All Your Contact Are Belong to Us
By Dana Tierney, Senior Editor
The mobile addressbook brouhaha just got bigger. Thirteen individuals filed a class action lawsuit in Texas against companies whose mobile applications accessed users' address books without permission. The plaintiffs seek $12,000 each in damages, and any profits the companies made from using the address book data.
You may not know it, but you could be part of it. If you currently have, or have ever had, Angry Birds, Beluga, Cut the Rope, Facebook, Foodspotting, Foursquare, Gowalla, Hipster, Linkedin, Instagram, Path, Twitter or Yelp! installed on a mobile device, then you are now a party to the litigation, unless and until you opt out.
Who are the companies being sued?
These are not obscure names. Beluga is a group messaging application that was just acquired by Facebook. Burbn has since become Instagram. The defendants Rovio and ZeptoLab created the popular games Angry Birds and Cut the Rope respectively. The check-in app Gowalla recently shut down its operation after a number of key employees were recruited by Facebook.
The plaintiffs allege negligence and invasion of privacy as well as fraud, violations of wiretapping law and theft under the Texas Theft Liability Act. They charge Apple with aiding and abetting. Google, Research in Motion and Amazon are not currently defendants, even though they, too, signed a February agreement with California District Attorney Kamala Harris to make privacy policies for the mobile applications sold through their websites available to users. (See my coverage of the agreement with District Attorney Harris.) Jeff Edwards, lead counsel for the plaintiffs, said more defendants may be added later.
A Prevalent Practice
The address book issue first arose when Singapore developer Arun Thampi blogged his discovery that the Path iPhone app uploaded users' address books to Path's servers without permission. Path cofounder David Morin replied in a comment on Thampi's blog post:
We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.
Morin added that using the address book to match friends was considered an industry best practice. The scathing, sarcastic replies to his comment wondered how this could not violate Apple's guidelines and terms of service. An angry Gawker post revealed that Morin had previously denied storing any data at all, and got even more sarcastic over his reply that the denial was true at the time he made it. Other comments on Thampi's blog noted that Morin is a veteran of Facebook, whose record on privacy is hardly sterling.
In a comment on Thampi's blog, and then in more detail on his own blog, developer Matt Gemmell showed that friend-matching features could just as easily use a hash of the contacts' email addresses that would not require uploading the address book.
A New York Times reporter blogging the original disclosure noted that lawyers were telling him that since his address book contained contact information for his sources, it was covered under First Amendment protections for journalists. The reporter added that contact information could be so sensitive that the State Department was promoting a "panic button"
app activists could use to erase all of a phone's contacts if they were arrested; in places like Egypt and Tunisia, state security has been known to use address books for arrests and roundups.
VentureBeat followed up with an article discussing the widespread prevalence of the "unspoken"
practice. Foodspotting, an app that allows users to share pictures of their meals, got caught in a particularly egregious bit of carelessness, uploading user's address books in plain text. A Foodspotting representative said they had not considered the information particularly sensitive since it did not include financial data, but promised to address this in the application's next release.
Ramifications
You might be wondering what the fuss is about. Who cares about mobile privacy? Highly sophisticated users routinely dismiss mobile privacy concerns and many of them are power users of Foursquare. Some of the presenters at recent hacker conferences like DEFCON said that you are certainly entitled to feel this way, but wondered why you don't just save everyone time and trouble and sign up directly at pleaserobme.com.
Apps like Google Latitude, that let you know when you and your friends are in the same part of town, assume that your friends are always overjoyed to see you. It's not hard to imagine scenarios where they might just want to be left alone. Maybe they're shopping for sex toys or attending an AA meeting. Ever think of that that, Latitude Googlers?
Forty people in my social media circles have recently mentioned syphilis, according to my personal results on Google. When I looked at the results, I saw that at least the first few were historic references and technology discussions. Even if those results were not of an omg-could-I-have-this nature, clearly the potential for over-disclosure is there. Not to mention the great incentive to avoid certain topics online, lest you show up in their search results. You can't count on people looking up what you actually said.
Sometimes the payment is not in cash. "You know how everything has seemed free for the past few years? It wasn't. It's just that no one told you that instead of using money, you were paying with your personal information,"
Joel Stein explained in a TIME article titled "
Everything About You Is Being Tracked: Get Over It
"
.
In 2011, Apple described as a bug a reported behavior in which its devices continued to store location information even after location data had been turned off. Yet it had filed a patent for a very similar capability, which, it claimed, allowed faster computation of users' location.
A California judge last year sided with the "who cares"
camp. The plaintiffs charged that Apple devices come with a Unique Device Identifier (UDID), which users can't block, alter, or delete; ad networks use this to track their information. The judge said the plaintiffs' case was poorly documented, but more to the point, he ruled, it failed to show any actual harm, or explain how Apple would still be liable even though the plaintiffs had clicked "Agree"
to its privacy policy.
But the disclosures keep coming. In December, a programmer noticed that Carrier IQ, an app installed on 140 million devices, recorded keystrokes, phone numbers, text messages and Internet searches. Supposedly it enhances user experience, but most users don't know it's installed. It's also very hard to remove. Doesn't it send a little shiver down your spine to hear that CIA chief David Petraeus recently expressed great interest in the "internet of things"
?
The geolocation data from devices their users voluntarily carry with them currently exists in a no-man's-land where the Fourth Amendment may not apply. The Supreme Court ruled in United States vs. Antoine Jones that "the attachment of a Global-Positioning-System (GPS) tracking device to an individual's vehicle, and subsequent use of that device to monitor the vehicle's movements on public streets, constitutes a search or seizure within the meaning of the Fourth Amendment."
How large is the Apple ecosphere?
Apple had sold more than 183 million iPhones and 55 million iPads by the end of 2011. According to the court filing, as of early 2011, mobile users downloaded 25 billion Apple apps, as opposed to ten billion Android apps.
However, it's unclear what this means for location data from your phone, which has become eerily accurate since it stopped relying on tower location and began using satellite GPS. This accuracy can be life-saving when used to originate 911 calls, and 2011 rule changes say that all providers must switch over to satellite GPS by 2019. When you consider the potential for abuse, however, that selfsame accuracy takes on Orwellian overtones.
Apple reportedly allows an application that has been granted access to the iPhone's geolocation capabilities to upload all photos on the device without further warning, an extrapolation the user may not have intended or want. Google's Android operating system allows applications to upload images from the device without asking permission at all. No applications currently use these shortcuts, but they exist. And they exist in an ecosystem where safeguards against misuse of device data appear to be inadequate.
Chris Hoofnagle, who runs the privacy program at the University of California Berkeley School of Law, thinks that if you don't care, you should. He showed an NPR reporter a LexisNexis database called Batch Trace built from information obtained from call centers and pizza delivery companies as well as from other data of unknown origin. He mused, "If consumers knew the extent to which this data was being collected and repackaged, there would be riots in streets."
Dana Tierney is the Senior Editor at House of Fusion, where she causes authors to cry over their once-thought perfect articles. They recover, and their articles are better for it. But still, the sound of grown men weeping...