Lawmaker urges FTC to probe iOS, Android privacy breaches


Sen. Charles Schumer (D-N.Y.) is urging the Federal Trade Commission to investigate recent reports that mobile applications running Apple's (NASDAQ:AAPL) iOS and Google's (NASDAQ:GOOG) Android can access user address books, photos and other personal data without subscriber consent.

In a letter to the FTC, Schumer expressed concern over a recent New York Times report indicating that an iOS security loophole makes images stored on iPhone, iPad and iPod touch devices vulnerable to downloaded applications that can copy the user's entire photo library without any further notification or warning. In addition to giving apps carte blanche access to photos and videos, the loophole allows developers to mine corresponding location data. The first time an app wants to leverage location data for mapping or any other purpose, the iOS device asks the user for permission, generating a pop-up message that notes approval "allows access to location information in photos and videos."

A follow-up NYT report adds that Android applications can access the same user information and copy photos to a secure remote server without securing subscriber permission provided the app has the right to go the Internet. It is still not clear whether any iOS or Android apps have actually exploited the security vulnerabilities.

"When someone takes a private photo, on a private cell phone, it should remain just that: private," Schumer writes to the FTC.

Schumer's letter also makes reference to the recent discovery that some iOS apps can upload entire address books to their servers, complete with names, telephone numbers and email addresses. Last month, Apple said it would upgrade its software so that developers can only access users' contact data after receiving explicit permission to do so. Apple made the announcement after social networking app Path came under fire for collecting and storing user contacts.

"These uses go well beyond what a reasonable user understands himself to be consenting to when he allows an app to access data on the phone for purposes of the app's functionality," Schumer writes. "It is not clear whether or how those terms of service are being enforced and monitored... Smartphone makers should be required to put in place safety measures to ensure third party applications are not able to violate a user's personal privacy by stealing photographs or data that the user did not consciously decide to make public."

Apple and Google are among six leading technology firms that agreed last month to expanded privacy protections for consumers who download mobile applications to their smartphones and tablets. California Attorney General Kamala D. Harris announced that Apple, Google,, Research In Motion (NASDAQ:RIMM), Microsoft (NASDAQ:MSFT) and Hewlett Packard consented to improved privacy principles that bring the mobile ecosystem in line with the California Online Privacy Protection Act, which requires operators of commercial web sites and online services--including mobile apps--that collect personally identifiable consumer data to post a privacy policy. The agreement guarantees consumers the opportunity to review an app's privacy policy prior to download rather than after, and will offer consumers a consistent location for an app's privacy policy on the device screen.

"This agreement strengthens the privacy protections of California consumers and of millions of people around the globe who use mobile apps," Harris said in a statement. "By ensuring that mobile apps have privacy policies, we create more transparency and give mobile users more informed control over who accesses their personal information and how it is used." Harris will convene the six mobile platform providers in six months to assess their progress.

For more:
- read this Reuters article

Related articles:
Report: Apple loophole gives iOS developers access to user photos
Apple, Google consent to mobile app privacy accord
FTC to Apple, Google: Apps for kids must disclose data privacy practices
Amid privacy uproar, Apple promises to detail app permissions
Lawmaker Markey unveils Mobile Device Privacy Act