No secrets in cyberia

Connecting with friends in far-flung areas of the globe? The Internet and iPhone help establish these bonds through various services and apps. But would we welcome it if we discovered that strangers had access to our personal data or the content of our address book?

February 29, 2012 07:10 pm | Updated 07:10 pm IST

On February 8, 2012, Arun “I help build Denso” Thampi blogged from Singapore: “…Using the awesome mitmproxy tool, I started to observe the various API calls made to Path's servers from the iPhone app. It all seemed harmless until I observed a POST request to https://api.path.com/3/contacts/add. ...I noticed that my entire address book (full names, emails and phone numbers) was being sent as a plist to Path. Now I don't remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path”, repeated the experiment and… my address book was in Path's hands.” He added a disclaimer: … “I feel quite violated that my address book is being held remotely on a third-party service. I love Path as an iOS app… but this seems a little creepy. I wonder how many other iOS apps do the same…” He signed off with a step-by-step “how-to-do-it”.

Within hours, tech blogs and Twitter exploded angrily. Dave Morin, CEO, Path, wrote to Arun, “We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly… Nothing more.” Path, however, released a new version that asks for permission to send address books to its servers.

The matter wouldn't accept the “delete” key. One commenter, Matt Gemmell, asked Morin: “1. Why are you uploading the actual address book data, rather than (say) generating hashes of the user's email addresses, and uploading just those hashes? 2. Why wasn't this an opt-in situation to begin with? 3. How can we have our contact information deleted from your servers?” Morin said we could. Said David Smith, independent iOS developer: App Store guidelines 17.1 and 17.2 specifically forbade such acts. (http://stadium.weblogsinc.com/...) How did the Path app slip through Apple's review process? Within days Apple Inc said app-makers now required users' explicit “yes” for lifting address book data, and old apps would be updated.

Uploading personal data

More skeletons tumbled out. The Los Angeles Times reported that Twitter uploads every address book contact and stores it for 18 months, without permission. The process is now more explicit. Hipster's “Find Friends” feature on smartphone apps vacuums contact lists, said the BBC. Now there is an opt-in. Stanford University researcher Jonathan Mayer found that advertisers were able to store cookies on computers browsing the Internet with Safari. The Wall Street Journal, reporting this, said many Google services used cookies, say, to remember when someone signed into a service, but they were also used by the firm to help personalise advertising. WSJ added that Google and other companies worked around privacy settings designed to restrict cookies.

iSEC Partners, a security consulting firm, claims that iPhone developers gather information to check whether other people in someone's address book are also using the same app. According to a VentureBeat report, apps accessing address book information include Facebook, Twitter, Instagram, Foursquare, Foodspotting, Yelp and Gowalla. It's a data arms race!

“Specialists have been warning mobile users that applications are a source of viruses for the mobile; there is inadequate scrutiny by mobile manufacturers before recommending any applications,” said Na. Vijayashankar (Naavi), cyber law expert. Instead of a virus that steals passwords etc., apps steal private data. It is a serious crime in any country, including India.

Internet companies and their investors argue that data collection is essential to their businesses. With it, they say, they give consumers better search results, more relevant advertising, and more intimate connections with friends and others. We readily embrace their cool new toys and let our privacy interests be trampled. As Auren Hoffman, CEO, Rapleaf, put it, “I don't like people tracking my location, but I want to know which Italian restaurants my friends have liked.”

Naavi shoots another warning. In India people store bank passwords in their mobile address books, he says. “Stealing of an address book will not be merely stealing passive personal information but also sensitive data. There is a larger public duty for the ethical hacker to keep the public informed rather than worry about the adverse impact of such disclosure on the business interests of some organisation whose negligence was the cause of the problem.”

Several questions arise. Are boundaries of what is private information being redrawn? Have our attitudes to privacy changed because of the utility of that information? How do we interpret a phrase like “Add friends”? What about those companies that have no internal checks?

Path says it helps you “share life with the ones you love”. Is it also with those we don't?

POINTS TO PONDER

* In India privacy rights were recognised and protected by Supreme Court rulings on Article 21.

* Information Technology Act 2008 has introduced the concept of “Sensitive personal information”.

* There is a draft law called Privacy Bill 2011 under consideration in the Parliament.

* Privacy India, Center for Internet Society and others organised a conference on “Privacy matters” in Mumbai.

* For more information: Naavi.org
