
Stealing Your Address Book - maccman
http://dcurt.is/stealing-your-address-book
======
droithomme
We develop software for Windows and Macs. On the Mac the address book files
are certainly available to read, and also available through an API. We don't
read these files, we don't upload them, and we don't analyze them. We don't
touch them at all. We also don't touch anything else on our customer's system
that they wouldn't normally be expecting, and we don't send any information
back to our server without the user explicitly saying it's OK when it happens.

Here's one reason why we don't scan people's system for interesting private
files and secretly upload it for our economic benefit:

1\. It violates the user's trust, expectations and privacy.

Here's a second reason:

2\. It is a criminal act to do so.

I don't buy these discussions about how it is Apple's fault. It's not. It's
illegal to steal private data like this. The companies doing this should be
raided and shut down by the FBI immediately. All of them. Whether or not they
issued a tearful apology.

~~~
sambeau
It is definitely illegal in the UK (and Path is available in the UK).

<http://en.wikipedia.org/wiki/Data_Protection_Act_1998>

I naively thought that iOS Apps wouldn't do this, in part, because it _was_
illegal.

~~~
sambeau
Also, by deleting the data from the servers—are they not now destroying
evidence?

~~~
joering1
I voted you up because you're bringing up a great point. Didn't think this way,
but now going down this hm path :) If there will be any FCC or other inquiry, I
wonder if long-term this will help Path or not.

------
feralchimp
The biggest problem with all of this, and which I'm surprised no one else has
mentioned, is that my Address Book isn't principally "personal data about me,
which I wish to keep safe." It is "personal data about _other_ , often _more
important_ people, who have _entrusted me with the security of that data_ "!

If you pull my CEO's private contact info off my phone, or pull a high-level
contact from some company we've been privately looking to acquire, you best
pray that theft doesn't result in a leak of privileged business information.

~~~
apgwoz
> or pull a high-level contact from some company we've been privately looking
> to acquire, you best pray that theft doesn't result in a leak of privileged
> business information.

Right, because the presence of some contacts at company B immediately implies
"oh, we're going to acquire them."

What people really aren't mentioning is that people give out the information
likely stored in your address book to pretty much any service that even
_looks_ to be interesting based on a screencast, or even a splash page. Do you
read the terms of service and privacy policies of all random websites you sign
up for? Do the people whose contact information you are _protecting_ do so?

~~~
erikpukinskis
_people give out the information likely stored in your address book to pretty
much any service that even looks to be interesting_

You're missing a "some" in that sentence, and the difference between "all
people" and "some people" sort of renders your point moot.

------
polemic
It's interesting that one side effect of the Apple 'walled-garden' and the
perceived strictness of the app approval process has led to the idea that:

> _...this issue is a failure of Apple and a breach of trust by Apple, not by
> app developers._

That's a cop-out, of course. There is no lesser responsibility on the part of
an app developer to "do no evil" if you've simply bent your definition of evil
to "whatever Apple DOESN'T let me do to their users".

Let's look at this statement:

> _...there's a quiet understanding among many iOS app developers that it is
> acceptable to..._

That should be a big red flag to the writer. Quiet understandings have led to
all sorts of problems - certain financial collapses come to mind.

Ultimately, this _is_ something Apple needs to confront. Consistency is far
more important than any specific moral position - for users and app
developers. But that's not a get out of jail free card for the developer.

~~~
baddox
> _That's a cop-out, of course. There is no lesser responsibility on the part
> of an app developer to "do no evil" if you've simply bent your definition of
> evil to "whatever Apple DOESN'T let me do to their users"._

That's arguable. Privacy is all about "expectation of privacy," which means
there's really no predictable, testable methodology other than implementing a
feature and finding out if people are outraged. In fact, it's almost certainly
different for apps with different target audiences. Path probably gets a lot
of tech-savvy 20- and 30-something users who are outraged by address book
sharing, but the average Facebook user probably wouldn't care even if they
found out it was happening.

Obviously, this just means that developers should err on the side of openness
(e.g. in your privacy policy) and explicitness (e.g. popup dialog asking for
permission). But that's often only apparent in hindsight, since a developer
may never think that something could even be interpreted as a privacy issue,
since the developer knows he or she will never misuse the data or even use it
all in any personally-identifiable way.

Presumably, for better or for worse, many developers either consciously or
subconsciously trust Apple to have a pulse on the community of users when it
comes to privacy. It would be nice to be able to do so, but apparently that
can't be trusted. Of course, from the user's perspective, it means they can't
trust _any_ app to not be abusive (according to their own definition of
"abuse").

------
pclark
I find the whole thing really rather curious. I too am baffled as to why Apple
has allowed this functionality from day one. I am also surprised that there
has not been considerably more malicious usages of this data.

Apple clearly does not enforce guideline 17.1 strictly - but some
developers _are_ rejected for this. I can _imagine_ it being _possible_ (and I
have no idea) that Apple turns a blind eye to developers that break this rule
on the assumption they are doing it as a reputable company and doing it for
"clear" value to the end user. (e.g.: not just acquiring all your contacts
despite being a fart app.)

> _17.1: Apps cannot transmit data about a user without obtaining the user's
> prior permission and providing the user with access to information about how
> and where the data will be used._

Apple traditionally will happily leave functionality users or developers deem
critical out of iOS until it is done right - push notifications, geo-location,
background applications. It seems to make so much sense that "contacts" are
part of something that Apple would want to do right - after all - it _can_
create significant value for the user. (as discussed here:
[http://parislemon.com/post/11647475506/your-true-social-
netw...](http://parislemon.com/post/11647475506/your-true-social-network))

But that doesn't explain why they allowed it in the first place in its current
state. It's a really odd thing to simply offer developers on a whim (all their
SDK blurb says is "Your application can create new Address Book contacts and get
existing contact info.") Why can I import all of a user's contacts but it is
not possible to populate an iMessage with a recipient and content?

(I mean, Game Centre, the nearest thing to an Apple "social network" uses
contacts to find your friends but in a truly terrible - albeit more ethical -
manner. Which is both parts fascinating and infuriating as GameCentre is
mostly crippled by being incapable of _finding your friends_.)

At a guess: internally, Apple iOS development is under-resourced and they have
a todo list a mile long. This simply has not been a severe enough problem that
it has warranted being fixed _yet._

Whatever the reason, I hope it gets fixed.

~~~
Terretta
They didn't allow it from day one. GPS apps, for example, couldn't navigate to
contact addresses. VOIP couldn't use your numbers.

It was relaxed later. I don't recall exactly when, but I'm thinking around 3.2
or so. Before whatever update, you had to have silos of contacts. After it,
all apps could use your address book.

------
stevenou
It _is_ super curious why Apple decided to allow apps to access the Address
Book freely. I'm releasing an app on the App Store next week and I
_definitely_ thought about all the evil things I could do to my users because
Apple provides them no protection. And as a developer looking for success on
the App Store, it is _very_ tempting.

I once considered the possibility of uploading the entire address book to my
servers, too. In fact, I even considered email/sms spamming everyone in those
address books with "invitations" from the address book owner to download my
app. Of course, I did not end up doing any of that nefarious stuff. Not even
uploading the address book for innocent "Add Friends" features. But the fact
remains that given the freedom to do so, almost every developer will be, at
least, _tempted_ to take advantage of it. Most will.

I honestly don't think Path did anything wrong and I'm sure they kept the
information secure on their servers. It's Apple that somehow let this one slip
through.

~~~
eridius
Your stance seems to boil down to "if Apple doesn't catch you and reject your
app, then you've done nothing wrong", which seems preposterous.

~~~
stevenou
I think you misunderstand. I think Path did nothing wrong not because they
"weren't caught". I'm sure they keep their data secure and they only use it to
benefit the user's experience - ergo, nothing wrong. On the other hand, if
say, they spammed people's address books, then I would think they are in the
wrong. Or if they sold the data, then they are in the wrong. But as far as I
can tell, they did nothing bad.

Oh and by "let it slip through," I didn't mean the app itself, but the fact
that the SDK requires no authorization from the user for any app to access the
address book. Like the author of the article said, it requires it for
location. Why on earth doesn't it require it for your contacts? They're
arguably _much_ more valuable.

------
phuff
I think it's a bit conspiracy-theorist to say that companies do this because
they want to use everything they can get. The relatively easy privacy
maintaining alternative (hash address book contents and store the hash, and
check against hashes when people join) is simply not as obvious as simply
uploading what you get from the API.

Most app developers are just trying to get a job done as quickly as they can,
and in that hustle are choosing the path of least resistance, rather than
thinking, "I really want to exploit this data as much as possible and invade
as much privacy as possible."

~~~
eli
Totally agree. I'm actually surprised at how many people assume this was done
with malicious intent.

There are still plenty of sites storing plaintext passwords. I doubt there's a
data mining conspiracy there (although I bet you could make some interesting
guesses about people based on their password choice). It's just a poor design
that accomplishes its task in the simplest way possible.

~~~
Aqua_Geek
> I'm actually surprised at how many people assume this was done with
> malicious intent.

I don't care whether or not it was done with malicious intent. What bothers me
is that copies of my address book are floating around out there without my
permission.

------
WestCoastJustin
Am I missing something? I'm not an iPhone/iOS user so please forgive me. Does
iPhone/iOS not ask if you give permission for this App to view your Address
Book?

If not, then I can see why this might be Apple's fault for allowing developers
to abuse this.

If yes, then how can this possibly be Apple's fault? It seems almost absurd to
blame them. The buck stops with the end user for not protecting their Address
Book. If you allow some weather app to download your Address Book, why should
Apple care? You cannot trust every developer (turns out we are all data
hungry), and they even asked to peek in there too. You explicitly gave them
permission!

~~~
Macha
All iOS apps have every permission except location without asking.

~~~
ryanwaggoner
Here is a list of things that iOS apps can't access by default:

- location (only accessible via permissions dialog)
- existing photos and videos (only accessible via apple-provided picker dialog)
- reading email or SMS (never accessible)
- sending email or SMS (only accessible via apple-provided compose dialog)
- any data or settings for other apps (never accessible)
- push notifications (only allowed after permissions dialog)
- Safari history, cache, cookies, etc (never accessible)

In fact, the only thing apps can access without permission that's really
problematic are the contacts. And yes, I expect Apple will be closing this
very soon.

You could maybe argue that accessing the live camera and microphone feed are
an issue?

~~~
Timothee
_existing photos and videos (only accessible via apple-provided picker
dialog)_

Are you sure about that? I was under the impression that the Asset Library
framework
([https://developer.apple.com/library/ios/#documentation/Asset...](https://developer.apple.com/library/ios/#documentation/AssetsLibrary/Reference/AssetsLibraryFramework/_index.html#//apple_ref/doc/uid/TP40009730))
would allow one to build their own picker and thus access the existing photos
and videos. But I didn't go far enough into iOS yet to try it and see what it
really does…

That being said, I can't find an app that allows me to select multiple
pictures at once. (you'd think the Facebook app would let you do that) Which
is weird because I'm fairly certain that Picasa Web Albums allowed that at
some point. ([http://itunes.apple.com/us/app/web-albums-a-picasa-
photo/id3...](http://itunes.apple.com/us/app/web-albums-a-picasa-
photo/id344997890?mt=8)) I remember because I specifically bought the app to
upload a couple of folders at a time and I don't see myself choosing them one
by one… In any case, while the description implies it can, the current version
won't let me.

~~~
Terretta
If you use your own w/o the location permission, you don't get EXIF data, just
the bitmap.

FlickStacker supports batch select, as do many other uploaders or photo
vaults.

------
gojomo
Apple doesn't just _allow_ this; it seems they do it (for Twitter's benefit)
themselves, in the official iOS5 Twitter integration settings panel:

[http://cache.gizmodo.com/assets/images/4/2011/06/ios5twitter...](http://cache.gizmodo.com/assets/images/4/2011/06/ios5twitter2.jpg)

(It's possible they're scraping Twitter handles/photos in some way that
doesn't link the 'email addresses and phone numbers' to the requester's
Twitter handle... but almost any straightforward way of implementing this has
the de facto effect of informing Twitter of all your contacts' emails and
phone numbers.)

Everyone's at it.

------
zbowling
Apple avoids the Vista-like "ask for permission on access" design used by Android
by requiring you, as an app developer, to justify your needs to the app
reviewer. Not having an untrusted source of apps that can install on the
device, as is allowed on the iPhone, means Apple can, in theory, improve user
experience by not having as many of these dialogs bugging the user.

Apps, should just work.®

Constant permission prompts just train users into muscle memory to accept
these dialogs without thinking. Instead, Apple sees it as better to make
developers justify their needs for the APIs when they submit. Then Apple tests
the app and looks for anything fishy. In the end, they reserve the right to pull
them when they violate their terms.

The article is wrong in that the camera roll is secure. It's technically not.
Through the asset library API you can get at it. See docs here:
[https://developer.apple.com/library/ios/#documentation/Asset...](https://developer.apple.com/library/ios/#documentation/AssetsLibrary/Reference/ALAssetsLibrary_Class/Reference/Reference.html)

One of the issues Android had up until recently was that you couldn't update
all apps in one shot. The reason is that an app update may have required
permission changes from a previous version. You would have to acknowledge each
of these before installing the update. This was a crappy user experience and
it's still the current experience when you install 3rd party APKs and update
them.

The problem with these "list of permissions wanted" screens is that they don't
let the developers justify to the user why they need access to these different
features inline with the request. The users often see it at install or update.

There are often very simple reasons why I need access to data on the device on
Android in my app. I had people not install my app because I asked to send
SMSs (which tells the user I can charge them money that way) in my music app,
but it's only because I had a share button that is user invoked and clearly is
sending a text message to a user.

Sure, be clear with your intent with your users, but these permission models
don't always scale for the everyday users.

~~~
furyofantares
Your complaints can be addressed by waiting to ask for permission the first
time the app needs it, as opposed to a list of permissions to give at install
time, and making the 'yes' answer sticky as opposed to prompting constantly.

~~~
zbowling
They are not my "complaints". Popups cause muscle memory.

~~~
furyofantares
Constant popups cause muscle memory. Infrequent popups do not.

------
dredmorbius
Why can I not lock down my phone information and describe, at the device
level, what I'm willing to share? The present alternative (on Android) is to
allow/deny applications on a case-by-case basis. Fuck up once and I've let
slip data I don't want to share. Some apps cannot be deleted (on an unrooted,
phone -- only with difficulty on a rooted one).

Why can I not query each and every application vendor for all data held on me,
and either modify or correct this as I see fit?

I've enjoyed playing with my Android phone for the past while, but I'm
increasingly very unhappy carrying a persistent snitch in my pocket.

I'm waiting for the Pearl Harbor / 9/11 day for this stuff. It's going to
happen, it's a matter of when.

------
copenhagencoder
"I fully believe this issue is a failure of Apple and a breach of trust by
Apple, not by app developers."

So the companies that willfully ignore Apple's app rules and normal ethics are
in no way to blame?

------
enobrev
It's a lazy mistake. The tools are provided by way of a command or two on just
about any platform available to any programmer. Hashing information and
matching against said hash are problems that have been solved and simplified
in as many languages as asking for the bathroom.

It's easier to send the raw data. It's foolish to send the raw data. It's a
lazy mistake. We all know it happens. We all know WHY it happens. Stop fucking
with our data. Pay attention because sometimes you should not be quite so
lazy.

Path gets off easy because they're Path. I'm ok with that. But I would fire
your ass if you did this under my watch because I know for a fact that this is
a stupidly easy problem to resolve. Don't be so damned lazy when it matters.
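The hashed-matching alternative that phuff and enobrev both describe (upload hashes of the address book, match hashes when people join), worked through as an added example that is not code from Path, Apple or any commenter. The phone-number normalisation rule and all contact data are constructed for the example.

```python
"""Privacy-preserving contact matching: hash identifiers client-side, keep only
hashes server-side, match on join. Example code added here, not the page's own."""
import hashlib
import re
from collections import defaultdict


def normalize(identifier):
    """Canonicalise an email or phone number so that different spellings of the
    same contact ('(415) 555-0100', '+1 415 555 0100') hash identically."""
    s = identifier.strip().lower()
    if "@" in s:
        return s
    digits = re.sub(r"\D", "", s)
    if len(digits) == 10:  # assumption: 10-digit numbers are US/Canada national format
        digits = "1" + digits
    return "+" + digits


def hash_identifier(identifier):
    """SHA-256 of the normalised identifier: what the client uploads instead of the
    raw contact. Caveat: phone numbers have so few digits that anyone holding the
    hashes can recompute them over the whole number space, so this keeps raw
    contacts off the server but is not irreversible."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def hash_address_book(contacts):
    """contacts: list of (name, [identifiers]). Names never leave the device."""
    return {hash_identifier(ident) for _, idents in contacts for ident in idents}


class FriendFinder:
    """Server side. Stores only hashes, indexed two ways: which registered user
    owns an identifier, and which users' address books contain it."""

    def __init__(self):
        self.owner_of = {}             # hash -> registered user who owns it
        self.books = defaultdict(set)  # user -> hashes uploaded from their book

    def register(self, user, own_identifiers):
        # The server already knows the identifiers a user signed up with.
        for ident in own_identifiers:
            self.owner_of[hash_identifier(ident)] = user

    def upload_book(self, user, hashes):
        self.books[user] |= set(hashes)

    def friends_of(self, user):
        """Registered users whose identifier hashes appear in user's uploaded book."""
        found = {self.owner_of[h] for h in self.books[user] if h in self.owner_of}
        return sorted(found - {user})

    def who_has_me(self, user):
        """Existing users who had `user` in their book: the 'check when people join'."""
        mine = {h for h, owner in self.owner_of.items() if owner == user}
        return sorted(u for u, hs in self.books.items() if u != user and hs & mine)


def demo():
    # Constructed sample data: Alice uploads her book, Bob joins later.
    alice_book = [("Bob", ["bob@example.com", "+1 415 555 0100"]),
                  ("Carol", ["(415) 555-0199"])]
    server = FriendFinder()
    server.register("alice", ["alice@example.com"])
    server.upload_book("alice", hash_address_book(alice_book))
    server.register("bob", ["415-555-0100"])
    return server.friends_of("alice"), server.who_has_me("bob")


if __name__ == "__main__":
    print(demo())  # (['bob'], ['alice'])
```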

------
jacques_chester
It seems to me that all of these applications would be in trouble under
Australia's fairly strict privacy laws. In particular, you are allowed only to
collect details reasonably useful to your business and you must give a great
deal of notice that this is happening[1].

Persons wishing to bring this issue to Apple's attention might wish to engage
an Australian lawyer or bring the matter to the attention of the Attorney-
General's department.

I don't have an iPhone, so I'd have no standing. Fellow Australians, call your
lawyers and start raising a stink.

(IANAL, TINLA).

[1]
[http://www.privacy.gov.au/materials/types/infosheets/view/65...](http://www.privacy.gov.au/materials/types/infosheets/view/6583)

------
nantes
So, let's see if I can turn this into a positive ...

A while back I casually nuked my iPhone 3G back to factory to give to a
friend. I did so without realizing there were some contacts on there that
failed to backup to my Mac.

What are the odds some startup or other company out there has my contacts? Do
any of them offer personal data dumps? Sadly, these contacts never made it to
Google, where I can dump the data.

Just curious.

------
twsted
I think that it is important that at least 2 levels of access can be asked by
an app per resource (location, contacts, etc):

1\. Permission to access a resource just locally for the benefit of the user;

2\. Permission to transmit the data about a resource for social purposes.

------
creativityland
There are many legitimate uses, and I know I've downloaded many apps that
uploaded my phone book for backup purposes, syncing purposes and so on. Anything
can be abused if used wrongly, however; that's my philosophy.

------
geoffbp
I wouldn't really care if a company had access to my address book, different
if they were reading my memos or something though.

~~~
rkudeshi
I suspect your address book is just names and phone numbers?

I use my address book for everything. I have my contacts' names, phone
numbers, email addresses, addresses, IM usernames, birthdays, anniversaries,
websites, workplace and other info stored in mine (not to mention some
personal info jotted in the notes section).

Until today, I believed that information was secure. I had no idea an app
could upload all of that information to their server WITHOUT MY KNOWLEDGE,
much less consent.

Because of Google's approval process (or lack thereof), Android users have
always been paranoid of the apps they install and what permissions they give
them. As an iOS user, I never thought I had to worry about that because of
Apple's approval process.

Does it make a little more sense why some of us are furious about this now?

~~~
kisielk
Exactly. I was always under the (apparently totally mistaken) assumption that
Apple's approval process was there to catch exactly this kind of behaviour.
It's supposedly one of the reasons why an Android-style permissions system is
not necessary on iOS devices.

Recently it seems it's been coming to light that their curation process is not
nearly as thorough as they would have us believe.

------
four
Unacceptable. What craven view of ethics puts any concept of "user experience"
above treating others truthfully and respecting their privacy, property and
personal domain?

This is not a "mistake". Why would anyone want to have anything to do with
such people, much less be their customer?

This warrants punishment, not forgiveness.

------
becasse
tl;dr - What d'you mean stealing address books is wrong?! Everyone else is
doing it!

------
spwmoni
Not really related to the content of the article, but my pointer wandered over
some dot on the page. Suddenly it started animating, with the caption "DON'T
MOVE." So I didn't. Then it changed to a checkmark, with the caption "SENT."
What the hell did I just do?

~~~
kyro
You just sent your entire email list to his servers.

------
idspispopd
I'm curious why Apple allows this also, but making this an excuse to render a
blame and bash Apple article is misguided.

I say misguided because there are many ways that your personal information,
behaviours, interests and usage history can be fettered away from you, all
outside of Apple's control; this is a privacy and transparency issue.

Not only should there be some level of respect for the information you possess
(especially information you possess on others), but many countries already
have legislation that address these privacy concerns specifically.

This means that there are real legal consequences to this address book saga,
but contrary to the article's spin this is again not directed at Apple.

In short: Apple can do more to protect users, but shovelling them with the
full blame over apps that are deliberately designed to gather and produce
results from your contact information to provide is misguided.

~~~
eternalban
The people who built your house also "allow" thieves to break into your house
rather trivially. Would you hold them responsible in the event of a robbery?

~~~
yabai
I don't think this is exactly the case.

More like...the people who built your house and are guarding it allowed
thieves to break in.

I believe I might hold them responsible.

