Yesterday afternoon Tapbot‘s Paul Hadad began posting an interesting data set to his Twitter feed in the wake of the discovery that the Path app was uploading personal data to their servers without disclosing that they were doing so. What Hadad did was look at other applications to see whether or not they were also sharing your personal information. With each new post it became increasingly clear that there were many iOS apps sending personal data to remote servers, some with your permission, many others without it.
There is an excellent article at The Next Web by Matthew Panzarino called Why and How iOS Apps Are Grabbing Your Data that looks in detail at Hadad’s data and at what is going on with some iOS apps.
What I find interesting about this article is not only the fact that some apps are uploading personal data without your permission, but that of the apps that do ask for your permission, most are sending tons more data than you might expect. According to Panzarino the apps that do ask for permission:
…send copious amounts of data including email addresses, first and last names and phone numbers. Path appears to be sending the most information out of the apps that were tested.
Path (Pretty much everything including mailing addresses, after warning)
Instagram (Email, Phone Numbers, First, Last , after warning)
Facebook (Email, Phone Numbers, First, Last, after warning)
Twitter for iOS (Email, Phone Numbers, after warning)
Voxer (Email, First, Last, Phone numbers, after warning)
There are several things that bother me about this, but a couple that I’ll make note of:
1.) It is clear that some of these companies are in the business of selling your personal information in order to make a profit. (Yes, I’m looking at you Facebook.) While I find it reasonable to capture my personal information if I say it’s OK for you to do so, you have no business capturing the names, addresses, phone numbers, etc. of all the people I know. If you are capturing that information it is imperative that you let me know exactly what you’re capturing and why. And, I think, that data sharing should be used for no purpose other than what say you plan to use it for. Find My Friends? Fine. Collect and sell my friends? Sorry, but no.
2.) What is worse, I think, is how often the non-tech savvy are inclined to offer full access to their data without actually knowing what it is that they are giving up. I think here of my father, my mother, my wife, my children, and the vast majority of my friends. Apple, has a very strict personal data policy for data they collect on their customers, but it is not always clear what the policies of other companies are. In fact, many of these companies may profit, in some fashion, from having access to your data. Most probably don’t think about what it is that they are giving up or how much information they are divulging with the simple click of a button.
In the above noted article Hadad states that he thinks:
…it’s Apple’s responsibility to change their API to make access to Address Book something that must be explicitly allowed by each user. I think its a developer’s responsibility to clearly lay out exactly what data is being sent and for what reasons.
It’s also the responsibility of the developer not to play on the naiveté of their users.
Don’t take more than you should.
Don’t take more than you ought.
And in all things do no harm.