Apps like the official Facebook and Twitter clients are on the list. Energy and Commerce Committee Ranking Member Henry A. Waxman and Commerce, Manufacturing, and Trade Subcommittee Ranking Member G. K. Butterfield have requested that the developers behind such apps reveal how Apple imposes its privacy standards and how the standards are implemented.
In case you’ve been living under a rock for the last few weeks, it was discovered that many apps in the App Store uploaded personal user information without consent. In most cases, the activity went against Apple’s guidelines. Many of the offenders have updated their apps with new dialogs that ask permission to share your contacts and other data. Apple has even added the warning to desktop apps in the latest developer preview of OS X Mountain Lion. In an official comment, Apple recently said that it will be implementing more straightforward rules for how an app can access a user’s personal data in a future iOS update.
Last month, a developer of applications (“apps”) for Apple’s mobile devices discovered that the social networking app Path was accessing and collecting the contents of his iPhone address book without having asked for his consent. Following the reports about Path, developers and members of the press ran their own small-scale tests of the code for other popular apps for Apple’s mobile devices to determine which were accessing address book information. Around this time, three other apps released new versions to include a prompt asking for users’ consent before accessing the address book. In addition, concerns were subsequently raised about the manner in which apps can access photographs on Apple’s mobile devices.
We are writing to you because we want to better understand the information collection and use policies and practices of apps for Apple’s mobile devices with a social element. We request that you respond to the following questions:
(1) Through the end of February 2012, how many times was your iOS app downloaded from Apple’s App Store?
(3) Has your iOS app at any time transmitted information from or about a user’s address book? If so, which fields? Also, please describe all measures taken to protect or secure that information during transmission and the periods of time during which those measures were in effect.
(4) Have you at any time stored information from or about a user’s address book? If so, which field? Also, please describe all measures taken to protect or secure that information during storage and the periods of time during which those measures were in effect.
(5) At any time, has your iOS app transmitted or have you stored any other information from or about a user’s device – including, but not limited to, the user’s phone number, email account information, calendar, photo gallery, WiFi connection log, the Unique Device Identifier (UDID), a Media Access Control (MAC) address, or any other identifier unique to a specific device?
(6) To the extent you store any address book information or any of the information in question 5, please describe all purposes for which you store or use that information, the length of time for which you keep it, and your policies regarding sharing of that information.
(7) To the extent you transmit or store any address book information or any of the information in question 5, please describe all notices delivered to users on the mobile device screen about your collection and use practices both prior to and after February 8, 2012.
(8) The iOS Developer Program License Agreement detailing the obligations and responsibilities of app developers reportedly states that a developer and its applications “may not collect user or device data without prior user consent, and then only to provide a service or function that is directly relevant to the use of the Application, or to serve advertising.”
(a) Please describe all data available from Apple mobile devices that you understand to be user data requiring prior consent from the user to be collected.
(b) Please describe all data available from Apple mobile devices that you understand to be device data requiring prior consent from the user to be collected.
(c) Please describe all services or functions for which user or device data is directly relevant to the use of your application.
(9) Please list all industry self-regulatory organizations to which you belong.