Up­dated App Store rules now pre­vent de­vel­op­ers from us­ing ad­dress book in­for­ma­tion with­out ex­plicit per­mis­sion

The National - News - - BUSINESS LIFE -

Ap­ple changed its App Store rules last week to limit how de­vel­op­ers use in­for­ma­tion about iPhone own­ers’ friends and other con­tacts, qui­etly clos­ing a loop­hole that let app mak­ers store and share data with­out peo­ple’s con­sent.

The move cracks down on a prac­tice that’s been em­ployed for years. De­vel­op­ers ask users for ac­cess to their phone con­tacts, then use it for mar­ket­ing and some­times share or sell the in­for­ma­tion – with­out per­mis­sion from the other peo­ple listed in those dig­i­tal ad­dress books. On both Ap­ple’s iOS and Google’s An­droid – the world’s largest smart­phone op­er­at­ing sys­tems – the tac­tic is some­times used to juice growth and make money.

Shar­ing of friends’ data with­out their con­sent is what got Face­book into so much trou­ble when one of its out­side de­vel­op­ers gave in­for­ma­tion on mil­lions of peo­ple to Cam­bridge An­a­lyt­ica, the po­lit­i­cal con­sul­tancy. Ap­ple has crit­i­cised the so­cial net­work for that lapse and other mis­steps, while an­nounc­ing new pri­vacy up­dates to boost its rep­u­ta­tion for safe­guard­ing user data. The iPhone maker hasn’t drawn as much at­ten­tion to the re­cent change to its App Store rules, though. As Ap­ple’s an­nual de­vel­oper con­fer­ence got un­der way on June 4, the Cal­i­for­nia com­pany made many new pro­nounce­ments on stage, in­clud­ing new con­trols that limit track­ing of web brows­ing.

But the phone maker didn’t pub­licly men­tion up­dated App Store Re­view Guide­lines that now bar de­vel­op­ers from mak­ing data­bases of ad­dress book in­for­ma­tion they gather from iPhone users. Shar­ing and sell­ing that data­base with third par­ties is also now for­bid­den.

And an app can’t get a user’s con­tact list, say it’s be­ing used for one thing, and then use it for some­thing else – un­less the de­vel­oper gets con­sent again. Any­one caught break­ing the rules may be banned. An iPhone’s con­tact list can con­tain phone num­bers, email ad­dresses and pro­file pho­tos of fam­ily, friends, col­leagues and other ac­quain­tances. When users in­stall apps and then con­sent, de­vel­op­ers get dozens of po­ten­tial data points on peo­ple’s friends.

That’s a trove of in­for­ma­tion that de­vel­op­ers have been able to use, beyond Ap­ple’s con­trol.

In the years fol­low­ing the launch of the App Store in 2008, con­tact-list abuse sur­faced from time to time, and in 2012, Ap­ple added a way for users to ex­plic­itly ap­prove their con­tacts, pho­tos, lo­ca­tion in­for­ma­tion and other data be­ing up­loaded by de­vel­op­ers. Some apps, in­clud­ing Uber and Face­book, let users re­move con­tacts that have been up­loaded.

Even so, there’s no mech­a­nism to do that for all apps that have been in­stalled on an iPhone. Aside from that, Ap­ple’s rules on con­tact lists have re­mained rel­a­tively con­sis­tent for a decade. Bal­anc­ing user pri­vacy with the needs of de­vel­op­ers has helped the com­pany build a prof­itable app ecosys­tem. Ap­ple said last week that de­vel­op­ers have gen­er­ated $100 bil­lion (Dh367.3bn) since the App Store launched. The com­pany typ­i­cally takes 30 per cent of app rev­enue and runs search ads in its App Store.

“They have a huge ecosys­tem mak­ing money through the de­vel­oper chan­nels and these apps, and un­til the de­vel­op­ers get bet­ter on pri­vacy, Ap­ple is com­plicit,” says Domingo Guerra, pres­i­dent of Appthor­ity, which ad­vises gov­ern­ments and com­pa­nies on mo­bile phone se­cu­rity. “When some­one shares your info as part of their ad­dress book, you have no say in it, and you have no knowl­edge of it.”

