is an investment, and, like any investment, there are three outcomes -- success, failure, and mediocrity. The only one that matters on a market like the App Store is success, so fledgling app developers do everything they can to increase their chances. Because Apple provides extremely easy access to address book data, the pro -- that is, using the data to improve user experience, increase virality and growth, etc. -- outweighs the con.

But therein lies the rub. "Apple provides extremely easy access to address book data."

This is patently absurd and actually boggles my mind. Apple will refuse an app for any number of insane reasons, yet it routinely approves apps that upload your Address Book wholesale? Something's wrong here. Very wrong.

Again, Curtis:

On iOS, every other seemingly private local data source, like location and the camera roll, have strong protections; apps can't even see photos in the Camera Roll unless the user explicitly selects them from the image picker. There is a huge section of the Settings app dedicated to giving people fine control over which apps have access to location information. That Apple provides no protections on the Address Book is, at best, perplexing.

What's more, AB uploads appear to be in direct violation of Apple's own rules for apps.

According to Apple's Developer TOS:

17.1: Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used

17.2: Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected

Assuming that you have information about yourself in your Address Book (Siri, for example, requires you to have a "me" contact to help it interpret commands like "give me directions home"), surreptitious uploads of your AB file would be a direct violation of section 17.1 of Apple's iOS TOS.

And even if you didn't have a "me" contact in your Address Book, contact information would almost certainly qualify as "personal information" and thus be forbidden for developers to upload under section 17.2.

Right?

Apple hasn't replied to a request for comment. I will update this story when it does.


Topics: Security, Apple

About

Jason D. O'Grady developed an affinity for Apple computers after using the original Lisa, and this affinity turned into a bona-fide obsession when he got the original 128 KB Macintosh in 1984. He started writing one of the first Web sites about Apple (O'Grady's PowerPage) in 1995 and is considered to be one of the fathers of blogging.
