Apple promises contact consent, but what about time limits?

Do we still put too much blind faith in big tech companies to do right by our personal information?

That’s one fundamental question raised by the recent revelations that many popular online services and mobile apps have been storing personal address books on their servers without users knowing what was going on.

It started with the controversy over the Path journal service. That was followed by reports that other major web brands, including Twitter, are engaged in similar practices — storing contact information for extended periods after using the data to help us find our friends on their services.

Today the House Committee on Energy and Commerce sent a letter to Apple CEO Tim Cook (PDF), asking for answers to a series of questions about the issue.

Apple responded to the dustup today by promising to crack down on the practice.

Apple spokesman Tom Neumayr told AllThingsD: “Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

Asking for permission is important, but consent is only part of the picture. A natural next step would be getting companies to actively disclose and limit the amount of time they store the data.

Eighteen months, just as an example, seems much longer than necessary.

  • http://www.christopherbudd.com Christopher Budd

    True, Apple should have “locked” the door here, that’s bad design on their part. But ultimately the app makers bear the responsibility for wrongdoing here. Just because the app makers could do that, doesn’t mean that they should.

    As regards privacy the two cardinal rules are: notification and consent. You either obtain consent for user’s data, or you notify clearly that using your app gives access to that data. And as you noted, Todd, clear disclosure of what you’re doing with the data is key behind both of those.
    Clearly neither happened here in these apps. There was no notification or consent. They just took the data and kept quiet about it.

    Taking a step back, what this tells me is that most likely none of these app makers have a mature privacy review process to act as a check to balance the business groups’ drive for revenue. By contrast, something like this most likely wouldn’t have happened at Microsoft, because every product goes through a privacy review, and the lack of notice or consent would have been flagged as needing a remedy before the product could ship.

    We can’t know for certain, but this feels like an instance of what I meant when I said (http://bit.ly/yezsLY) that the Microsoft TwC memo gave security and privacy a needed centrality in the development process and that all major companies need to do what Gates did 10 years ago. It doesn’t feel like those app companies have security and privacy enshrined as core principles and they need it.

    One interesting footnote, as part of their “get right” actions, Path promised to delete all the data that they obtained inappropriately. Good for them for that. They did the right thing there and deserve credit.