They don't just know where you are, but your friends too
February 16, 2012 1:06 AM   Subscribe

I'm kinda torn about this. On the one hand, yeah, bonehead move if you're concerned about protecting users' privacy. On the other hand, pretty much any app you install on your computer can do the same thing. And sure, Android apps explicitly list the permissions they're requesting, but then I don't think the average user really pays attention.

Seems like the default should be to only allow access to hashes of contacts (which gets the job done for the most part when it comes to social sites matching you up with your friends).

(Though some would ask why just Apple?)

They allow every app unhindered access to the contact list without the user being informed of this. Android apps at least do you the courtesy of asking.
posted by mullingitover at 1:25 AM on February 16 [2 favorites]

Can't be bothered to find the link, but Apple's closing that loophole in an upcoming OS update, probably due in a few weeks.
posted by DoctorFedora at 1:29 AM on February 16

Kinda funny that Apple was grandstanding about not providing subscriber contact info to the publishers without the user's consent. All the publisher would've had to do is scrape it out of the user's address book. (were they doing this already?)
posted by mullingitover at 1:35 AM on February 16 [2 favorites]

I seem to recall the "previously" thing was largely a tempest in a teapot as well, meant to check antenna performance on the cell phone network rather than to track you (though there was a bug or something keeping the data far longer than necessary?).

Not necessarily defending Apple so much as just pointing out that these articles are generally written by professional panty-bunchers, and Apple just happens to be the most popular show in town and this the easiest (and laziest?) target. The current thing is unlikely to be much of an issue for very long, if it ever really was (I speak in terms of actual impact rather than handwavey But What Ifs).
posted by DoctorFedora at 1:36 AM on February 16 [4 favorites]

I think it says something that we're blaming Apple, not the Apps stealing the contacts. I don't care if the door is locked or not, going inside and taking without asking is theft.

Apple does have a bit to blame -- they should have not allowed these into the app store. Then again, there's so much to check for already. I presume they automate most of it, but still, there's no way they can truly thoroughly review -- esp. when Apple (as part of MobileMe/iCloud syncing) is expecting to see contact info on the wire.

I'm a bit annoyed at Apple by this, but I'm livid at the application developers. Fuck you, sirs, for thinking that everything on my device that you could read is yours.
posted by eriko at 2:12 AM on February 16 [5 favorites]

pretty much any app you install on your computer can do the same thing

The windows on a house are made of transparent glass, but that doesn't mean peepers can't get prison sentences.
posted by justsomebodythatyouusedtoknow at 2:13 AM on February 16 [8 favorites]

It's cool that smartphone app developers can't be trusted to act ethically and now we get more "are you sure you want to hit the yes button to continue?" alerts. No wait, I mean "a pity", not "cool".

Except the perspective the developers are exhibiting here ("People aren't going to mind if we grab the whole contents of their address book") isn't exactly new to the smartphone field, as it wasn't that long ago that social networking services were asking for your (e.g.) Gmail username and password to read your address book to search for your friends, which end-result-wise seems very similar, but holy hell they want my account credentials?

I don't remember any significant uproar over that behaviour, though it seems to have quietly gone away now that there are other authentication methods and APIs.

And I hear tell that there are people using Facebook (and others) who wouldn't see this behaviour as a problem in the slightest. I don't personally know any of them, but the news keeps telling me that they're out there. I'm almost 30, and already I fear the young with the hair and the music and the different outlook on personal privacy.

So maybe it's unfair to state that it's unethical, even if I definitely think that it is.

Everything else (Congresscritters writing letters, etc.) is just comedy. Repetitive comedy.
posted by dumbland at 2:17 AM on February 16 [2 favorites]

There are good things about having just turned 50.

One of them is having enough perspective to realize that putting an expensive little general purpose computer in my pocket is ultimately a very constraining choice to make. I absolutely do not envy my younger colleagues, most of whom seem to be pretty much married to one of these little bundles of electronic suck.

When the iPhone first appeared, and then even more so when the iPad first appeared, the general consensus seemed to be that even if you thought they were stupid before you'd seen one, that once you actually got to hold one in your hand you would want want want want want it.

Nup.

So far, every single one of these toys I've ever had to make do something for somebody else has done pretty much exactly what I expected it to, viz. annoy the crap out of me by being twee and cute and slick.

I'm liking my basic little Nokia phone more and more by comparison. It sucks at everything except being a phone and a micro SD based MP3 player, both of which it's quite competent at. And it cost me $50. And I don't keep a contacts list in it anyway (I use my VoIP provider's speed dial list for that). Even so, the only reason I still have it at all is so that ms. flabdablet can contact me if little miss flabdablet has a medical emergency.

