iOS apps: Massive invasion of user privacy?

A study of iOS developers suggests data harvesting may be more serious than anticipated. Zuckerberg's number, anyone?
Written by Charlie Osborne, Contributing Writer

Many iOS developers have access to personal information that, if made truly public, would probably make users uneasy.

According to Dustin Curtis, a writer and user interface designer, there is a 'quiet understanding' among iOS developers that it is a perfectly acceptable practice to harvest information from user address books and store the data away for use in the future on a server.

A survey completed by Curtis involved contacting 15 developers of popular iOS applications. In a twist that beggars belief, 13 of them told Curtis that they had access to a 'contacts database' with millions of records containing personal and private information that should not be made public at any point.

One company's database is reported to contain data including:

  • Mark Zuckerberg's cell phone number;
  • Larry Ellison's home phone number;
  • Bill Gates' cell phone number.

This is data that we would expect to not be available in a public manner. Yet, the majority of these developers have access to it through databases.

In the aftermath of Path's apology for storing the address book details of users within its servers, the uproar that such practices were allowed to pass can still be keenly felt. The address book details stored on a user's smartphone became harvested by Path through an 'Add Friends' feature. The company apologized rapidly in desperate damage control limitation, admitting that 'the way we had designed our ‘Add Friends’ feature was wrong'.

However, it is almost impossible that Path are the only ones who indulge in such practices, and simply that they were the ones who were caught out.

Considering this, why exactly does Apple allow iOS applications to access any information stored within a user's address book without explicit permission? Other operating systems, such as Android, force apps to ask for this kind of consent before any changes can be made to a device, and no information can be transferred without the knowledge of the user.

Curtis points out that on iOS, other data sources seem to have the kinds of stringent protection that such a simple facility, an address book, lacks. Is this merely a mistake on behalf of Apple, or is it more -- an overlooked breach of trust?

On the matter, Curtis says:

"Because Apple provides extremely easy access to address book data, the pro -- that is, using the data to improve user experience, increase virality and growth, etc. -- outweighs the con. To stay on equal footing, larger apps, like Yelp, Facebook, and Foursquare, have to follow along. From a design perspective, it is a concession of user growth at the expense of user trust."

There may be beneficial reasons for wishing to store this kind of information -- for example, in an attempt to improve the customer experience. However, if the information is transferred without the full knowledge, understanding and consent of a mobile device user, then can we not also label it as a breach of privacy?

Or should we simply accept the exchange as part of using an application, even when information such as a friend's contact details are not ours to give?

This could have some serious repercussions if one considers privacy protection laws, and raises questions as to what data we ourselves actually own and can therefore use as we see fit -- and what companies should be allowed to store.

(via dcurt.is)


Editorial standards