Trump Campaign App's Data Grab Could Expose Everyone in Your Contact List, Experts Say

Several experts were concerned by the app's attempts to collect contact data.

ByABC News
August 26, 2016, 1:57 PM

— -- Donald Trump’s campaign app may be putting “America First,” but experts say it's not necessarily prioritizing users’ privacy.

The Trump campaign’s smartphone offering seeks to collect and store the contents of users’ address books –– potentially vacuuming up large quantities of personal data about individuals who have never used the application and who may be unaware that it’s in the hands of the campaign.

The app, titled "America First," was quietly launched on Apple’s App Store and the Google Play store as a free download last week.

In a series of interviews with ABC News, several electronic privacy experts expressed concerns about the scope of the Trump campaign app’s data collection techniques, even though all of the methods appeared legal. The experts warned that users may be unwittingly handing over personal data about themselves and their contacts –– potentially exposing all involved to undesired campaign communications, or, at worst, a host of abuses in the event of a malicious data breach.

The Trump campaign did not immediately respond to ABC News' request for comment.

According to the app’s privacy policy –– a common legal document that outlines a software vendor’s intentions for using users’ data –– the campaign “may access, collect, and store personal information about other people that is available to us through your contact list and/or address book.”

The Hillary Clinton campaign launched its app in July. Both campaigns collect data on those who use their apps –– including information about a user’s phone, their mobile network provider, and other uniquely identifiable data, according to the privacy policies available on the apps.

However, Trump’s app goes a step further by seeking to collect information about other individuals through app users’ contact books during the initial registration process. Clinton’s app requests this information when users seek to use a sharing feature in a menu, not during the initial registration process.

“Trump’s is asking to collect significantly more data, and not just data about you, but data about anyone who might be in your contact list,” Nicole Ozer, technology and civil liberties policy director at the ACLU of Northern California, told ABC News.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, said that Trump is "basically saying he has the right to pull down the contact list of the donors and supporters [using the app], which is something that is really very controversial."

Craig Spiezle of the Online Trust Alliance agreed, saying the policy was “very problematic,” and “not one that privacy or consumer advocates would consider reasonable.”

Collecting data from app users is not unique to the Trump campaign. However, Rotenberg said that the scope of the Republican nominee’s collection “in particular is egregious."

Of particular concern is the personal nature of data contained in modern electronic address books, which is often shared with personal confidants under the assumption that it will be kept private or shared with only the utmost discretion.

Address books on mobile phones don’t just contain phone numbers and email addresses -- which themselves may be private or sensitive. In many cases, they can contain notes about health information, snippets of emails, codes for security systems or garage doors, shared passwords, or even Social Security numbers.

Many people using apps that collect contact data may not realize the extent of the information that they’re handing over, experts said.

PHOTO: The "America First" smartphone app released by "Donald J. Trump for President, Inc." requests access to the user's contacts list after installation.
In screen grabs made on Aug. 25, 2016, the "America First" smartphone app released by Donald J. Trump for President, Inc. requests access to the user's contacts list after installation.

The crucial decision is made during the initial registration process when the app is first launched.

Users are presented with a screen featuring the campaign logo superimposed over a photo of Trump. Beneath it they are presented with multiple options for registering an account with the app.

Further down still, in small text at the bottom of the screen, is a link to the app’s privacy policy, which, when clicked, takes users to the legal document on the campaign’s website.

During the registration process, ABC News journalists testing the app were presented with a pop-up screen requesting access to their address book. They denied the request and the app functioned normally during brief usage.

However, experts noted that privacy policies go partially or fully unread, and users often rapidly and impatiently click through pop-ups asking for permission to access the data. Some may not even know what a privacy policy is or that one is available, the experts noted.

A Pew Research study from late 2014 found that less than half of Americans polled correctly identified what a privacy policy is.

So, in many cases, users are unaware of what they’re about to hand over, experts said.

Additionally, some apps are coded so that they will not function if they are not granted access to requested data. Trump’s app appeared to function even though access to the contacts was denied, however, this is not made clear before the prompt, which appears during the initial registration.

“I think most people have this perception that if they don’t click yes, they can’t use the apps. It’s misleading at best,” Rotenberg said. “But it’s unfair when we look more closely at the Trump policy in particular, because it says, ‘You’re giving us the right to capture your contact list.’”

PHOTO: An Apple iPhone screen grab made on Aug. 25, 2016 on shows the privacy settings for the user's contacts.
A screen grab made on Aug. 25, 2016 on a smartphone with the Trump campaign app "America First" and the Clinton application "Hillary 2016" shows the Trump application has requested access to the user's contacts. The Clinton application doesn't appear on the screen because it hasn't requested access from the user.

Even though it's legal to transfer data about people who may have never downloaded the app, the practice remains controversial.

“Here you have the situation where an individual is wanting to use the app, and they’re making decisions about other people’s privacy,” Ozer said.

“[Neither] the individual nor the app is making sure individuals in those contact lists knows their information is ending up in the hands of the campaign,” she added. “Just because you choose to use an app, doesn’t mean that all the people you come in contact with want information about them shared with that campaign or that company.”

“Your contact list are a treasure trove. They are potentially thousands of people that you know, and personal information about them that they might not share publicly. It can be their private mobile numbers, it can be there home addresses, it can be many other things about them that would be valuable to both companies and political campaigns,” she said.

But not all experts share those concerns about the practice.

“It is perfectly legal to do so,” said Albert Gidari, director of privacy at the Center for Internet & Society at Stanford Law School.

“That you may betray your friends' privacy in doing so is a matter of your ethics, not the site's," Gidari told ABC News. "Do people stop and think about this? Of course not!”

The Trump app’s privacy policy notes that users who originally agree to share their contact data can later revoke this access on their device’s settings. However, the vast majority of privacy experts interviewed by ABC News expressed concern that the policy says nothing about whether data that had already been transmitted to the campaign’s servers would be deleted.

“A real revocation of that permission would require the Trump campaign -- or any organization -- to delete the information,” Rotenberg said.

The collection of this data is concerning, the experts said, in light of recent high-profile hacking attacks.

Recent data breaches at the Democratic National Committee and the Democratic Congressional Campaign Committee, as well as a number of other organizations and businesses, highlight how common the public exposure of private data by hackers has become.

“The more data, the longer its retained, the more likely that something can happen to it,” Ozer said. “That it ends up being used in a way that the individual did not intend or could end up being hacked or breached at some point down the line.”

While the Clinton privacy policy states that the campaign “takes reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction,” no such language exists in the privacy policy for the Trump app.

Editor's note: This story has been updated to reflect the existence of a feature in a menu on the Clinton campaign app that does ask users' for access to their address books. However, this is an opt-in feature that appears in a menu, not during the initial registration process.

Related Topics