Wednesday, February 8, 2012

Path Uploads Your Entire iPhone Address Book to Its Servers

In 2010, I wrote:

I don’t understand why iOS makes such a big deal about permission to access location data, when any random app, even one that shouldn’t need network access at all, can access my address book, photos, and clipboard and upload them to who-knows-where.

Yesterday, Arun Thampi wrote:

Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.

John Gruber notes that the response from Path is not very satisfying. Is this really “currently the industry best practice”? See, for example, these questions from Matt Gemmell. There’s no automated way to get them to delete your data. Rule 17.1 of the App Store Review Guidelines seems to prohibit this sort of behavior without the user’s consent, yet Path has been in the curated App Store for over a year and Apple doesn’t seem to have noticed that it’s sending this information back to the server in cleartext. Now that the news has broken, Apple has neither pulled the app nor approved the update that asks users to opt in. As Peter Maurer says, “No technology will ever protect us from Trojan horses. Rules that destroy functionality are mere security theater.”

Update (2012-02-08): The official response from Path:

We are deeply sorry if you were uncomfortable with how our application used your phone contacts.

That could have been phrased better. Also, Gawker quotes Path CEO Dave Morin, in November 2010:

Path does not retain or store any of your information in any way.

Good thing they will “continue to be transparent.”

Also, in 2010, Dave Winer noticed that something wasn’t right, but he’d forgotten about it until now.

Update (2012-02-09): Gawker:

The official version from Morin is that the statement was technically accurate, at the time he made it. He just changed his mind.

Peter Maurer links to this screenshot of Path’s new opt-in alert, noting that it isn’t very transparent. It just asks whether you want to invite your friends, without explaining what this entails for your personal data. However, Ole Zorn links to this screenshot in which the alert actually says “Path needs to send contacts to our server.”

Brent Simmons on Dustin Curtis’s “quiet understanding” that it’s OK to do this with people’s address books:

I know a ton of developers, and I’ve never, ever heard this.

Update (2012-02-10): In the comments, CF quotes Steve Jobs at D8:

We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal data and suck it up into the cloud. Privacy means people know what they’re signing up for.

Update (2012-02-15): Dave Copeland:

But Twitter, as reported by the Los Angeles Times, seems to be the biggest name to make a revelation so far. The company told the newspaper it is making changes to make the policy clearer to users of its app. The current policy does not clearly state that Twitter downloads the entire address book of users who use the “Find Friends” feature on the app, including names, email addresses and phone numbers, and stores the data on its servers for 18 months.

Venture Beat (via Jason Kottke):

Facebook, Twitter, Foursquare, Instagram Foodspotting, Yelp, and Gowalla all upload either your contacts’ phone numbers or email addresses to their servers for matching purposes. Some of these applications perform this action without first requesting permission or informing you how long they plan to store this data. Foodspotting is the worst of the bunch, as it appears to transmit your data over an unencrypted HTTP connection (in plain text), making it even easier for mischievous parties to intercept.

John Paczkowski:

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple spokesman Tom Neumayr told AllThingsD. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

Not mentioned: (1) the other types of personal data that apps can access without permission, and (2) the difference between letting the app access your address book and letting the app transmit it.

12 Comments

"No technology will ever protect us from Trojan horses. Rules that destroy functionality are mere security theater."

But isn't this just an example of one area where iOS's security model is simply broken? As you note, the lack of user control on what app can do with Address Book data was a known flaw. Rules, implemented via a proper user-controlled security model, could've prevented this.

Thank god you can be an informed user and install Little Snitch for iOS to avoid this kind of situation. Err, never mind...

@Chucky I think the security model should require user approval to access the address book. That would protect us from the majority of apps that have no business accessing it at all. But, no, I think Maurer’s conclusion is right. Many apps legitimately need network access, and social apps reasonably want address book access, but no technology can prevent the two from being combined in unwanted ways. Neither can Apple’s review process. It provides a false sense of security.

Cleartext? I thought it was https.

@g You’re right. I’d read several posts saying that it was transmitted unencrypted, but it’s https so it must be secure. Separately, there is the suggestion that the data should be hashed or encrypted so that it isn’t stored in cleartext on Path’s servers.
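As an added illustration of the hashing suggestion above and of the “matching” use that the apps discussed later on this page put address books to (example code, not Path’s or any app’s own; the address book and user table are constructed samples), the client uploads only digests of normalized identifiers and the server matches them against its own users:

```python
import hashlib
import re

# Constructed sample data (not from the page): one user's address book, the
# kind of data the apps discussed here upload, and the service's user table.
ADDRESS_BOOK = [
    {"name": "Alice Example", "phone": "(415) 555-0100", "email": "Alice@Example.com"},
    {"name": "Bob Example", "phone": "+44 20 7946 0958", "email": "bob@example.net"},
    {"name": "Carol Example", "phone": "415.555.0123", "email": ""},
]
REGISTERED = {  # user id -> identifiers the service already holds for its own users
    "user-17": {"phone": "+14155550100", "email": "alice@example.com"},
    "user-42": {"phone": "+14155550177", "email": "dave@example.org"},
}


def normalize_phone(raw, default_country="1"):
    """Reduce a number to '+' plus digits so client and server hash the same string."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+") or len(digits) > 10:
        return "+" + digits
    return "+" + default_country + digits if len(digits) == 10 else ""


def normalize_email(raw):
    return raw.strip().lower()


def blind(identifier):
    """Unsalted SHA-256; the client sends only these digests, never names or raw values."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def client_digests(address_book):
    """What the app uploads: a set of digests; names and raw contact data stay on the device."""
    digests = set()
    for entry in address_book:
        phone = normalize_phone(entry["phone"])
        if phone:
            digests.add(blind(phone))
        if entry["email"]:
            digests.add(blind(normalize_email(entry["email"])))
    return digests


def server_match(digests, registered=REGISTERED):
    """Server side: look up digests in an index of its own users and return the matches.

    The uploaded digests are not written anywhere; only the returned ids are used.
    """
    index = {blind(value): uid for uid, ids in registered.items() for value in ids.values()}
    return sorted({index[d] for d in digests if d in index})
```

Digests of phone numbers remain enumerable because the space of valid numbers is small, so this limits what the server retains rather than making the upload harmless; a server-held key or a private set intersection protocol is needed for stronger guarantees.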

@Chucky & Michael: That's indeed precisely what I meant when I sort of contracted two thoughts into one tweet — Apple removed (or are about to remove, in the Mac's case) useful functionality to make their devices seem safer. But it can't work, because the only system that's safe from Trojan horses is a system without features.

Let's indulge in a conspiracy theory for a minute: Suppose all the Path guys ever really wanted was to build a social graph based on address book data, which they could then sell to other companies. (Remember: The app is free, so you're the commodity.) Even if you think that Path should simply be denied from accessing the address book (which would diminish its functionality), they could still write an address book app that looks nicer than Apple's. Then they'd add server-based synchronization and _claim_ they store your data in such a way that they can't access it. And feel free to audit their online storage mechanism, because they can always change it later, much like Dave Morin ostensibly changed his stance on uploading address book data after that email exchange with Gawker in 2010.

No set of rules can free us from having to learn whom to trust. Apple will always have to trust developers to some extent, and users will have to trust both Apple and us developers.

Without trying to be facetious, I thought Apple prevented this sort of activity.

Have Whatsapp and Viber on iOS sent my address book to their servers? I did pay for Whatsapp. I almost tried Groupme too.

@CF This is why developers like me are so frustrated about the App Store. Apple hasn’t lied, but they’ve certainly created the impression among smart non-developers like Jason Kottke that users are giving up features and developers are giving up flexibility in return for Apple protecting against this sort of thing. But Apple doesn’t and can’t. So the end result is that power transfers from users and developers to Apple, which doesn’t actually deliver what you thought you were getting in exchange.

Your photos, clipboard, and calendar data are available to apps, too.

@Michael: I just saw you updated this post. Let me attempt to clarify on those dialog screenshots… (Brace yourselves, this is messy.)

The first dialog I linked to (originally posted by Mónica Ferro in response to a request for the new dialog's wording), was there prior to Path 2.0.6, according to David Attrache. If that's true, then this is obviously not the one we were looking for.

If you confirm that first dialog, however, you get a second dialog (yay!) in Path 2.0.6, which is more to the point, at least in Path's English localization (linked to by Ole Zorn). The Spanish localization (originally posted by David Attrache), on the other hand, doesn't mention uploading at all. The disparity between those localizations may be a sign of translation issues or legal considerations or what have you — regardless, this is most likely the new dialog Path talked about in their recent explanation. And its usefulness depends on your interface language.

Finally, none of those dialogs mention data storage. You may or may not consider the storing of your address book data an implication of having it sent to their servers, but there appears to be no information available about how they store it, for how long they store it, and who will have access to the data.

@Peter Thanks for that info. I don’t expect much more out of an alert, but are you saying they don’t have a privacy policy or suchlike posted on their Web site?

@Michael: No, I was talking about the dialog, and our expectations may indeed differ in this respect. The site does have a privacy policy at path.com/privacy. And that policy may be legally sufficient, but as a layman, I wouldn't have gathered they're taking my entire address book from reading it.

Anyway, if collecting address book data is covered, here are two intriguing possible loopholes:

"For example, we may use personal information we collect: […] for any other purpose for which the information was collected."

"For example, we share personal information as follows: […] in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition, or in any other situation where personal information may be disclosed or transferred as one of the business assets of us."

Again, as a layman, I can't help but think they could sell those address books to anyone, as long as they decide to think of them as company/business assets.

I'm quite stunned at this. I feel like I did years ago, when it was demonstrated that any site you visited could download your browse history. Except that this seems much worse. I skip through most (OK, all) EULAs, and honestly thought that the function of a walled garden was that applications that sent things like my address book online were weeded out.

e.g.
Steve Jobs at the D8 conference http://allthingsd.com/20100601/steve-jobs-session/

7:31 pm: A question about privacy. Is privacy looked at differently in Silicon Valley than in the rest of the world?
“We’ve always had a very different view of privacy than some of our colleagues in the Valley,” Jobs says. “We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal data and suck it up into the cloud. Privacy means people know what they’re signing up for. In plain English, and repeatedly, that’s what it means. Ask them. Ask them every time. Make them tell you to stop asking if they get tired of your asking them. Let them know precisely what you’re going to do with their data.”

I feel that the reasoning of “the service is free, how do you think it works?" which I've been reading about elsewhere, is very very thin. I understand that Web 2.0 sites collect visitor information, and require these to run, and may monetise that way. I think this is a step beyond that. I must be just old: I thought things like cookies and pixel images were all that was fair game.

In practical terms, how has this affected me? I was going to try pepperplate.com today—which is free, for recipe storage. Should I? Should I delete (as an example) Tiny Wings or Angry Birds from my iPhone on the off-chance that a recent update has given the developer a reason to harvest my Address Book details? I feel like I should apologise to my contacts in my Address Book—lawyers, accountants, friends and families—because my misunderstanding of iOS privacy standards led to their contact details being exposed and traded between startups.

The other things I am concerned about are,

1. Unless I am mistaken, most sites have focused on Path's recent apology. And, not that other applications exist now that can perform the same functions. Aside from the people linked to on this blog, I have seen a user comment on Macintouch at:
http://www.macintouch.com/readerReports/iphone_touchplatform/index.html#d08feb2012

> I'd like to think I am not easily appalled, but this issue did it no problem.

2. that the iOS App Store has been running for 3 years, and yet this is only coming to light now.

3. Is this common practice on the Macintosh (the desktop/laptop lines)? (App store apps or not)

4. Thanks for the headsup about clipboards, calendar and photos. Why not just take my email as well?

@CF Thanks for the D8 quote.

There actually was a kerfuffle a while back when the Wall Street Journal reported that Angry Birds was uploading address book data. I think it only did this after asking permission, though.

Mac apps have historically been very well behaved; I can’t recall a single instance of anything like this happening.
