The controversy surrounding iPhone apps accessing users' address books appears to have come to a head: The Next Web reports that Rep. Henry Waxman (D-Calif.) and Rep. G.K. Butterfield (D-N.C.) have sent an official letter to Apple CEO Tim Cook asking him to explain several aspects of "policies and practices ... [for] protecting the information of iPhone users and their contacts."
Cook and Apple have until Feb. 29 to respond. Until they do, let's look at what these apps are doing and which of your iPhone apps are doing it (SPOILER: most of the really big ones).
Last week, it was revealed that Path, a popular new social networking app for the iPhone, was uploading users' address books -- including first and last names, phones numbers and email addresses -- to its servers without asking users for permission. Worse, Path was apparently storing this information on its servers indefinitely, and in plain English, without encrypting or attempting to encode the info. The blogger who discovered the apparent indiscretion, a developer named Arun Thampi, introduced the technical details of how Path was accessing its users' address books with the following disclaimer:
I'm not insinuating that Path is doing something nefarious with my address book but I feel quite violated that my address book is being held remotely on a third-party service. I love Path as an iOS app and I think there are some brilliant people working on it, but this seems a little creepy. I wonder how many other iOS apps actually do the same...
Those last two sentences would turn out to be very, very prescient indeed. Users agreed with Thampi that the app's actions to harvest personal information without notification was, indeed, creepy. Now, independent research by iOS developers has revealed that several of the most popular apps for the iPhone are engaged in a similar kind of wordless, notification-less storage of your contacts.
The Path saga is nearing its conclusion: CEO Dave Morin publicly apologized and permanently deleted all user information from Path's servers. A subsequent update to the Path iOS app added a pop-up box asking for explicit permission from the user to upload his or her address book. Users can opt out of sharing their address book with Path from here on out.
For Apple, however, and ubiquitous iPhone apps like Foursquare, Twitter and Facebook the saga may be just beginning. Prompting congressional inquiry into Apple was, in part, an article on developer Dustin Curtis' personal blog called "Stealing Your Address Book," which began with a startling claim about standard industry practice: "It's not really a secret, per se, but there's a quiet understanding among many iOS app developers that it is acceptable to send a user's entire address book, without their permission, to remote servers and then store it for future reference."
A report from Matthew Panzarino at The Next Web seems to confirm that claim: Panzarino, with the help of TapBot developer Paul Haddad, investigated about a dozen of the most popular apps for iOS, including Foursquare, Facebook, Twitter and Instagram, and found that many of those apps are not only storing the contact information of your friends, but are storing it in plain text rather than in encrypted form. Though all of these apps ask for permission to access your address book, they do not explicitly ask for permission to transmit that data to their servers.
That's right: Facebook, Twitter, Foursquare, Instagram all send email addresses and phone numbers to their local servers.
Users concerned about the state of their address books should read The Next Web's in-depth investigation into the ways in which these apps store unencrypted contact info on their servers. As an example, here's what the contact information of a Jane Smith (with mobile phone (888)-888-8888 and iPhone (222)-222-2222 and email addresses jane@smith.com and jane@work.com) looks like being transmitted to Facebook's servers:
{"name":"Jane Smith","phones":["(888) 888-8888","(222) 222-2222"],"emails":
["jane@smith.com","jane@work.com"],"record_id":1}]
In other words, it's right there in the open.
So, what's likely to happen? App developers will, at the very least, find themselves pressured to encrypt that data from now on -- of the apps profiled by Panzarino, Facebook, Foursquare and Instagram were all seen to transmit without satisfactory encryption. Twitter recently admitted that it stores information from your address book for up to 18 months, which has caused another outcry from users. The L.A. Times has that story and notes that you can use to remove your personal contacts from Twitter's domain at any time on this page.
It is clear, however, given Rep. Waxman's letter, that what Apple and app developers are required to disclose now is viewed as unsatisfactory by many. Apple spokesperson Tom Neumayr recently gave a statement to tech blog AllThingsD, apparently faulting Path for violating its App Store guidelines. "Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines," he said. "We're working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."
This does not, however, address the controversy over unencrypted data and data storage -- that dispute continues. Across the web, and in Washington, it is still being hotly debatedwhether the blame lies on Apple for allowing so many developers such free and easy access to iPhone owners' address books, or whether the blame falls upon on the app developers for taking advantage of that easy access when they don't really need to and then transmitting that information so carelessly.
What is not being debated is that something in the way that apps access and transmit users' private address books on iOS needs to change, and soon.
-----
UPDATE: Foursquare spokeswoman Erin Gleason responded to this article in an email to HuffPost, seeking to clear up Foursquare's address book practices. She wrote:
We have never stored address book information on our servers. When a person searches for friends on foursquare, we transmit the address book information over a secure connection and do NOT store it beyond that point. Because of the recent attention to this issue, we submitted an app update that makes our policy even clearer to users through an explanatory pop-up. I've attached a screenshot of the notification. This update went live yesterday.
----
CORRECTION: A previous version of this article referred to developer David Curtis. His name is Dustin Curtis.