Anyway.

If you're mad as hell and can't take it any more, which increasingly strikes me as the correct response to these high priced, fragile, ecologically dubious, self-obsolescing, voluntarily worn corporate shackles: consider getting rid of it altogether and replacing it with nothing at all. You won't die. You'll have more free time. You'll have fewer worries. And you'll be jerked out of a flow state far, far less often, which will be good for your mental health.

Mobile phones were just a bad idea. If Douglas Adams were writing the Hitchhiker's Guide today, he would have dumped on them instead of on digital watches.

Break your machines before they break you.
posted by flabdablet at 2:40 AM on February 16 [12 favorites]

Mobile phones were just a bad idea.

Not really, no.
posted by New England Cultist at 3:13 AM on February 16 [23 favorites]

"Can't be bothered to find the link, but Apple's closing that loophole in an upcoming OS update, probably due in a few weeks."

Too late for that. Lousy Apple, they just don't care: workers, customers, all grist for the Apple mill.
posted by marienbad at 3:17 AM on February 16 [3 favorites]

/Sprays Glade in the thread.

I'm retired. I love my iPhone, as the best cell phone I've ever had. For being a phone. The fact it's a good PDA as well is also nice.

I also love my iPad. I can keep handy an assortment of reading material, games, and even browse the web while taking trains (I don't drive at all). I especially love it when I really want some Metafilter, but I'm not home.

It's true that my iPhone sees less action since the iPad came along. But really, I don't use them the same. The only real difference is I rarely play any games on the phone, since I usually have my iPad when I'm on a train.

The stealing of contact information is ugly. Especially for Americans who have to pay for incoming calls on their cells! (but that's a con job on y'all anyway). And what, they going to spam the email addresses? Or just use it as new data for other nefarious purposes (matching cell numbers to names, nick-names to numbers, non-cell numbers to cell numbers, etc). All just plain WTF.

But you know, this all started with sites like FB persuading people to provide email account access "to find your friends!", and people accepting that. This is the point at which the lesson should have been given. But while many of us automatically rejected the idea, obviously enough were like, "bah! Bah!" and in internet speak, that's a click on the OK button.
posted by Goofyy at 3:17 AM on February 16 [3 favorites]

There was an amusing study that showed that unauthorized iPhone/iPad apps leak private data less often (4%) than Apple approved ones (21%) (via).

Apple's App store, Facebook, etc. do not exist to protect you from unscrupulous developers but to sell you to unscrupulous developers.

I'd hope if the CyanogenMod App Store ever launches they'll buck this trend by simply requiring open source.
posted by jeffburdges at 3:23 AM on February 16 [2 favorites]

I should say App Stores exist to protect the interests of Apple, AT&T, etc., including selling their consumers information, against their customer's interests, like reducing their phone bill through tethering.
posted by jeffburdges at 3:29 AM on February 16

It will be interesting to see what countermeasures Apple adopts here. Already, Apple is looking at requiring apps to disclose what personal data is sourced/transmitted as part of the approval process for the App Store itself.

One thing to keep in mind is how Apple operates. The best example that I can think of is that of a gated community, a simulacrum of their closed platform. In a gated community (at least in Southern California, and I imagine in other places), there are policies that one agrees to abide by when buying a home. You own the home (the device) however you agree to subscribe to the policies of the community (Apple).

These communities have restrictions that you do not find elsewhere. For example, no visible satellite dishes, or requiring houses to painted in accordance with an approved colour palate. All guests passing in and out of the community must register at the gate. Homeowners pay dues to committees that oversee the operation of these processes.

The result is a less-free community that is maintained to a certain level. In that community, you have fewer choices (your house cannot be orange for example) but nobody else will have an orange house either. Your guests may find entering and exiting inconvenient, however you also have less concern about your neighbour's guests bothering your children.

This is how Apple operates -- especially when it comes to iOS (more so than MacOS). People buy Apple products for a curated experience -- similar to why people move into gated communities. In one case, there is someone approving your software, in another there is someone approving your guests.

One must keep in mind that Apple has two revenue streams: hardware and software. Apple sets the regulations for the community by what drives those revenue streams. The large majority of individuals in the Apple community would rather have a gate-kept computing experience than an open computing experience (like Android). Android is there for people that want an open experience.

