iPhone apps exposed for downloading users' data
Twitter admits copying addresses from smartphones

16 February 2012

Twitter app on Apple iPhone

App developers for iPhones have access to smartphone users' personal information, including emails, calendars, photos, contacts, notes, music and films, it has been revealed. And Twitter has admitted to copying data from users' address books.

For an app developer to access this information violates Apple's guidelines; however, Twitter is one of several 'social' apps that have admitted to copying entire address books from some smartphones to save on their servers.

It's unclear how widespread the practice of harvesting smartphone users' personal data is, but Apple has now been put under pressure in the US by Congress to improve its app developer policies to 'adequately protect consumer privacy'.

Why does Twitter store this information?

Twitter collects contact information when users choose the 'Find Friends' option, which allows users to connect with people in their address book who have Twitter accounts. But instead of immediately deleting this information once it's been used, the LA Times reports that Twitter stores this information on its servers for 18 months. While app users are informed that the app will 'Scan your contacts for people you already know on Twitter', there is no mention that this information will be kept by Twitter for a prolonged period of time. Twitter has announced it will update its privacy policy to be more explicit about this practice.

Rob Reid, Scientific Policy advisor at Which?, said: 'While there is no evidence that Twitter is using harvested data for anything other than finding contacts in the Twitter sphere, the fact that Twitter is gathering the data without the informed consent of users is shocking. It also poses the question: if a reputable developer with a brand presence to protect acts in this way, what might less-reputable or even fraudulent developers be doing? What's also a concern is that Apple isn't always aware of what approved applications are doing.'

Apple has issued a statement in response to this case, which first came to light when a developer detected that his address book had been copied by the social network app called Path. Apple said: 'Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.'

What can I do to protect my data?

App developers only have access to users' personal data when the application is open. An unopened application can't access personal details. In accordance with Apple's policies, app developers need to inform users when they are accessing data. In the case of Twitter the wording isn't very explicit, so users should be extra vigilant when accessing certain features within applications - especially those with a social or 'friend-finding' aspect.

Which? spoke to the Information Commissioner's Office (ICO), which offers independent advice on data protection. The ICO said: 'Any company that develops a third party app that involves the processing of personal information must ensure that they comply with relevant data protection legislation. For UK companies this means that they should meet their requirements under the UK Data Protection Act, for example by making sure they are open and up front with the user about how their personal data will be used and for what purpose. If an individual feels that an organisation has failed to comply with the DPA they can complain to the ICO.'