While Ap­ple is act­ing now, the com­pany can’t go back and re­trieve the data that may have been shared so far. After giv­ing per­mis­sion to a de­vel­oper, an iPhone user can go into their set­tings and turn off apps’ con­tacts per­mis­sions. That turns off the data faucet, but doesn’t re­turn in­for­ma­tion al­ready gath­ered. The Google app store works in a sim­i­lar way. On the com­pany’s help page about app per­mis­sions, un­der “Im­por­tant”, it says: “If you re­move per­mis­sion for an app, this ac­tion won’t delete the info the app al­ready has. How­ever, the app can’t use new info or take ac­tions from that point on.”

The dif­fer­ence is that Google mostly keeps quiet about how it uses peo­ple’s data for ad­ver­tis­ing, while Ap­ple of­ten talks about not col­lect­ing user in­for­ma­tion or build­ing pro­files of them. The iPhone maker also rolled out ex­tra pri­vacy con­trols to com­ply with a strict new Euro­pean law ear­lier this year and has fought US gov­ern­ment ef­forts to ac­cess user data on its de­vices. One de­vel­oper con­tacted Bloomberg News in the af­ter­math of Face­book’s Cam­bridge An­a­lyt­ica scan­dal, ex­press­ing con­cern that Ap­ple users may not un­der­stand what de­vel­op­ers can see when they pro­vide ac­cess to their con­tacts.

The de­vel­oper re­quested anonymity for fear of ret­ri­bu­tion from Ap­ple or the de­vel­oper’s em­ployer.

Once a user clicks OK, de­vel­op­ers can download the in­for­ma­tion the user keeps about ev­ery­one in their ad­dress book. That might in­clude not only names and phone num­bers, but other data such as birth dates and home and work ad­dresses. If peo­ple at­tached a photo to their friends’ pro­files, the de­vel­op­ers get that, too. The app maker can also learn when a con­tact en­try was cre­ated and edited, giv­ing clues on the ac­cu­racy of the phone num­ber and whether this is a new or old ac­quain­tance.

“The ad­dress book is the Wild West of data,” the iOS de­vel­oper says. “I am able to in­stantly trans­fer all the con­tacts info into some ran­dom server or up­load it to Drop­box if I wanted to, the very mo­ment a user says OK to giv­ing con­tacts per­mis­sion. Ap­ple doesn’t track it, nor do they know where it went.’’

An­other de­vel­oper says they’ve only seen one app that col­lected user con­tact lists for dis­hon­est pur­poses. And many uses for con­tact in­for­ma­tion are well un­der­stood. When down­load­ing a game, the game maker may ask for con­tacts per­mis­sion to show you friends who also have the app who you can play with, or they may build an easy way for you to text a friend about join­ing you on the app.

Apps like In­sta­gram and Snapchat ask for con­tact in­for­ma­tion to help users build so­cial net­works. The Bloomberg News app also asks for ac­cess to users’ con­tact lists, and other web ser­vices ac­cess email ad­dress books, so it’s not just an Ap­ple or Google prob­lem.

After re­ports on Ap­ple’s rule changes, US Sen­a­tor Mark Warner said the com­pany “should be ap­plauded – for this, and for other user-em­pow­er­ing moves Ap­ple has made that will give con­sumers bet­ter con­trol over how their data is used”.

“More com­pa­nies should fol­low suit,” said Mr Warner, a Demo­crat from Vir­ginia who’s been one of Face­book’s fiercest crit­ics. The US Fed­eral Trade Com­mis­sion warns con­sumers to be wary when apps ask for in­for­ma­tion un­re­lated to the pur­pose of the app. On its web­site, the FTC says any in­for­ma­tion col­lected by de­vel­op­ers can be shared with third par­ties or used to build data­bases.

Con­tact in­for­ma­tion may not al­ways be di­rectly use­ful to a de­vel­oper’s app, un­less it has a so­cial or chat com­po­nent. But it could be sold to data bro­kers, who com­bine it with other in­for­ma­tion to help com­pa­nies sell goods and ser­vices on­line.

And in some cases, it’s a tool to mar­ket an app to other peo­ple with an en­dorse­ment from the per­son who down­loaded it.