In terms of personal data, if Apple sees a threat by these apps to its community -- and if the community responds vocally -- it will stop approving apps that source that information. Because that is what drives revenue, servicing the community. Similar to the housing community, you don't get to choose the colour schemes, someone chooses them for you -- and you pay that person to do so.

I don't doubt that Apple will come under fire either way, to some degree. If they restrict apps based on their amount of personal data collection, the protestations will be that Apple is closed and restrictive. If they do not restrict apps, then Apple will receive blowback from people complaining about apps sourcing their personal data.

In the republic of Apple, revenue and sales are votes. Their machine is finely attuned to keeping the most profitable balance, which means the result of this current issue will be that which the largest number of consumers are willing to accept.

For more details on how this gated community concept works, have a read of How Cults Seduce by Plan B (San Francisco).

Finally, there are two sub-issues here. The first is the ongoing realisation by the body politic that personal data is indeed valuable.

And the second is that nerds (like Dave Morin and the rest of the Facebook cabal) operate under the principles of Western medicine. They don't see patients, they see organs. The nerds creating this stuff constantly push the edge of what's possible, regardless of the consequences to their users. That was the Jobsian genius. Steve Jobs understood that you must treat the whole body instead of just the organs.

As Silicon Valley has developed in stature and capability, the arrogance of the nerds has increased to the point where for example, Dave Morin and Path, enacted a George Bush Deuce-era policy of plausible deniability regarding data privacy. "We don't collect that data," he said. And that was true. On that day. They started collecting and processing that data shortly after.

Point being, nerds look at data and systems, and often miss the human consequences. Apple's genius is design, and what is design but taking into account how people feel. It will be a very strange day when the politicians and designers are united to leash the capabilities of the nerds and investors.
posted by nickrussell at 4:01 AM on February 16 [6 favorites]

I can't muster the strength to hold down the power button anymore. I was busy wagging my finger at everybody else for not being like me and choosing the same phone I did. Now my phone mocks me, charging itself.
posted by narcoleptic at 4:13 AM on February 16

The iPhone not only harvests your personal contacts, but also your organs.

It's true! Siri sells them on the black market in Atlantis.
posted by Brandon Blatcher at 4:21 AM on February 16 [4 favorites]

I was all prepared to be holier-than-thou in this thread since permissions on Android are explicit but out of curiosity I just installed an app called Permission Explorer and found that 70 apps on my phone have permission to read the contacts database. Some of these are obvious like Gmail or Dialer but why does Gingerbread Keyboard or Zipcar or god help me V CAST Music need to see my contacts? And the fact that there's a (hidden) app called "HTC Function Test Program 1.02g" that seems to have permission to do anything doesn't really make me very happy.

Note to self: get off arse, root and install Cyanogenmod 7.1 to get rid of all that HTC and Verizon garbage.
posted by octothorpe at 4:47 AM on February 16 [2 favorites]

Yeah, on Android, applications have to ask for specific permission to access your contacts before you install the app. It's almost never requested and you would only expect to see it on custom dialers or software specifically for managing your contacts. On my old phone I got some app that would show you pie charts of who you'd been talking too, but that app had no internet access. So even though it had access to contacts, it had no way of uploading that data anywhere.

For example, I'm not comfortable with random programs knowing my location, so if an app asks for location and internet access I usually won't install it. Usually you can find an alternative. (Supposedly it's to serve context-sensitive ads, but obviously, they could do whatever they want with the data)

I wonder about the legal issues here. If there was no indication at all they were harvesting contact lists, couldn't that have qualified as unauthorized access? Even if it's not criminal, Path, and these other companies have certainly opened itself up to the possibility of a class action lawsuit.

The Path CEO had actually been telling reporters that they didn't collect any data at all. Apparently, they changed this, but didn't tell anyone or notify anyone at all.

Not necessarily defending Apple so much as just pointing out that these articles are generally written by professional panty-bunchers, and Apple just happens to be the most popular show in town and this the easiest (and laziest?) target. The current thing is unlikely to be much of an issue for very long, if it ever really was (I speak in terms of actual impact rather than handwavey But What Ifs).

Dude, these companies were stealing people's phonebooks. You know, all the phone numbers and contact information and addresses and everything you put on your phone? Think about that for a second. Would you really feel comfortable sharing that data with random people? Would you feel comfortable with random people taking that data without permission and without even telling you? You can probably learn an enormous amount of information about someone by correlating a lot of that data from different people.

I'm actually kind of shocked at both the fact apple allowed that and that so many people defended it. It should be completely unacceptable.

