Congress grills iOS devs following Path privacy backlash

In the latest aftershock from the Path affair, and the massive can of privacy worms it cracked open, a pair of US congressmen have written to a number of iOS developers and key figures posing a series of questions around how they implement and manage user privacy.

The Path case, where the app makers were accused of uploading users’ address books without their knowledge, sparked a wider inquiry into the gathering and use of personal information by apps.

Following the furore, house representatives Henry Waxman and G.K. Butterfield asked Apple CEO Tim Cook to provide information on whether ‘Apple’s iOS developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts’.

They are yet to have all their questions answered, however. And, unsatisfied with Cook’s initial written response, have requested that Apple send a representative to appear before the Energy and Commerce Committee in person.  

In this further widening of the inquiry, letters have been sent to Apple and 32 companies that publish social apps on the App Store, including Twitter, Facebook and LinkedIn, and a number of developers including the guys behind Path, Instagram and Foodspotting. Posting the letters publicly online yesterday, the committee wrote:

“Following recent reports that apps could collect address book information and photos without notice and consent from users of Apple’s mobile devices, the members are seeking to better understand what, if any, information these particular apps gather, what they do with it, and what notice they provide to app users.  The members want the information to begin building a fact-based understanding of the privacy and security practices in the app marketplace.”

There’s no indication that any of these organisations in particular are accused or even implicated in any wrongdoing. They were simply selected for the inquiry based on their inclusion in the “Social Networking” subcategory within the “iPhone Essentials” area of Apple’s App Store.

The letters, which can be viewed in full here, include the following questions. The recipients have until 12 April to respond, and assuming the committee intends to publish its findings, some of the answers could make very interesting reading.

  • (1) Through the end of February 2012, how many times was your iOS app downloaded from Apple‘s App Store?
  • (2) Did you have a privacy policy in place for your iOS app at the end of February 2012? lf so, please tell us when your iOS app was first made available in Apple‘s App Store and when you first had a privacy policy in place. In addition, please describe how that policy is made available to your app users and please provide a copy of the most recent policy.
  • (3) Has your iOS app at any time transmitted information from or about a user’s address book? If so, which fields? Also, please describe all measures taken to protect or secure that information during transmission and the periods o f time during which those measures were in effect.
  • (4) Have you at any time stored information from or about a user’s address book? If so, which field? Also, please describe all measures taken to protect or secure that information during storage and the periods of time during which those measures were in effect.
  • (5) At any time, has your iOS app transmitted or have you stored any other information from or about a user’s device – including. but not limited to, the user’s phone number, email account information, calendar, photo gallery. WiFi connection log, the Unique Device Identifier (U DID), a Media Access Control (MAC) address, or any other identifier unique to a specific device?
  • (6) To the extent you store any address book information or any of the information in question 5, please describe all purposes for which you store or use that information, the length of time for which you keep it, and your policies regarding sharing or that information.
  • (7) To the extent you transmit or store any address book information or any of the information in question 5, please describe all notices delivered to users on the mobile de vice screen about your collection and use practices both prior to and after February 8, 20 12.
  • (8) The iOS Developer Program License Agreement detailing the obligations and responsibilities of app developers reportedly states that a developer and its applications — may not collect user or device data without prior user consent, and then only to provide a service or function that is directly relevant to the use of the Application, or to serve advertising.” (a) Please describe all data available from Apple mobile devices that you understand to be user data requiring prior consent from the user to be collected. (b) Please describe all data available from Apple mobile devices that you understand to be device data requiring prior consent from the user to be collected. (c) Please describe all services or functions for which user or device data is directly relevant to the use of your application.
  • (9) Please list all industry self-regulatory organizations to which you belong.
Related Stories

Leave a comment

Alternatively

This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.