Many iOS apps have been found to upload users' address book data silently. They've stopped, and after Congressional questions Apple is plugging the hole that allowed it.
It began last week when a blogger in Singapore discovered that the iOS photo-sharing application Path was, without asking permission, uploading the complete address books of users and storing the data on their servers. It sure sounds like personal, and personally identifiable, information -- all the names, phone numbers, and email addresses of everybody on your contact list.
A firestorm ensued on the Internet and in the tech press. Momentum in the backlash built when Path's CEO Dave Morin referred to the practice of uploading address books as an "industry best practice." What he meant was "common practice," but the sentiment poured kerosene on the firestorm. The next day, Morin issued an actual sincere apology and said that Path had deleted all of the user data from its servers and would ask permission in the future before grabbing address books.
It soon came out that many other iOS apps were doing the same or similar things. The companies identified included Facebook, Twitter, Instagram, Foursquare, Foodspotting, Yelp, and Gowalla. Not all of them failed to ask permission, and not all of them were storing the users' data; in all cases, the point of the uploading was to help the application locate the user's friends so they could be invited to the service. Still, users had no guarantees about what became of their data once it was exfiltrated from their systems.
Most, if not all, of the companies that had been uploading address book data in any form have now publicly backed away from the practice.
Attention next shifted to Apple, whose iOS operating system and App Store guidelines did not forbid the privacy violations in which many apps had been engaged. Two members of Congress sent a list of nine questions to Apple CEO Tim Cook. While working on a formal reply, Apple let it be known that it would be instituting changes that will require app developers to get user permission before touching anyone's address book.
Lessons for business
While Path-Gate has played out mainly in the B2C space, B2B businesses should not ignore the implications of the story as they develop their mobile strategies, whether for external or internal consumption. Mobile privacy is a hot-button issue for a large segment of the public, a bigger issue than privacy in general. There is something so personal about your smartphone. It is always with you, and it knows your location. You may spend a significant portion of your life on it and store the traces of it there.
And data such as an address book can literally be a life-and-death matter in certain contexts, as a New York Times piece points out: the State Department is supporting the development of a "panic button" application to erase smartphone contacts with one click in case the owner is arrested during a protest.
Mobile devices, paradoxically, embody extreme privacy sensitivity along with the temptation of uniquely useful data. Location, contacts, browsing history, camera, accelerometer, unique device ID -- these data would be massively useful in many business contexts. Advertising is only the beginning. Just make sure that, when crafting a mobile strategy, you keep your privacy antenna tuned beyond ultra-sensitive.