Twitter Stealing Smartphone Contacts

In another blunder by a top social networking site, Twitter has confirmed that its iPhone app copies the entire address book from a user’s smartphone and stores the data on its servers, for up to 18 months, without the user’s permission. As with many privacy breaches, the “need” to take private, confidential data comes wrapped in innocence and convenience. In the case of Twitter it is the “Find Friends” feature. This feature, which uploads names, phone numbers and email addresses, is used to identify possible friends who also use Twitter. Twitter’s blatant privacy blunder has two parts. First, the app should notify the user that it will upload the entire contents of the user’s address book to Twitter’s servers. This is something that isn’t made clear by the app, but it might be written somewhere in tiny print in Twitter’s privacy policy. Secondly, the data should never, never be stored. Even if I do want Twitter to snoop around my address book to automatically find my friends, and even if I might let them upload my data to their servers to do this, I will never give my permission for this upload to remain on their servers for 18 months. This upload should be temporary and deleted as soon as the Find Friends search is complete.

What about other social networking sites?
The first time this problem was seen was not with Twitter but with Path, a social media service which provides a “simple way to keep a journal, or ‘Path’, of your life on the go.” Developer Arun Thampi was looking into the way the Path protocol worked when he noticed that his entire iPhone address book (including full names, emails and phone numbers) was being sent to Path. He blogged about his discovery, which in turn caused the CEO of Path, David Morin, to issue an apology: “We made a mistake. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts.” Path then issued a statement that it had deleted the entire collection of user-uploaded contact information from its servers.

This then caused privacy experts to start looking at other social networking sites including Facebook, Foursquare, Instagram, Foodspotting and Yelp. It turns out that they all send data from your smartphone’s internal address book to their servers. Several do so without first asking permission. Instagram and Foursquare now ask for permission, but only after the issues found at Path.

Apple and Congress

Apple run a very tight ship when it comes to their App Store, with apps taking days (even weeks) to be approved before being published. According to Apple’s guidelines: “Apps that read or write data outside its designated container area will be rejected” and “Apps cannot transmit data about a user without obtaining the user’s prior permission.” Unless you are Twitter, Facebook or Path, that is! This slip-up by Apple has led two US congressmen to write to Tim Cook, the CEO of Apple, asking why the company allows the practice on the iPhone. In the letter they ask if “this incident raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts.”

Back to Twitter

Path issued new versions of their app (for iPhone and Android), as have Instagram and Foursquare. It seems that Twitter will do the same:

“We want to be clear and transparent in our communications with users. Along those lines, in our next app updates, which are coming soon, we are updating the language associated with Find Friends – to be more explicit,” Twitter spokeswoman Carolyn Penner said to the BBC.
