Nation/World

Apple cracks down on apps sharing information on users' friends

Apple changed its App Store rules last week to limit how developers obtain, use and share information about iPhone owners' friends and other contacts.

The move cracks down on a years-long practice. Developers ask users for access to their phone contacts, then use the information for marketing and sometimes share or sell it without permission from others listed in those digital address books. On both Apple's iOS and Google's Android, the world's largest smartphone operating systems, the tactic is sometimes used to increase growth and make money.

Sharing friends' data without their consent is what got Facebook into so much trouble when one of its outside developers gave information on millions of people to political consultancy Cambridge Analytica. Apple has criticized the social network for that lapse and other missteps while announcing privacy updates to boost its reputation for safeguarding user data. The iPhone maker hasn't drawn as much attention to the recent change to its App Store rules, though.

As Apple's annual developer conference got underway on June 4, the Cupertino, California-based company made many new pronouncements onstage, including controls that limit tracking of web browsing. But the phone maker didn't publicly mention updated App Store Review Guidelines that now bar developers from making databases of address book information they gather from iPhone users. Sharing and selling that database with third parties is also now forbidden. And an app can't say a user's contact list is being used for one thing and then use it for something else unless the developer gets consent again. Anyone breaking the rules may be banned.

IPhone contact lists contain phone numbers, email addresses and profile photos of family, friends, colleagues and other acquaintances. When users install apps and then consent, developers get dozens of potential data points on users' friends. Developers have been able to use that trove of information beyond Apple's control.

Since the 2008 launch of the App Store, contact-list abuse surfaced occasionally. In 2012, Apple added a way for users to explicitly approve their contacts, photos, location information and other data being uploaded by developers. Some apps, including Uber and Facebook, let users remove contacts that have been uploaded. Even so, there's no mechanism to do that for all apps installed on an iPhone.

Aside from that, Apple's rules on contact lists have remained relatively consistent for a decade. Balancing user privacy with the developer needs has helped the company build a profitable app ecosystem. Apple said last week that developers have generated $100 billion since the App Store launched. The company typically takes 30 percent of app revenue and runs search ads in its App Store.

ADVERTISEMENT

"They have a huge ecosystem making money through the developer channels and these apps, and until the developers get better on privacy, Apple is complicit," said Domingo Guerra, president of Appthority, which advises governments and companies on mobile phone security. "When someone shares your info as part of their address book, you have no say in it, and you have no knowledge of it."

But Apple can't retrieve data that may have already been shared. After giving permission to a developer, iPhone users can go into their settings and turn off apps' contacts permissions. That turns off the data faucet but doesn't return information already gathered.

The Google app store works similarly. The company's help page about app permissions, under "Important," says: "If you remove permission for an app, this action won't delete the info the app already has. However, the app can't use new info or take actions from that point on."

The difference is that Google mostly keeps quiet about how it uses people's data for advertising, while Apple often talks about not collecting user information or building profiles. The iPhone maker also rolled out extra privacy controls to comply with a strict new European law announced this year and has fought U.S. government efforts to access user data on its devices.

One developer contacted Bloomberg News after Facebook's Cambridge Analytica scandal, expressing concern that Apple users may not understand what developers can see when they provide access to their contacts. The developer requested anonymity for fear of retribution from Apple or the developer's employer.

Once a user clicks OK, developers can download information the user keeps about everyone in their address book, which might include names, phone numbers, birth dates, and home and work addresses. If people attached a photo to their friends' profiles, the developers get that, too. The app-maker can also learn when a contact entry was created and edited, giving clues on the accuracy of the phone number, and whether this is a new or old acquaintance.

"The address book is the Wild West of data,'' the iOS developer said. "I am able to instantly transfer all the contacts info into some random server or upload it to Dropbox if I wanted to, the very moment a user says OK to giving contacts permission. Apple doesn't track it, nor do they know where it went.''

Another developer said it has seen only one app that collected user contact lists for dishonest purposes. And many uses for contact information are well understood. When downloading a game, the game-maker may ask for contacts permission to show you friends you can play the game with, or to build an easy way for you to text a friend about joining you on the app. Apps like Instagram and Snapchat ask for contact information to help users build social networks. It's not just Apple or Google: The Bloomberg News app, for example, asks for access to users' contact lists, and other web services access email address books.

The Federal Trade Commission warns consumers to be wary when apps ask for information unrelated to the app's purpose. Its website says any information collected by developers can be shared with third parties or used to build databases.

Contact information may not always be directly useful to a developer's app unless it has a social or chat component. But it could be sold to data brokers, who combine it with other information to help companies sell goods and services online. Sometimes it's a tool to market an app to other people with an endorsement from the person who downloaded it.

Last week, Apple banned apps from contacting people using information collected via a user's contacts or photos "except at the explicit initiative of that user on an individualized basis." Developers must also provide users with a clear description of how the message will appear to the recipient before sending it.

That type of bulk-texting has been the basis of viral growth for apps like the 2016 sensation Down To Lunch, which let people invite all their friends to lunch at the same time. It's also been a common tool in political campaigns, supported by companies like CallHub.

In early 2017, some iPhone users began getting texts from an app they'd never heard of before. "A friend added you on ChitChat," the messages said. "Tap here to get it."

ChitChat was built by Swipe Labs, a social product design studio using contact-list access to market its new messaging service to users' friends - in effect, digital cold-calling on steroids. People complained on Twitter, where venture capitalist Chris Sacca called it "the herpes of contact lists."

Marwan Roushdy, chief executive officer of Swipe Labs, apologized, calling the tactic a "half-baked growth feature."

"We had some issues with too many notifications being sent out," he said. A new version of the app that "throttles down notifications" was sent to Apple for review, Roushdy explained. Swipe Labs was later acquired by Uber Technologies.

In 2013, the FTC sued social-networking app Path over collecting address book information from iPhones and Android phones without user consent. Path settled and committed to not misleading users in the future. Apple CEO Tim Cook met with Path's CEO to chastise him for the practice, Bloomberg Businessweek reported at the time.

ADVERTISEMENT

Apple and Google have taken steps to improve app permissions. But when things go awry, regulators tend to put the onus on the apps, not the operating systems. In 2013, the FTC settled with a flashlight app on Android phones for collecting location information and selling it to advertising networks without consumers knowing.

Facebook has stressed that the practice of developers sharing users' friends' data was against its rules. The social-media giant banned the developer who shared this information with Cambridge Analytica. And it made the political consulting firm sign an agreement confirming it had deleted the data back in 2015. In March, the New York Times and other outlets reported the information hadn't been deleted. The episode started a new global discussion about privacy, with European and some U.S. lawmakers arguing consumers, not giant tech companies, should dictate where their data flows.

Users make their own profiles on the social network, but smartphone address books contain digital dossiers that are made by others, so there may be hundreds of versions of people's contact information that they have no control over. The same person might be "Dad" on one phone and "Craigslist Couch Guy" on another - and the woman who bought his couch years ago may still be inadvertently sharing his address via the game she plays on her iPhone every morning.

ADVERTISEMENT