One week after the photo-sharing service Path began taking heat for downloading user address books without user permission, a U.S. House subcommittee said it wants to know why Apple doesn't force iOS app developers to seek user permission before downloading their contacts.
"This incident raises questions about whether Apple's iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts," Rep. Henry A. Waxman (D-Calif.), ranking member of the Subcommittee on Commerce, Manufacturing and Trade, wrote in a letter sent to Apple CEO Tim Cook that was made public today.
Apple responded a couple of hours later, pledging to change its policy so that iOS apps which use address book data will first need the explicit permission of users. "Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines," Apple spokesman Tom Neumayr said.
The guidelines on the Apple App Store specifically prohibit apps from transmitting data "about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used."
But in its letter, the committee suggested that the practice may be more common than originally thought, quoting a claim by blogger Dustin Curtis that there is a "quiet understanding among many iOS app developers that it is acceptable to send a user's entire address book, without their permission, to remote servers and then store it for future reference."
The committee is giving Apple until February 29 to answer specific questions, including which of Apple's iOS App Guidelines relate to privacy and security of data accessed or transmitted by apps; how Apple determines whether an app meets the criteria; what is considered to be "data about a user"; how many iOS apps transmit "data about a user"; whether address book contents are considered to be "data about a user" or data of the contact, and if not, why; and why Apple doesn't offer users the ability to turn off transmission of contact information on an app-by-app basis like it does for location data.
The matter came to light last week after blogger Arun Thampi discovered that Path automatically uploaded the entire address book of users -- which included full names, phone numbers, and e-mail addresses -- to its servers. Path CEO Dave Morin quickly apologized and promised to delete all the address book information from its servers. A new version of the app prompts users for permission to download contact information.
Android users are notified of what data apps are capable of accessing and that by downloading the app they are opting in.
Meanwhile, various reports have discovered that Path isn't the only developer doing this with user address book data. Foursquare grabs contact data without user permission, according to Venture Beat. Facebook, Twitter, and Instagram download data after warning the user, according to reports.