It's kind of weird how some people just don't seem to care at all about data privacy. I've seen people say stuff like "what's the harm", but the thing is, people just want privacy, and the loss of privacy is itself the harm. Especially in this case where it was taken without people's knowledge.

If it's google or facebook or someone you can read their privacy policy and decide if you trust them to keep the information secure, keep it out of employees hands, and so on. If, however, the data is being taken without telling anyone, by some random startup, you don't even have the option of deciding if you trust them to hold on to the data and only use it for what they say they use it for (except, they didn't even tell anyone they were taking it, much less what they were using it for)

pretty much any app you install on your computer can do the same thing

They could, in theory do it but it's really, really uncommon for 'legitimate' software. If an app did do that it would be flagged as spyware, removed from any 'legit' download sites and even added to spyware/malware definition files.

And here's the thing -- at least when it comes to tech-savvy people -- users understand that a random program from the internet could seriously mess with your computer. People know to only download from 'trusted' sites (like steam, or sourceforge). I personally hardly ever download anything that's not either open source or from a major company like microsoft/adobe.

When you're in your browser, everything is kept separate. You don't have to worry about websites taking data as a matter of course. If a website did use some hack to steal data, it would only affect people who hadn't updated their browsers and the page would be marked as an 'attack site' by mozilla and google to protect those people as well.

But it seems like people treat the app store more like the web then a collection of random .exe files of unknown providence. Apple approves these apps, so they must be safe, right?

I know I'm actually a lot more comfortable downloading something to my phone then I am to my PC. In part that's due to the android permission system, since I can chose not to install something if it's requesting more permissions then it needs. I've never seen an app ask for contact lists (other then the one I mentioned, which as I said didn't have internet access so couldn't upload that data).

Mobile phones were just a bad idea.

I'd bet that the majority of people in the world have never even seen a landline phone, much less ever had steady access to one. Yet today there are 9 cell phones in use for every 10 humans on earth. (obviously some people have more then one) Mobile phones have connected billions of people to eachother, and soon those people will be upgrading to smartphones with internet access.
posted by delmoi at 4:50 AM on February 16 [7 favorites]

Most app developers don't spend a lot of time thinking about which permissions they need. It is easier just to re-use what worked on the last project.
posted by humanfont at 4:57 AM on February 16

I was all prepared to be holier-than-thou in this thread since permissions on Android are explicit but out of curiosity I just installed an app called Permission Explorer and found that 70 apps on my phone have permission to read the contacts database. Some of these are obvious like Gmail or Dialer but why does Gingerbread Keyboard or Zipcar or god help me V CAST Music need to see my contacts?

I just installed that, I only have 30 apps with contact permission, almost all of them are either parts of Android in or from Google. The exceptions are of Twitter and Facebook, which annoyingly came pre-installed, and my bank's app for some reason, probably for some feature like sending money to your friends or something. Now that I think about it, I do remember seeing it ask for that permission when I installed it.

In your case VCast would have been installed by Verizon, and Gingerbread Keyboard is probably an android component.
posted by delmoi at 5:01 AM on February 16

I think it says something that we're blaming Apple, not the Apps stealing the contacts.


Yes. It says Apple's security model stinks on ice, and should be modified to protect the user from trojans, even if the trojan is written by a fortune-500 social media service.

At the same time, Apple, being the sole curator of their walled garden, need to put the App writers on notice, and kick their data-scraping asses out of the walled garden, if they insist on having their app act like a trojan horse application and stealing information without the user's knowledge or permission.

The closed App Store model means it's Apple's fault, as both system designer and curator of third party software. They didn't do their job on either end.
posted by Slap*Happy at 5:01 AM on February 16 [15 favorites]

For what it's worth, this isn't quite so much a clear-cut "amoral nerds vs. fear-mongering journalists" thing as a couple of comments have suggested. The original story, about Path, was actually written up by a developer who thought it would be cool to port Path to Mac OS X. He started looking around at the commands it was sending, and realized that Path was grabbing and storing names, email addresses, and phone numbers.

What he said sums up a lot of this for me:

"I’m not insinuating that Path is doing something nefarious with my address book but I feel quite violated that my address book is being held remotely on a third-party service. I love Path as an iOS app and I think there are some brilliant people working on it, but this seems a little creepy."

