Liz Gannes


Following Path Address Book Uproar, Many Apps Clean Up Their Acts

At first, before apologizing and changing the way his app handles users’ personal phone contacts, Path CEO Dave Morin claimed that Path’s process was “currently the industry best practice.”

That was an overreach, but it’s certainly true that other social and local apps access user contact data, and not always transparently and securely.

Now app makers, including giants like Twitter and Yelp, say they are updating the way they ask for users’ permission to access their contacts.

Twitter told the Los Angeles Times that it plans to change the language in its “Find Friends” feature to “upload your contacts” for iPhone and “import your contacts” for Android. It currently says “scan your contacts,” which would seem to imply Twitter doesn’t store the data — which it does.

To be clear, Twitter does ask for users’ permission to look at their address books. What it does that might be more questionable is store that contact info for up to 18 months.

The main reason for apps to store phone contact information seems to be to connect users with friends who join the service at a later date.

However, many apps could do more to access and store this data in an encrypted and anonymized way, as multiple developers have pointed out. VentureBeat has a nice discussion of matching “hashes” of user contacts.

VentureBeat tracked Foodspotting's transmission of unencrypted address book data (image via VentureBeat)

Many developers and app users have also questioned why Apple doesn’t do more to police contact uploading. Update 1: Two U.S. congressmen are now asking Apple to explain the situation. Update 2: Apple has finally commented, saying it will require apps to ask for explicit permission in the future.

After tracking the apps, VentureBeat’s Jennifer Van Grove spoke with a group of companies that transmit user contacts about their processes.

Yelp, Foursquare and Instagram have all updated the latest or upcoming versions of their apps with additional permission prompts around asking for users’ phone contacts. The app makers all said they transmit data securely and don’t store it, but they wanted to be more transparent, in light of what happened with Path.

Other apps are changing more than just a warning message. Foodspotting was transmitting user data over an unencrypted HTTP connection in plain text, as VentureBeat found by using a traffic-monitoring tool. Foodspotting said it would stop doing that in its next app update.

Another social sharing app called Hipster admitted last week that it was automatically uploading users’ phone contacts without asking for their permission, though Hipster said it didn’t store the info.

(Image courtesy of Flickr user ucumari.)

