Smartphone apps dial up privacy worries

A new furor has erupted over digital privacy concerns following disclosures that Twitter Inc. and other social networking companies are reaching into people’s smartphones and retrieving their personal contact information without getting explicit permission.

Twitter acknowledged this week that anyone who used its “Find Friends” feature on iPhones and Android phones was also sending every phone number and email address in his or her address book to the company, something that was not made clear to users.

The San Francisco company said it would clarify that policy, but its actions triggered fresh concerns from privacy advocates and lawmakers over what they said was an unconscionable intrusion into personal information.


“People care about their privacy, and they should be told when their information is being collected and given some choice in the matter,” Rep. Henry A. Waxman (D-Beverly Hills) said in an interview Wednesday.

The latest privacy concerns emerged as online services dig deeper into users’ habits, including where they go, which websites they visit and what they read and watch online. Analysts say these firms are now building large databases of personal contact information that can help them expand the reach of their services — and eventually leverage that private information into advertising dollars.

The mining of personal contacts lists came to light last week after an iPhone developer in Singapore discovered that an iPhone app called Path was downloading iPhone users’ entire address book without alerting them. After the developer, Arun Thampi, posted his finding on his blog, Path quickly issued an apology and said it would stop the practice.

In the wake of Path’s apology, other popular social media app companies acknowledged that they too retrieved users’ address books. Social networking services Twitter, FourSquare, Instagram and FoodSpotting all said they would update their services soon to make the process clearer to users.

Twitter said Wednesday that it plans to update its apps to clarify that user contacts are being transmitted and stored.

“We want to be clear and transparent in our communications with users,” Twitter spokesperson Carolyn Penner wrote in an email to The Times.

The company declined to say whether it would reach out directly to existing users to alert them that the company may have downloaded their address books.

Though Waxman cited Twitter and other social networking services, he directed his concerns to Apple Inc., which approves all applications that are used on its iPhones. Apple has said it forbids apps from gathering personal information without permission.

In a letter to Apple, Waxman and Rep. G.K. Butterfield (D-N.C.), ranking members of the House Energy and Commerce Committee, asked Apple if its “policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts.”

Apple acknowledged that apps that gather address book information without permission are “in violation of our guidelines,” and said that in a future software release it would require apps to get users’ permission before they accessed contact data.

But some privacy researchers said Apple has long exercised rigorous control over the apps it makes available to its iPhone users and was unlikely to have been ignorant of the practice.

Apple has “basically left the barn open, and people are surprised that companies have run into the barn and stolen everything,” said Chris Soghoian, a privacy researcher and former technologist at the Federal Trade Commission’s division of privacy and identity protection.

Indeed, Path creator Dave Morin, while agreeing to provide better disclosure, responded to criticism by saying that collecting user address book data was an “industry best practice.”

The tapping of contact lists is just the latest controversy to ensnare social networking companies and smartphone makers.

Last April, researchers discovered that the iPhone kept a detailed log of its precise whereabouts, storing up to a year’s worth of user location data. Saying bugs were causing the device to store too much information, Apple modified the software to store only a week’s worth of locations, which it said helped the phone find local cellular towers more easily.

And in December, an amateur security analyst discovered that a little-known company called Carrier IQ Inc. had the ability to log huge amounts of data from smartphones of AT&T, T-Mobile and Sprint users, including every key they pressed and the content of text messages. The company said that although that data was technically available to it, it did not use it.

Privacy analysts say the value of user behavior data is difficult for technology companies to ignore, and in the absence of clearly drawn laws protecting users’ data privacy, firms often err on the side of collecting as much information as they can.

“App developers are like, this data is there; I’m going to use it until someone tells me otherwise,” said Ashkan Soltani, an independent privacy analyst. “People are going to continue to push the boundaries, especially as long as these boundaries are blurry.”