Apple says it won't let apps steal your address book anymore
Apps are displayed on an Apple iPad.
A big part of Apple's enormous strength comes from the apps built for iPhones, iPads and iPod Touch devices. Hundreds of thousands of apps, built by all kinds of companies, have created a sizable new economy in which users get to do all kinds of amazing things with their gadgets. You can play a game, stay in touch, plan a vacation and even have your address book stolen.
Wait, what now? You heard me. The Twitter app for Apple devices has a little feature that lets you find out which of your friends are also on Twitter. To do that, the app looks through your address book, but rather than leaving the information on your device, it uploads the data to Twitter's servers, where it remains for 18 months. Twitter says it will be more transparent about this practice in the future. Last week we talked about the social network Path doing something similar with address books.
On Wednesday, Apple announced that it will change its policy on apps and will require app developers to get user permission before grabbing data off the device. Apple also told the tech news site All Things D that the rules set forth for app developers already forbid the purloining of data; you just have to look deep into the legalese of the agreement to find such language.
But why is it happening in the first place? Why does some app developer want my information about how to get hold of my friends? "These firms think they can somehow extract value out of this data at some point," says security and privacy researcher Chris Soghoian. "Many offer products to consumers for free -- under a 'freemium' business model. They think that if they get enough data, at some point, they'll figure out how to squeeze a few pennies or dollars out of it. They don't really know how to make money with it yet, so the assumption is let's get as much as we can and we'll figure it out later."
All right, so the data is sitting there on the servers of some app developer somewhere. But if it's been grabbed once, can it not be grabbed again? "Companies get hacked all the time," says Soghoian. "In fact, Twitter is under order with the FTC for the next 20 years because it violated consumers' privacy and didn't adequately protect their data in the past. The company was caught using default passwords and other lax forms of security. So it's not unheard of for big companies to poorly protect user data, and these contact lists are just a goldmine of information waiting for hackers or law enforcement officials or divorce lawyers."
When everyone is rushing around trying to get hold of your electronic address book, you begin to realize, hey, there might be something of value in this thing. Sure, to you it's just a way of getting in touch with people. To others, it's data mining: valuable information for figuring out what people want to buy so one could sell it to them. David Campbell of the security company Electric Alchemy thinks this might have a beneficial effect down the road. "Essentially, end users are going to start to be compensated for sharing their personal information," he says. "It might not be financial compensation, you might get service, you might get premium level service, but the idea here is that you'll have the opportunity to make an informed decision about whether or not you want to share your data and receive some sort of compensation for making a decision to share. And until you start receiving that compensation, more companies will get called out for improper collection of people's personal data."
So there you have it. Instead of having your data taken, you'd have the opportunity to rent it out.
Also in this program, the U.S. Senate has introduced a cybersecurity bill aimed at protecting computer networks in the United States from attack. It's a move that President Obama has been requesting for some time, but he's unlikely to ever sign this particular piece of legislation. That's because a lot of people in Washington hate it, arguing it goes too far in regulating business or not far enough. I asked Alan Paller of the SANS Institute, a critic of this bill, what would happen if no bill were passed at all. "Brace for impact," he says. "This is just the discussion about whether we act before a major outage or after one. So the way the first big cyber attack comes will look like a power outage in the Northeast. It will have an impact on a lot of people. Then after that everyone will say, 'Wait! Why didn't you act?!'"
Even though such a major catastrophic event hasn't occurred before, Paller thinks it's more likely than ever. "The number of people who have skills is going up fast. The Anonymous group has some of the more skilled cybersecurity people right now. And if they get really angry, or groups like them get really angry, the techniques that are available, because we don't have defenses in place, are the same ones that could be used by nation-states. The reason it's getting more imminent is that there are more groups with more interests with the capabilities to do damaging attacks."