Address Book security

Last April, I wrote about the UK Conservative Party’s election app. This app uses your iPhone’s address book to send personal details (and likely voting intentions) of your friends and contacts to the Conservative Party.

The subject of address book security has been in the news again recently. Two particular stories have caught my eye, both of which raise questions about how we value address book privacy in mobile apps and on the Internet.

Luluvise

The first story was an excellent Guardian article by Tom Scott, about the women-only social network Luluvise. Scott describes how Luluvise uses Facebook as its login system, including for a publicly-available section called WikiDate, on which women can rate men they have dated. This includes men they are friends with on Facebook.

As Scott notes:

Facebook’s privacy page has the innocuous statement: “People who can see your info can bring it with them when they use apps.” This means that when your friend signs into an application, they don’t just share their own data – they can share some of your data as well.

This is certainly the case with WikiDate, where a man’s name and location – pulled from the woman’s Facebook contacts – are made publicly available on the Internet. (When WikiDate first launched, it included not just the man’s name and location, but also his photograph, pulled from his Facebook account. The photograph feature has since been removed; the name and location remain.) Each man’s page encourages you to sign in to Luluvise to find out about his chivalry, ambition, and sexual prowess, as rated by the Luluvise member. (At no point is the man asked or made aware about their Facebook data being used in this way.)

How might you stop yourself appearing on WikiDate, or other services like it? Well, you could change your preferences in the Apps section of your Facebook privacy settings, and turn off the ability for friend’s apps to access your Bio, Birthday, Location, and so on. (Facebook tell you how to do so in their FAQs.)

However, even if you do this, you still can’t keep your gender, or your friends list, from being used by your friend’s Facebook apps. The only way to do so is to disable all Facebook apps, including those you use yourself:

If you don’t want apps and websites to access other categories of information (like your friend list, gender or info you’ve made public), you can turn off all Platform apps. But remember, you will not be able to use any games or apps yourself.

So the only way to stop friends from sharing your friends list and gender is to disable all apps – something which makes Facebook a far less useful tool for yourself.

Path

The second story I read was an article by Arun Thampi, who discovered that the iPhone app for personal social network Path was uploading his entire address book – including the full names, emails and phone numbers of his contacts – to Path’s servers. Although Thampu was not suggesting that Path uses information for nefarious means, it shows just how easy it is for an app – potentially one less scrupulous than Path – to obtain your address book data. (Following Thampi’s article, Path has changed its policy, deleted all stored data, and made address book access an opt-in process in their latest app update.)

Ownership

Path is not the only app accessing your address book. In fact, apps have been able to access your address book, without asking your permission, for as long as the App Store has existed. Apple provides a full API for developers to access (and even modify) the current user’s address book without permission.

It could certainly be argued that Apple were in part responsible for allowing Path and others to access your address book without asking for permission. Apple has subsequently said it will reverse this policy in an upcoming software update. However, I still don’t think this tackles the underlying problem, which Greg Kumparak sums up perfectly:

On Twitter, Greg Kumparak says: Address book uploading shouldn't be turned into a prompt; it just shouldn't be allowed, period. Your address book isn't your data to share.

(Thanks to Harry McCracken for retweeting Greg’s tweet and drawing it to my attention.)

Put simply, the data in your iOS Address Book is not your data. At the least, it may contain your contacts’ email addresses and phone numbers; if you’re diligent, it may also contain their home addresses, job titles, birthdays, and your personal notes about them. Unlike Facebook, however, the contacts in your address book have no way to stop you sharing their data – even if you do so unwittingly, as seen with Path. It’s not your data to share, and you shouldn’t have the opportunity to opt in to doing so.

2 thoughts on “Address Book security

  1. Where do you draw the line? Should you be allowed to uploaded your address book into Facebook? Should you be allowed to keep contact information on online services such as Gmail? Ultimately you are passing other people’s contact details to a 3rd party.

  2. I think the benefits outweigh the drawbacks, and it’s sensible to let the user decide what to share.

    I suppose Apple could provide first-class support for anonymised email addresses purely for ‘friend-finding’ applications; it might be a useful middle ground. But in general I think we lose too much with a blanket ban.

    Our mobile devices are supposed to be personal, and to me, this means that the social network of the user (Address Book and beyond) is absolutely something I want apps to be able to see and manipulate.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>