Plenty of nerds care about getting informed consent about what data is being transmitted about them (especially without being hashed, which wouldn't be hard at all), and are willing to engage with technology while still pushing to keep it as ethical as they can. Likewise, this isn't so much about Apple being an "easy target" as the fact that the original Path app would tell you it was accessing your contact information on Android but not iOS.
posted by Tubalcain at 5:05 AM on February 16 [3 favorites]

Apple does have a bit to blame -- they should have not allowed these into the app store. Then again, there's so much to check for already. I presume they automate most of it, but still, there's no way they can truly thoroughly review -- esp. when Apple (as part of MobileMe/iCloud syncing) is expecting to see contact info on the wire.

Well, when people have made Apple's review process one of the selling points of the iPhone store vs Android market, then people will have expectations. And when apps do shady stuff like this it becomes a bigger deal, and it becomes Apple's deal.

On preview, Slap*Happy said it more eloquently: "The closed App Store model means it's Apple's fault, as both system designer and curator of third party software. They didn't do their job on either end."
posted by inigo2 at 5:07 AM on February 16 [1 favorite]

Some of these are obvious like Gmail or Dialer but why does Gingerbread Keyboard or Zipcar or god help me V CAST Music need to see my contacts

The keyboard probably uses it to help with autocomplete stuff. V Cast Music probably has some "share this song" type feature (which is crap, just like that whole app is crap, but I digress). Zipcar, that's just bizarre.
posted by inigo2 at 5:10 AM on February 16

Except the perspective the developers are exhibiting here ("People aren't going to mind if we grab the whole contents of their address book") isn't exactly new to the smartphone field, as it wasn't that long ago that social networking services were asking for your (e.g.) Gmail username and password to read your address book to search for your friends, which end-result-wise seems very similar, but holy hell they want my account credentials?

I don't remember any significant uproar over that behaviour, though it seems to have quietly gone away now that there are other authentication methods and APIs.

Well, some people complained, but ultimately you have the choice about whether or not to enter your gmail password, and certainly you would be aware of it.

This would be like if facebook offered some 'toolbar' a photo uploader or something that actually hijacked your browser session to read out your contacts.
posted by delmoi at 5:14 AM on February 16

Dude, these companies were stealing people's phonebooks.

OMG, you're right, I just checked my iPhone and my address book was gone!!
posted by Bovine Love at 5:25 AM on February 16

Some of these are obvious like Gmail or Dialer but why does Gingerbread Keyboard or Zipcar or god help me V CAST Music need to see my contacts?

Android user here as well. While I think it's nice to get the alert when you install an application, I don't think it goes far enough. There's no reason I shouldn't be able to un-check "access contacts" when installing something that I don't think should access it.
posted by odinsdream at 5:27 AM on February 16 [2 favorites]

US congress have sent a letter to Apple about its apps and how they access personal data.

Corporations can make money mining your data.

They think they can make even more money if they can figure out your relationships to leverage them.

Congress won't do a damn thing - the propaganda (Oh wait, you young whippersnappers now call that Public Relations because the author of the book Propaganda called a newer addition Public Relations) efforts need to flow. As soon as it looks like a change in the flow of their manna - they'll whisper sweet words into Congress and the effort will end.

In fact - from the latest pile of paperwork from the Doctor:
It starts off with "The privacy of you medical information is important to us" (Yes, it says you. Not your.)
It then goes into 3 pages of "and another group of people who will have access" - so much for privacy. An example:
"we may disclose or use health information for ....(long list) ...for protective services of the President and others"

And in fact - in the interest of 'protecting the country' and 'thinking of the children' the ability of private companies to gather information to sell to the government to create the profiles to be used as part of the defence of the nation and its most vulnerable...the children makes sure nothing will be done.

The final nail in your privacy - you are doing this yourself. You are:
1) Opting to own/use a cell phone
2) Keeping a list of contacts in the phone
3) Downloading the applications to the phone that then copy the data. (all for what? A game - some circus that you didn't pay some bread for.)
posted by rough ashlar at 5:28 AM on February 16 [1 favorite]

Android user here as well. While I think it's nice to get the alert when you install an application, I don't think it goes far enough.

It doesn't go far enough. The notices are vague *AND* the most of the vendors work very hard to keep you from changing the software on the phone so if you want better security or the ability to track what comes and goes from the phone you can't.
posted by rough ashlar at 5:30 AM on February 16 [2 favorites]

The keyboard probably uses it to help with autocomplete stuff. V Cast Music probably has some "share this song" type feature (which is crap, just like that whole app is crap, but I digress). Zipcar, that's just bizarre.

