Someone found out that Path — and likely other apps too — was stealing your iPhone and iPad’s address book information without telling you about it. This happened because of Path’s greediness, but also because Apple is not protecting your privacy as it should.
The fact is that any app can do the same right now. And that sucks, even according to what Steve Jobs himself says in this video.
Your iPhone’s privacy problem
To understand the unintended irony of Jobs’s words, you need to fully understand the huge privacy problem that is happening right now in your iPhone, iPad and iPod touch. It goes like this: Path and other apps — we don’t know which — steal your contacts’ information into their corporate servers without telling you about it. These apps use an address book service that Apple provides within iOS, which is similar to the geographic location service also present in the operating system that powers all the iDevices.
The difference is that the iPhone’s GPS service requires you to actively approve that the app can access it. Apple’s operating system asks you for permission every time an application wants to know for your location, not the app itself. This is a barrier that the app can’t bypass. The security system is designed in this way so the app — which could be anything from a game to your typical free flashlight app — can’t spy on you without you noticing it.
This works perfectly fine.
The problem is that the address book service doesn’t use the same mechanism. It’s free for the taking. This is where the privacy clusterf**k ensues. Some app developers — like Path did — are taking advantage of this weakness. The fact is that, at this point, any app can access your address book and steal all your contacts. Just like that. We don’t know which apps may be doing this right now. That is a scary thought and Apple should have thought about it.
“Ask them every time”
The irony comes when you realize that Steve Jobs thought this was absolutely wrong too. In fact, you can tell that he believes that what Apple’s “colleagues in the valley” were doing — companies like Google or Facebook — was despicable. He explains this in full detail in this video, recorded at the D8 Conference in 2010.
He first attacks Silicon Valley companies for, according to him, not taking privacy as seriously as Apple does. Then he details what they are doing to prevent any privacy breaches. It’s a compelling description, like always.
Jobs even says that, before accepting apps in the app store, Apple analyses them so it can detect if they want to steal your contact information data and “suck it up to the cloud”. This is precisely what Path did. If what he said is true, Apple obviously failed to detect it in Path’s case. He also assures the audience that Apple detected some malicious apps and rejected them. That’s one of the “advantages of the curated Apple store”, he claims. One that, as the Path case has demonstrated, is either not true or not as effective as it should be.
Here is the transcript of the video above, what he replied when Mossberg asked if privacy looks that different in Silicon Valley than in the rest of America:
0:53 No, Silicon Valley is not monolithic. We always have had a different view on privacy that some of our colleagues in the Valley. We take privacy extremely seriously.
1:22 As an example we worry a lot about location in phones. And we worry that some 14-year-old is gonna get stalked and something terrible is gonna happen because our phone… so, as an example, before any app can get location data, we don’t make it a rule that they have to put up a panel and ask because they may not follow that rule. They call our location services and we put up the panel saying “this app wants to use your location data, is that ok with you?” Every time they want to use it.
And we do a lot of things like that to insure that people understand what this apps are doing.
2:02 That’s one of the reasons we have the curated app store. We have rejected at lot of apps that wanna take a lot of your personal data and suck it up into the cloud.
So… a lot of people in the Valley think that we are really old fashioned?
[…]
Privacy means people know what they are signing up for. In plain English. And repeatedly. That’s what it means.
I’m an optimist. I believe people are smart and some people want to share more people than other people do. Ask them. Ask them every time. Make them tell you to stop asking if they get tired of you asking. Let them know precisely what you are going to do with their data.
That’s what we think.
Basically, Steve Jobs thinks that anyone who doesn’t follow this privacy model — like Path now or Google and Facebook during 2010 — sucks. He was completely right.
That’s why he must be turning in his grave now, learning how he left this world without taking care of the address book in the iPhone — making sure that it worked exactly the same as it does in the GPS service, with an alert controlled by the operating system and the users. Never the developers.
Because it seems that some developers, as demonstrated by Path, don’t give a rat’s arse about Jobs’s idea of what privacy and sharing personal data should be. And perhaps some people at Apple don’t give a rat’s ass either. Otherwise I can’t understand why this has happened.
What is clear now is that Apple should have made the access to your contacts information as restricted as to the user’s geolocation data. After this, I bet they will. Soon. [Noted via Dave Winer]