Congress Pushes Apple to Protect Your Address Book

Feb. 15, 2012 -- Just how much of your iPhone's address book – your contacts' names, email addresses and phone numbers – is being stored on Twitter, Apple, and other companies' servers?

For users of some iPhone apps, the answer is everything.

Surprising? It's just that surprise and lack of transparency that has given rise to major privacy concerns, leading members of Congress to send a letter to Apple this afternoon to clarify and correct the situation.

The story really begins two weeks ago when a developer named Arun Thampi discovered that the social networking service Path, which allows you to post pictures and see where your friends are, was collecting address book data from iPhones without direct user permission, and then storing the data on its servers for 18 months.

Today, it was reported that Twitter was doing the same thing. When users tap the "Find Friends" button, their entire address books, including email addresses and phone numbers, were being sent to Twitter's servers where they could be housed for up to 18 months.

Neither of the companies explicitly disclosed to users that they were downloading and storing the personal data. And no one is alleging that the companies have misused the information.

Yet once the privacy concerns emerged, Path and Twitter apologized for the lack of transparency and both companies have vowed to make changes.

"We made a mistake," said Path's Dave Morin, CEO, in a blog post. "Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts."

"As a clear signal of our commitment to your privacy, we've deleted the entire collection of user uploaded contact information from our servers," Morin added. In the 2.0.6 version of the Path iPhone app, released last week after the privacy concerns were aired, users are prompted to opt in or out of sharing address book information with the company.

Twitter has taken a similar line. "We want to be clear and transparent in our communications with users," said Carolyn Penner, a company spokesperson. "Along those lines, in our next app updates, which are coming soon, we are updating the language associated with Find Friends -- to be more explicit. In place of 'Scan your contacts' we will use 'Upload your contacts' and 'Import your contacts' (in Twitter for iPhone and Twitter for Android, respectively)."

Twitter has always allowed users to remove their contacts info from its servers, but many opt to keep this information stored as it lets Twitter notify users if their friends have joined the service. (Click here to see how to remove your contacts.)

These specific companies and many others have gotten away without disclosing these address book storing practices, but some are pointing fingers at Apple, which has a policy directly prohibiting this in its App Store Review Guidelines.

Apple acknowledged in a statement that these app developers are not abiding: "Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines. We're working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."

Apple did not say when that software update would be released.

Members of Congress, specifically Rep. Henry Waxman (D-Calif.) and Rep. G.K. Butterfield (D-N.C.) of the Committee on Energy and Commerce, are also pushing the issue and have sent a letter to Apple CEO Tim Cook asking for answers to a series of questions about how many apps require user consent, amongst other things.

That letter can be read here.

There is also mounting concern the address book security concerns are more widespread than currently known and that there may be a flaw in Apple's iPhone operating system, iOS. (There's a good report on the details of that here.)

How Apple will respond and enforce its own guidelines remains to be seen, but it's clear that this entire address book debacle has already forced makers of popular apps like Path, Twitter, Instagram, Foursquare and others to become more transparent about just where your address book lives.