Again it's kinda strange that these kinds of functionality aren't handled in a black-box approach. It wouldn't be hard to make a Sharing API part of Android which applications could call upon, but it wouldn't reveal the contact information itself backwards to them.
posted by odinsdream at 5:30 AM on February 16

Apple does have a bit to blame -- they should have not allowed these into the app store.

Apple has placed themselves as a gatekeeper - Apple has a responsibility.

Your privacy however isn't protected in many cases by law. And I'm rather sure Apple has made no claims they'd actually protect your privacy from 3rd parties.

*wry smile* If this kind of thing offends you get some like minded people together, form a non profit corp that then forms a SuperPAC (call it keep your nose outta my business SuperPAC) and start taking donations for educating people about the need for a Constitutional Amendment (Yea, shoot the moon) to protect privacy. Along the way pay yourself as director a nice salary and drive about in a microbus (Don't want to fly - your 'personal space' violations by the TSA is anti-privacy) giving lectures/talking to state lawmakers. It'd be fun and you'd get to travel on tea-parties dimes. The EU is trying to codify "forget" laws to protect privacy....bring such to the FatherLand! *stops smiling*
posted by rough ashlar at 5:41 AM on February 16

Its not strange. The developer knows they are doing nothing nefarious with the data, so feel no guilt in asking for it. They fact you don't know they are doing nothing nefarious with it is not necessarily at the top of their mind; they are honest* and aren't PR people.

(*) I'm not saying all developers are honest, I'm just saying the honest ones do things which look a little odd to paranoid outsiders. If you put yourself in the place of the honest developer instead of a suspicious outsider, it looks very different.
posted by Bovine Love at 5:42 AM on February 16 [2 favorites]

I'm just glad we have gatekeepers to weed out malware like this.
posted by 0xdeadc0de at 5:50 AM on February 16

They fact you don't know they are doing nothing nefarious with it is not necessarily at the top of their mind; they are honest* and aren't PR people.

As a paranoid outsider, I actually trust that the developers are intending exactly what they say (e.g. Path) and are not intending anything nefarious.

The problem is that once the data is in the hands of their company, it's no longer controlled by the developer's intentions. If the company hires a new CEO, gets bought, takes on investment, etc there are new people in the equation who get dollar signs in their eyes when they learn what's in the database.
posted by device55 at 6:07 AM on February 16 [5 favorites]

Apple responds:

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple spokesman Tom Neumayr told AllThingsD. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

posted by DreamerFi at 6:13 AM on February 16 [3 favorites]

Users of jailbroken iPhones have developed some tools for controlling information flow on them - along with ContactPrivacy mentioned in the Forbes article discussing unauthorized iOS software linked by jeffburdges above, there's Firewall iP (which lets you deny internet connections from apps) and Protect My Privacy (which includes the option to send fake location and contact info to apps that want yours). (Jailbroken devices also allowed independent developers to verify Apple's statement about whether iOS included CarrierIQ a few months ago.) [Standard disclaimer that I know these things because I work for Cydia.]

And just-released information about the upcoming OS X Mountain Lion includes news of a feature called Gatekeeper that defaults to disallowing applications from unidentified developers - hard to not see it as a tiny step toward an eventual iOS-like model.
posted by dreamyshade at 6:17 AM on February 16 [3 favorites]

Well, when people have made Apple's review process one of the selling points of the iPhone store vs Android market, then people will have expectations. And when apps do shady stuff like this it becomes a bigger deal, and it becomes Apple's deal.

There are lots of downsides to the curated store, and I'd love to have a secondary source of non-curated apps, but this case is an example of what's good about it not what's bad about it. This is Apple's deal, but at least there's someone to deal with it. This will get fixed and pushed out quickly and almost automatically to a vast majority of users. The fact that nefarious apps like this get out of the ecosystem, and that ecosystem gets repaired quickly, and the fact that almost everyone is on the same identical operating system is a selling point.

Neither Apple nor Google are warm fuzzy bunnies that do no wrong.

Apple makes a boatload of money off of developers and consumers by trading in apps and devices and content. It is heavy handed as hell and would love to do away with computers as we know them.

Google, for its part, makes money by knowing everything you think and do. Android is not some goddamn public service; it's a way for Google to tag along with you everywhere you go. The open source fanatics (which I am) tend to forget that Android is not Linux. It's merely a more hackable OS backed by a company every bit as amoral as Microsoft or Apple or whoever.
posted by pjaust at 6:17 AM on February 16 [5 favorites]

Android is not some goddamn public service; it's a way for Google to tag along with you everywhere you go.

