Congressmen Asking iOS App Developers About Privacy Policies

Following a letter sent to Apple requesting information on the Cupertino-based company’s data collection guidelines for developers, Congressional Representatives Henry A. Waxman (D-CA) and G.K. Butterfield (D-NC) have sent out letters to 34 different app developers, asking several questions about how the developers collect user information and what they do with it.

Letters were sent to developers of apps in Apple’s “iPhone Essentials” Social Networking category, including Twitter, Tweetbot, Path, Instagram, LinkedIn, SoundCloud, Foursquare, Turntable.fm and Facebook.

Path, listed above, is the company responsible for the initial inquest after it was found that Path downloaded its users’ entire address books without permission. When the public became aware of the situation, the congressmen became concerned that Apple’s developer policies and practices weren’t adequately protecting consumer privacy.

Apple has said that applications that collect and transmit personal information without asking permission are in violation of its developer guidelines, and it has vowed to instate a policy (in a future update) requiring explicit user approval before any app can access contact data.

The information request asks developers to reveal the number of times an app was downloaded, any privacy policies that are in place, and whether or not an app has accessed and stored address book information.

Here’s the full text of the letters the congressmen sent to developers:

Last month, a developer of applications (“apps”) for Apple’s mobile devices discovered that the social networking app Path was accessing and collecting the contents of his iPhone address book without having asked for his consent. Following the reports about Path, developers and members of the press ran their own small-scale tests of the code for other popular apps for Apple’s mobile devices to determine which were accessing address book information. Around this time, three other apps released new versions to include a prompt asking for users’ consent before accessing the address book. In addition, concerns were subsequently raised about the manner in which apps can access photographs on Apple’s mobile devices.

We are writing to you because we want to better understand the information collection and use policies and practices of apps for Apple’s mobile devices with a social element. We request that you respond to the following questions:

(1) Through the end of February 2012, how many times was your iOS app downloaded from Apple’s App Store?

(2) Did you have a privacy policy in place for your iOS app at the end of February 2012? If so, please tell us when your iOS app was first made available in Apple’s App Store and when you first had a privacy policy in place. In addition, please describe how that policy is made available to your app users and please provide a copy of the most recent policy.

(3) Has your iOS app at any time transmitted information from or about a user’s address book? If so, which fields? Also, please describe all measures taken to protect or secure that information during transmission and the periods of time during which those measures were in effect.

(4) Have you at any time stored information from or about a user’s address book? If so, which field? Also, please describe all measures taken to protect or secure that information during storage and the periods of time during which those measures were in effect.

(5) At any time, has your iOS app transmitted or have you stored any other information from or about a user’s device – including, but not limited to, the user’s phone number, email account information, calendar, photo gallery, WiFi connection log, the Unique Device Identifier (UDID), a Media Access Control (MAC) address, or any other identifier unique to a specific device?

(6) To the extent you store any address book information or any of the information in question 5, please describe all purposes for which you store or use that information, the length of time for which you keep it, and your policies regarding sharing of that information.

(7) To the extent you transmit or store any address book information or any of the information in question 5, please describe all notices delivered to users on the mobile device screen about your collection and use practices both prior to and after February 8, 2012.


About Juli: Contact me via Twitter: @julipuli