The potential data privacy concerns associated with mobile applications were brought to the attention of members of Congress and consumers last month after reports emerged suggesting that a number of popular programs could be harvesting sensitive information without user consent. The controversy has heated up considerably this week after 18 companies – including Facebook, Apple, Twitter and Yelp – were named in a class-action lawsuit charging them with secretly gathering data from smartphone address books.
In early February, computer programmer Arun Thampi brought to light an interesting observation on his personal blog. While tinkering with the application programming interface (API) for Path, a mobile photo-sharing utility, he noticed that a request had sent the full contents of his iPhone's address book to Path's servers. At no point was he prompted with a notification asking for permission to do so.
After Thampi's revelations circulated through the information security community, Path co-founder Dave Morin eventually confirmed the suspicions. In a public apology, Morin acknowledged his company's transgression, pledged to purge all address book data still held on servers and quickly issued an updated version of the application with a greater emphasis on transparent data handling.
A deeper analysis of the situation later revealed that Path's data collection mechanism had actually become standard practice among mobile app developers, unbeknownst to the general public. As consumer frustration grew, lawmakers soon intervened, with U.S. Representatives Henry Waxman and G.K. Butterfield eventually writing to Apple chief executive Tim Cook to demand a briefing on the details of his company's application regulation protocol.
"Claims have been made that 'there's a quiet understanding among iOS app developers that it is acceptable to send a user's entire address book, without their permission, to remote servers and then store it for future reference,'" the legislators asserted. "The fact that the previous version of Path was able to gain approval for distribution through the Apple iTunes Store, despite taking the contents of users' address books without their permission, suggests that there could be some truth to these claims."
Apple was quick to comply with the request, submitting an explanation of the detailed vetting process in place to keep malicious programs out of the App Store. After reviewing Cook's letter, Waxman and Butterfield expressed their displeasure in an additional request delivered earlier this week.
The congressmen suggested that the March 2 reply from Apple did not address a number of fundamental questions raised and reminded Cook that new mobile security concerns regarding online tracking have come to light in the interim. To avoid any future misunderstanding, Waxman and Butterfield have requested a delegate from the company appear before the Energy and Commerce Committee to discuss the issues at hand.
If congressional pressure were not enough, Apple now finds itself joining 17 other companies on the list of defendants in a class-action lawsuit.
"[Smartphone address books] include contact names, phone number, physical and email addresses, job titles, birthdays and other similar personal information amassed over the owners' lifetimes, are some of the most personal data that owners carry on their wireless mobile devices," the plaintiffs stated. "The defendants – several of the world's largest and most influential technology and social networking companies – have unfortunately made, distributed and sold mobile software applications that, once installed on a wireless mobile device, surreptitiously harvest, upload and illegally steal the owner's address book data without the owner's knowledge or consent."
The plaintiffs are seeking a permanent injunction against such data collection practices and are asking for the secure destruction of all personally identifiable information gathered by mobile application vendors to date.
Security News from SimplySecurity.com by Trend Micro