QFT
posted by device55 at 6:20 AM on February 16 [5 favorites]

This is Apple's deal, but at least there's someone to deal with it. This will get fixed and pushed out quickly and almost automatically to a vast majority of users.

Aren't they fixing it by changing the operating system API, which doesn't really have anything to do with the curated store?
posted by smackfu at 6:22 AM on February 16

In other news Apple stock price hits $505.00.
posted by judson at 6:24 AM on February 16

Well, it hit $526 yesterday but now it's down to $491. Ride that roller coaster!
posted by smackfu at 6:32 AM on February 16

Android users, take a look at PDroid, which (assuming you have a compatible ROM/Kernel), will allow you to block certain applications from have access to certain permissions, even if you gave those apps permission during install...
posted by benzo8 at 6:34 AM on February 16

PDroid needs root access benzo8, so you have to be willing to root your phone. It would be nice if stock Android would let you fine-tune App sandboxes yourself, but I suspect the carriers wouldn't wear it.

Alternatively, if you can install CyanogenMod you'll get this kind of API blocking functionality.
posted by pharm at 6:46 AM on February 16 [1 favorite]

The original story, about Path, was actually written up by a developer who thought it would be cool to port Path to Mac OS X

_{Not important, but know the kid. My two-second claim to fame. :)}
posted by the cydonian at 6:49 AM on February 16 [1 favorite]

device55 :The problem is that once the data is in the hands of their company, it's no longer controlled by the developer's intentions.

Oh, I quite agree. And even if the company has the best of intentions, they can be bought by a company which does not. Additionally, of course, the company may involuntarily give up data (whether by legal duress or via nefarious means).

I was addressing how it happens, and why so many apps do it. Developers and many (especially small) companies just aren't thinking in this vein. In fact, in most of these cases they are trying to add value to their app (and, yes, their company, but under ideal circumstances, these go hand in hand, that is the whole idea of capitalism).

I object to the general (or at least common) tone and hyperbole of malicious intent that people cast on the companies and developers involved here. Yes, some companies and developers are bastards, but most have just made an error in transparency and/or data retention. Its a problem that needs solved (and explicit permission is one step to solving it; a better API that provides optional service that reveals less would help too, but they also have their problems; with a very large DB of addresses, hashing for example will reveal most of your addy book).
posted by Bovine Love at 6:55 AM on February 16

I'm expecting that Mac OS X shall become unusable within several years, dreamyshade. You cannot install Xcode without creating an App Store account, or pirating it, already. I'll laugh if Apple gets sued for anti-compeditive practices over Gatekeeper.
posted by jeffburdges at 7:23 AM on February 16

We were talking about this yesterday in my Information and Human Rights class. The current model of privacy permissions (where everything is allowed until the user says "no", or there's spurious gate keeping in the form of an approved app store) is a mine-field. But how else does the free-to-cheap model of Internet services monetize itself? I think one thing that's important to keep in mind, and that should be more widely known by all users, are that these companies aren't in the business of providing you with a search engine, or a video game, or a social networking platform, but instead are all advertising agencies which work more effectively by piecing together a complete picture of you as a consumer. They're ad firms masquerading as public services.
posted by codacorolla at 7:57 AM on February 16 [1 favorite]

OMG, you're right, I just checked my iPhone and my address book was gone!!

Believe it or not, the word "steal" has multiple meanings.
posted by kmz at 8:15 AM on February 16 [2 favorites]

Uh-huh. And 'steal' is almost always used in the context of data copying to make the crime appear more severe then "Your information has been copied without your consent!" which doesn't nearly have the hyperbolic ring to it. Hence why "steal" is used extensively by the RIAA, etc. People often object to the usage of the word in those contexts. This case is not different.
posted by Bovine Love at 8:20 AM on February 16 [1 favorite]

You really think privacy concerns are the same as copyright idiocy?
posted by kmz at 8:22 AM on February 16

See it more like "stole your identity" which no one has a problem with.
posted by smackfu at 8:24 AM on February 16 [3 favorites]

Apple commented on this nearly 24 hours ago and said it will be addressed in an upcoming update. Either you knew this and omitted it deliberately or you didn't really read up on the issue. Flagged.

The focus of the post is what's been done without customers' knowledge over the last three-plus years. "Coverage of the issue has pushed Apple to say they'll do something unspecified about it in the future" is a footnote, at most.
posted by Holy Zarquon's Singing Fish at 8:27 AM on February 16 [2 favorites]

"Believe it or not, the word "steal" has multiple meanings."

