Path debacle and subsequent row prompts approval change
We last week reported on the iOS Path app uploading address book data to its servers, but without first asking for permission. Developer Matt Gemmell commented on the incident, and argued that "when dealing with personal information, it's important that developers and management be educated on privacy issues and in techniques for addressing them".
Path itself also responded quickly, apologised and has since released an update that prompts the user for permission to upload data, but it soon became clear that Path was far from the only culprit. Marco Arment and Dustin Curtis reported as such and both additionally put the onus of blame on Apple rather than developers, arguing that the company should not enable address book data to be used without permission.
There were arguments that Apple's developer guidelines, as shown below, did in fact state this action was not allowed:
17.1: Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used
17.2: Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected
However, US congressmen started demanding answers from Apple, with an open letter stating: "You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis. Please explain why you have not done the same for address book information."
In a written statement to the media, Apple said it will soon release an update that will fix this issue: "Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines. We're working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."
Apple's response should satisfy most, but the incident has opened yet another can of worms regarding privacy. With apps seemingly routinely grabbing address book data, there are now questions regarding how often this is happening on other mobile systems and also desktop operating systems; the lack of security in data upload from some apps makes even Apple's opt-in requirement in part pointless, in an age where people just click or tap dialog boxes to get rid of them; and now, according to the EFF, Google's circumvented privacy protections built into Safari, once again showcasing that even if protections are in place, it's often possible to get around them.