Apple doesn't enforce its own Address Book policy

Summary: Developers get free access to your iOS address book because Apple turns a blind eye to it and doesn't enforce its own TOS.

TOPICS: Security, Apple

Kik Messenger did it.

Dragon Dictation did it.

Path did it.

Why?

Because Apple turns a blind eye to the single largest privacy problem facing it today: Address Book uploads.

Fellow ZDNET blogger Charlie Osborne brings word (via Dustin Curtis) that Apple makes a standard practice of approving apps that upload the entire contents of your iOS address book (including names, addresses, phone numbers, emails -- everything!) to developers' servers.

In fact, Curtis notes that 13 of the 15 iOS developers he informally polled admitted that they copy their users' Address Books and have databases of "millions" of contacts. One company even bragged that it had "Mark Zuckerberg's cell phone number, Larry Ellison's home phone number and Bill Gates' cell phone number."

Set aside, for a moment, Apple's indiscretions.

Some assumptions I make about my private contact data:

  1. Developers won't sell, share or even view this information
  2. Developers take great care to protect the privacy of this information

The problems with the above assumptions are twofold:

  1. Developers are human (and often overworked)
  2. Developers can be hacked (Zappos, anyone?)

So why do developers risk the massive public backlash that address book uploads -- when discovered -- can (and do) cause?

The most interesting part of Curtis' post was about the risk/reward ratio to developers who engage in the practice:

Any app is an investment, and, like any investment, there are three outcomes -- success, failure, and mediocrity. The only one that matters on a market like the App Store is success, so fledgling app developers do everything they can to increase their chances. Because Apple provides extremely easy access to address book data, the pro -- that is, using the data to improve user experience, increase virality and growth, etc. -- outweighs the con.

But therein lies the rub. "Apple provides extremely easy access to address book data."

This is patently absurd and actually boggles my mind. Apple will refuse an app for any number of insane reasons, yet it routinely approves apps that upload your Address Book wholesale? Something's wrong here. Very wrong.

Again, Curtis:

On iOS, every other seemingly private local data source, like location and the camera roll, have strong protections; apps can't even see photos in the Camera Roll unless the user explicitly selects them from the image picker. There is a huge section of the Settings app dedicated to giving people fine control over which apps have access to location information. That Apple provides no protections on the Address Book is, at best, perplexing.

What's more, AB uploads appear to be in direct violation of Apple's own rules for apps.

According to Apple's Developer TOS:

17.1: Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used

17.2: Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected

Assuming that you have information about yourself in your Address Book (Siri, for example, requires you to have a "me" contact to help it interpret commands like "give me directions home"), surreptitious uploads of your AB file would be a direct violation of section 17.1 of Apple's iOS TOS.

And even if you didn't have a "me" contact in your Address Book, contact information would almost certainly qualify as "personal information" and thus be forbidden for developers to upload under section 17.2.

Right?

Apple hasn't replied to a request for comment. I will update this story when it does.


Talkback

49 comments
  • RE: Apple doesn't enforce its own Address Book policy

    I suspect that this issue will define Tim Cook's leadership ability.
    kenosha77a
    • RE: Apple doesn't enforce its own Address Book policy

      Jason, A list of Apps (especially the popular ones) that upload your address book would be very helpful. It will at the very least give users an opportunity to avoid those apps. Any way to do that?
      Masari.Jones
      • RE: Apple doesn't enforce its own Address Book policy

        @Jason D. O'Grady
        Yes, how about a list?!
        sjobs84
  • RE: Apple doesn't enforce its own Address Book policy

    Please explain: Developers can be hacked (Zappos, anyone?)
    daikon
    • RE: Apple doesn't enforce its own Address Book policy

      @daikon

      In other words, I'm not worried that developers will abuse the data, but what if their server gets hacked and someone steals their db of "millions" of contacts? Look at what happened to PSN, Zappos, etc. These kinds of breaches seem to happen more and more often these days.

      - Jason
      Jason D. O'Grady
      • RE: Apple doesn't enforce its own Address Book policy

        @Jason D. O'Grady
        Zappos internal network breach happened. Apple/Apple Products or Apple policy has nothing to do with Zappos breach.
        daikon
      • RE: Apple doesn't enforce its own Address Book policy

        @daikon I think you are missing the point.

        They shouldn't be collecting this information (often they have no need to collect the information) and they are storing it on their servers, without the users' knowledge or permission.

