Facebook, Apple targeted in mobile app privacy class action suit

A new class action lawsuit alleges that popular mobile applications like Facebook, Twitter and Instagram routinely steal address book data including names, phone numbers, email addresses, job titles and birthdays without consumer knowledge or consent.

The suit, filed this week in U.S. District Court in Travis County, Texas, claims almost 20 mobile app and game developers--including Facebook, Twitter, Instagram, foursquare, Path, LinkedIn, Yelp, Electronic Arts, Rovio Mobile and ZeptoLab--are in violation of policies put in place by storefronts such as Apple's (NASDAQ:AAPL) App Store, Google (NASDAQ:GOOG) Play and the Amazon Appstore for Android. Citing research that states the user data in question could fetch anywhere from 60 cents to several dollars per contact, the suit alleges invasion of privacy, intentional interception, disclosure or use of wire or electronic communication, breach of computer security, negligence, unjust enrichment and racketeering, among other claims.

Apple is named in the class action suit; Google and Amazon.com are not, although Jeff Edwards, lead counsel for the plaintiffs, told the Austin American-Statesman that more companies could be added. "We're making some fairly serious allegations against the big boys," Edwards said. "We're saying, 'Hey, you took something that didn't belong to you, and you're making a profit off it.' "

Spokespeople for Apple and Facebook declined comment. Electronic Arts, foursquare, Instagram and Yelp did not respond to the American-Statesman's requests for comment.

The class action suit follows reports that Sen. Charles Schumer (D-N.Y.) is urging the Federal Trade Commission to investigate claims that mobile apps can access user data without subscriber consent. In a letter to the FTC, Schumer expressed concern over a recent New York Times report indicating that an Apple iOS security loophole makes images stored on iPhone, iPad and iPod touch devices vulnerable to downloaded applications that can copy the user's entire photo library without any further notification or warning. In addition to giving apps carte blanche access to photos and videos, the loophole allows developers to mine corresponding location data. The first time an app wants to leverage location data for mapping or any other purpose, the iOS device asks the user for permission, generating a pop-up message that notes approval "allows access to location information in photos and videos."

A follow-up NYT report adds that Android applications can access the same user information and copy photos to a secure remote server without securing subscriber permission, provided the app has the right to go to the Internet. It is still not clear whether any iOS or Android apps have actually exploited the security vulnerabilities.

"When someone takes a private photo, on a private cell phone, it should remain just that: private," Schumer wrote to the FTC.

Schumer's letter also makes reference to the recent discovery that some iOS apps can upload entire address books to their servers, complete with names, telephone numbers and email addresses. Last month, Apple said it would upgrade its software so that developers can only access users' contact data after receiving explicit permission to do so. Apple made the announcement after social networking app Path came under fire for collecting and storing user contacts.

"These uses go well beyond what a reasonable user understands himself to be consenting to when he allows an app to access data on the phone for purposes of the app's functionality," Schumer writes. "It is not clear whether or how those terms of service are being enforced and monitored... Smartphone makers should be required to put in place safety measures to ensure third party applications are not able to violate a user's personal privacy by stealing photographs or data that the user did not consciously decide to make public."

Apple and Google are among six leading technology firms that agreed last month to expanded privacy protections for consumers who download mobile applications to their smartphones and tablets. California Attorney General Kamala D. Harris announced that Apple, Google, Amazon.com, Research In Motion (NASDAQ:RIMM), Microsoft (NASDAQ:MSFT) and Hewlett Packard consented to improved privacy principles that bring the mobile ecosystem in line with the California Online Privacy Protection Act, which requires operators of commercial web sites and online services--including mobile apps--that collect personally identifiable consumer data to post a privacy policy. The agreement guarantees consumers the opportunity to review an app's privacy policy prior to download rather than after and will offer consumers a consistent location for an app's privacy policy on the device screen.