I believe most of them are used incorrectly. I like Wikipedia's definition the best:
"In common usage, theft is the taking of another person's property without that person's permission or consent with the intent to deprive the rightful owner of it."

The problem arises when people interpret it this way:
"theft is the taking of another person's property without that person's permission or consent with the intent of earning profits from the possession of it." Which is not technically correct.

Heck, even Dictionary.com give it a shot with this:
"the act of stealing; the wrongful taking and carrying away of the personal goods or property of another; larceny."

Both of which specifically refer to property, which is such a bad term to use. Even Intellectual Privacy laws are not concerned with the "how you get it" as much as they are with "what you do with it once you have it" which means it's less about possession and more about financial ramifications.

We didn't have adequate laws for IP governing multi-million dollar corporations, and now our hope is to be able to use those inadequate laws to govern a couple million individuals?

None of this is good.
posted by Blue_Villain at 8:35 AM on February 16

Hmm, can't find the post you're replying to. Must be a glitch in the matrix.


The focus of the post is what's been done without customers' knowledge over the last three-plus years. "Coverage of the issue has pushed Apple to say they'll do something unspecified about it in the future" is a footnote, at most.

"...as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."

Not sure what is unspecified about that. It will act just like the location services permissions. I don't expect to see it in 5.1 in early March, but I wouldn't be surprised to see it in 5.1.1 shortly afterwards.
posted by entropicamericana at 8:38 AM on February 16

Which is not technically correct.

Yes it is, because when you take that profit, you're cheapening the value of the thing. Economically, you're depriving people of the potential value of their personal information. That is theft, though it might be a subtle form of it, in the same way that exploiting labor is in economic terms a form of theft.
posted by saulgoodman at 8:39 AM on February 16

The next time somebody says "[Person X] stole my heart" I'm going to say, "No they didn't! You'd be dead without your heart!"
posted by kmz at 8:42 AM on February 16 [4 favorites]

Hmm, can't find the post you're replying to. Must be a glitch in the matrix.

Yeah, it appears to have been nuked. Hopefully mine will follow suit. Nobody needs to hear the sound of one hand arguing.
posted by Holy Zarquon's Singing Fish at 8:42 AM on February 16

I have come to the conclusion that hiding contact data in this day and age is near impossible.
Even if I am especially vigilant, which I am, my contact information is stored in dozens of my friends/acquaintances/coworkers computers & phones, all of whom apparently have no problem with the idea of sharing it to the world.

Even email addresses I consider mostly private get facebook solicitations, linked-in invites and game requests.

So, yeah, this is evil and bad, but as long as people you know are willing to sell you out for a digital cow, I'm not sure changing permissions will do a whole lot.
posted by madajb at 8:47 AM on February 16 [1 favorite]

"Stealing" is actually a metaphor, albeit a useful and apt one, to cover a lot of ground - The act of reading personal data without permission, and using that personal data for financial gain. It results in a feeling of violation akin to when something is stolen, so the metaphor's meaning is immediately understood. The trouble arises when people can't separate the metaphor from the actions. Much like copyright violation - it's not theft or stealing, ethically or legally - but the metaphor of theft works pretty well to convey the emotion of the aggrieved parties. (So don't do it, kids. Unless the work is out of print or otherwise unavailable, or claims of infringement used to shut down open discourse, etc, etc, etc. Like I said, it's just a metaphor, and it can break if carelessly used.)
posted by Slap*Happy at 8:50 AM on February 16

I am a huge tech fan. In a nutshell: the application world is wildly under-regulated and anything goes. Seriously. What is the crime for writing over-general, customer-approved, access requests to parts of your mobile phone? IANAL, but my guess is, nothing that cannot be washed away. How many apps currently turn on your microphone? Is there a way to find that out? Is there a way to prevent it that is transparent to the consumer?

How should it be done? YOU set the parameters on your phone. Share this. Never share this. Prompt me to share this. Then when you get an app, the app recognizes your settings and allows you to capitulate or bargain. "Will you take this $1.99 app for free if we can see how regularly you send SMS messages?" Yes or no. In the fluid world of apps, this price point could be fluid as well. If you said no, maybe they'd offer you X for your data. But at least we would have a value for our data. Currently our data is free. Repeat...it is free. Take it. I give it to you for this bag of beans. Further, what you do with my data is completely unregulated. Once the data is bits...into the ether it goes. Who has it? Nobody? 20 corporate databases? 1 governmental database? 1 insurance company database? