{"id":4254,"date":"2012-02-08T15:26:52","date_gmt":"2012-02-08T20:26:52","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=4254"},"modified":"2020-03-05T09:01:57","modified_gmt":"2020-03-05T14:01:57","slug":"path-uploads-your-entire-iphone-address-book-to-its-servers","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2012\/02\/08\/path-uploads-your-entire-iphone-address-book-to-its-servers\/","title":{"rendered":"Path Uploads Your Entire iPhone Address Book to Its Servers"},"content":{"rendered":"

In 2010, I wrote<\/a>:<\/p>\n

I don’t understand why iOS makes such a big deal about permission to access location data, when any random app, even one that shouldn’t need network access at all, can access my address book, photos, and clipboard and upload them to who-knows-where.<\/p><\/blockquote>\n

Yesterday, Arun Thampi<\/a> wrote:<\/p>\n

Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path<\/strong>. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.<\/p>\n<\/blockquote>\n

John Gruber<\/a> notes that the response from Path<\/a> is not very satisfying. Is this really<\/a> “currently the industry best practice”? See, for example, these questions from Matt Gemmell<\/a>. There’s no automated way to get them to delete your data. Rule 17.1 of the App Store Review Guidelines seems to prohibit this sort of behavior without the user’s consent, yet Path<\/a> has been in the curated App Store for over a year and Apple doesn’t seem to have noticed that it’s sending this information back to the server in cleartext<\/strike>. Now that the news has broken, Apple has neither pulled the app nor approved the update that asks users to opt in. As Peter Maurer<\/a> says, “No technology will ever protect us from Trojan horses. Rules that destroy functionality are mere security theater.”<\/p>\n

Update (2012-02-08): The official response from Path<\/a>:<\/p>\n

We are deeply sorry if you were uncomfortable with how our application used your phone contacts.<\/p><\/blockquote>\n

That could have been phrased better. Also, Gawker<\/a> quotes Path CEO Dave Morin, in November 2010:<\/p>\n

Path does not retain or store any of your information in any way.<\/p><\/blockquote>\n

Good thing they will “continue to be transparent.”<\/p>\n

Also, in 2010, Dave Winer<\/a> noticed that something wasn’t right, but he’d forgotten about it until now<\/a>.<\/p>\n

Update (2012-02-09): Gawker<\/a>:<\/p>\n

The official version from Morin is that the statement was technically accurate, at the time he made it. He just changed his mind.<\/p><\/blockquote>\n

Peter Maurer<\/a> links to this screenshot of Path’s new opt-in alert<\/a>, noting<\/a> that it isn’t very transparent. It just asks whether you want to invite your friends, without explaining what this entails for your personal data. However, Ole Zorn links to this screenshot<\/a> in which the alert actually says “Path needs to send contacts to our server.”<\/p>\n

Brent Simmons<\/a> on Dustin Curtis’s<\/a> “quiet understanding” that it’s OK to do this with people’s address books:<\/p>\n

I know a ton of developers, and I’ve never, ever heard this.<\/p><\/blockquote>\n

Update (2012-02-10): In the comments, CF<\/a> quotes Steve Jobs at D8:<\/p>\n

We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal data and suck it up into the cloud. Privacy means people know what they’re signing up for.<\/p><\/blockquote>\n

Update (2012-02-15): Dave Copeland<\/a>:<\/p>\n

But Twitter, as reported by the Los Angeles Times<\/a>, seems to be the biggest name to make a revelation so far. The company told the newspaper it is making changes to make the policy clearer to users of its app. The current policy does not clearly state that Twitter downloads the entire address book of users who use the “Find Friends” feature on the app, including names, email addresses and phone numbers, and stores the data on its servers for 18 months. <\/p><\/blockquote>\n

Venture Beat<\/a> (via Jason Kottke<\/a>):<\/p>\n

Facebook, Twitter, Foursquare, Instagram Foodspotting, Yelp, and Gowalla all upload either your contacts’ phone numbers or email addresses to their servers for matching purposes. Some of these applications perform this action without first requesting permission or informing you how they long they plan to store this data. Foodspotting is the worst of the bunch, as it appears to transmit your data over an unencrypted HTTP connection (in plain text), making it even easier for mischievous parties to intercept.<\/p><\/blockquote>\n

John Paczkowski<\/a>:<\/p>\n

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple spokesman Tom Neumayr told AllThingsD. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”<\/p><\/blockquote>\n

Not mentioned: (1) the other types of personal data that apps can access without permission, and (2) the difference between letting the app access your address book and letting the app transmit it.<\/p>","protected":false},"excerpt":{"rendered":"

In 2010, I wrote: I don’t understand why iOS makes such a big deal about permission to access location data, when any random app, even one that shouldn’t need network access at all, can access my address book, photos, and clipboard and upload them to who-knows-where. Yesterday, Arun Thampi wrote: Upon inspecting closer, I noticed […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2020-03-05T14:02:01Z","apple_news_api_id":"4660a044-0002-4a16-acc4-156b93d86b5b","apple_news_api_modified_at":"2020-03-05T14:02:01Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/ARmCgRAACShasxBVrk9hrWw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[91,1930,31],"class_list":["post-4254","post","type-post","status-publish","format-standard","hentry","category-technology","tag-appstore","tag-app-store-review-guidelines","tag-ios"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/4254","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=4254"}],"version-history":[{"count":35,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/4254\/revisions"}],"predecessor-version":[{"id":4326,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/4254\/revisions\/4326"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=4254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=4254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=4254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}