        Those servers can get hacked and all that data ends up in the hands of "bad guys". Whether the App Devs are also bad guys is a matter of opinion. But if they had been acting responsibly, there would be limited or no data to get breached, but they act irresponsibly and there is a lot of data hanging around on their servers, which shouldn't be there.

        That is not to speak of the app developer or its employees selling access to the database or selling it wholesale to third parties.
        wright_is
    • RE: Apple doesn't enforce its own Address Book policy

      @daikon - Let's not forget about developers that go out-of-business or get purchased by another company such as a data miner . . . who's to say where that data goes!
      Gr8Music
  • RE: Apple doesn't enforce its own Address Book policy

    Is it me or has there been considerably more negative stuff coming out about Apple and their policies?
    slickjim
    • The wind blows stronger...

      @Peter Perry
      ...at the top of the mountain.
      Userama
      • Yes, you are right

        @Userama
        Microsoft knows very well what Apple is facing right now. The good thing is that these negative stories only really seem to hurt the feelings of the Apple fanboi. Apple itself is laughing all the way to the bank. Just like Microsoft was laughing all the way to the bank when you were huffing and puffing at Microsoft when they were at the top of the mountain.

        However, we should distinguish between the spotlight and the act. Apple did nasty things before they reached the top and they are doing nasty things now. The only difference is that Apple didn't get as much attention when they did nasty things while they were losers at the bottom of the mountain. No one cared to report on all of Apple's nastiness. Apple's actions haven't changed, the only thing that has changed is that the spotlight has moved from Microsoft to Apple. The actions were always there, just not the spotlight. I'm glad to see that has changed. We all win when this nasty behavior is exposed.
        toddybottom_z
      • RE: Apple doesn't enforce its own Address Book policy

        @toddybottom_z - LOL. Doesn't hurt fanbois at all. Just the MS shills trying to use 'reverse psych' to help their bottom line. Ain't happening. MS is famous for creating FUD. Same thing here. MS is dead.
        The Danger is Microsoft
    • Well, if you look at it objectively

      It's part hater campaign, part Apple, but mostly haters (if you consider only zdnet). If you consider the whole festering world, then they probably don't care, and if they do they probably shrug and get on with their lives.
      ego.sum.stig
      • RE: Apple doesn't enforce its own Address Book policy

        @ego.sum.stig@...

        Seriously? Or are you trolling?
        So you're saying that you have NO problem with any/every iOS app uploading your entire AB to the developer's servers without telling you?
        And I guess that you're fine that Apple doesn't enforce its own privacy rules in this regard?

        Wow. Just wow.

        - Jason
        Jason D. O'Grady
      • RE: Apple doesn't enforce its own Address Book policy

        @ego.sum.stig@... I disagree, they certainly care! 250,000 signatures shows that people care about some of the things facing Apple right now.

        Also, there are quite a few people that really have had issues with recent Apple Devices and this is also stirring the pot on other web sites.
        slickjim
      • RE: Apple doesn't enforce its own Address Book policy

        @ego.sum.stig@... That's not very likely.
        athynz
      • RE: Apple doesn't enforce its own Address Book policy

        @Jason D. O'Grady - you did point it out yourself. Apple has no policy on developers uploading your AB. Your stretch with the 'me' contact was an obvious admission that Apple is not doing anything they said they would not do. Do I think Apple should make this a new policy and prevent developers from accessing, uploading or otherwise using in any way local data on my iPhone? Yes! And it should be worded as local or remote data (from my mobile device or iCloud). But has Apple done something against their policy? As of now, no.
        The Danger is Microsoft
    • RE: Apple doesn't enforce its own Address Book policy

      @Peter Perry

      It's not just you....Apple is finally showing its true colors! I'd be outraged if my entire AB was uploaded to some 3rd rate developer working out of China or Russia! Luckily I don't have this problem because I run Windows Phone 7.5!
      Rob.sharp
      • RE: Apple doesn't enforce its own Address Book policy

        @rob.sharp@... I know and the Android Apps tell you if they are going to access your contacts data and then you can choose not to install, or use those Applications.
        slickjim
      • RE: Apple doesn't enforce its own Address Book policy

        @rob.sharp@... Hate to be the bringer of bad news...Microsoft does this all the time; has since WinCE came out in 2000.
        The Danger is Microsoft