Last week, Ap­ple banned apps from con­tact­ing peo­ple us­ing in­for­ma­tion col­lected via a user’s con­tacts or pho­tos “ex­cept at the ex­plicit ini­tia­tive of that user on an in­di­vid­u­alised ba­sis”. De­vel­op­ers must also pro­vide users with a clear de­scrip­tion of how the mes­sage will ap­pear to the re­cip­i­ent be­fore send­ing it.

That type of bulk-tex­ting has been the ba­sis of vi­ral growth for apps like the 2016 sen­sa­tion Down To Lunch, which let peo­ple in­vite all their friends to lunch at the same time. It’s also been a com­mon tool in po­lit­i­cal cam­paigns, sup­ported by com­pa­nies like Cal­lHub.

In early 2017, some iPhone users be­gan get­ting texts from an app they’d never heard of be­fore. “A friend added you on ChitChat,” the mes­sages said. “Tap here to get it.”

ChitChat was built by Swipe Labs, a so­cial prod­uct de­sign stu­dio that was us­ing con­tact list ac­cess to mar­ket its new mes­sag­ing ser­vice to users’ friends – in ef­fect, dig­i­tal cold-call­ing on steroids. Peo­ple com­plained on Twit­ter, where ven­ture cap­i­tal­ist Chris Sacca called it “the her­pes of con­tact lists”. Mar­wan Roushdy, chief ex­ec­u­tive of Swipe Labs, apol­o­gised, call­ing the tac­tic a “half-baked growth fea­ture”.

“We had some is­sues with too many no­ti­fi­ca­tions be­ing sent out,” he said. A new ver­sion of the app that “throt­tles down no­ti­fi­ca­tions” was sent to Ap­ple for re­view, Mr Roushdy said. Swipe Labs was ac­quired by Uber Tech­nolo­gies a few months later.

In 2013, the FTC sued so­cial net­work­ing app Path over col­lect­ing ad­dress book in­for­ma­tion from iPhones and An­droid phones with­out user con­sent.

Path set­tled and com­mit­ted to not mis­lead­ing users in the fu­ture. Ap­ple chief ex­ec­u­tive Tim Cook met with Path’s chief ex­ec­u­tive to chas­tise him for the prac­tice, it was re­ported at the time.

While Ap­ple and Google have taken steps to im­prove app per­mis­sions, when things go awry, reg­u­la­tors tend to put the onus on the apps, not the op­er­at­ing sys­tems. In 2013, the FTC set­tled with a flash­light app on An­droid phones for col­lect­ing lo­ca­tion in­for­ma­tion and sell­ing it to ad­ver­tis­ing net­works with­out con­sumers know­ing.

Face­book has stressed that the prac­tice of de­vel­op­ers shar­ing users’ friends’ data was against its rules. The so­cial me­dia gi­ant banned the de­vel­oper who shared this in­for­ma­tion with Cam­bridge An­a­lyt­ica, and it made the po­lit­i­cal con­sult­ing com­pany sign an agree­ment con­firm­ing it had deleted the data back in 2015.

This March, the New York

Times and other out­lets re­ported the in­for­ma­tion hadn’t been deleted. The episode started a new global dis­cus­sion about pri­vacy, with Euro­pean and some US pol­i­cy­mak­ers ar­gu­ing con­sumers should dic­tate where their data flows, not gi­ant tech com­pa­nies.

On the so­cial net­work, users make their own pro­files, while smart­phone ad­dress books con­tain dig­i­tal dossiers that peo­ple make about other peo­ple. There may be hun­dreds of ver­sions of peo­ple’s con­tact in­for­ma­tion that they have no con­trol over. The same per­son might be “Dad” on one phone and “Craigslist Couch Guy” on an­other. The woman who bought his couch years ago may still be in­ad­ver­tently shar­ing his ad­dress with the game she plays on her iPhone ev­ery morn­ing.

ChitChat used con­tact list ac­cess to mar­ket its ser­vice to users’ friends, lead­ing to com­plaints and a sub­se­quent apol­ogy


The Ap­ple World­wide De­vel­op­ers Con­fer­ence in San Jose, Cal­i­for­nia, ear­lier this month. Ap­ple an­nounced the in­tro­duc­tion of new con­trols that limit the track­ing of web brows­ing on iOS de­vices such as iPhones and other se­cu­rity mea­sures amid grow­ing con­cerns about per­sonal data pri­vacy

Newspapers in English

Newspapers from UAE

© PressReader. All rights reserved.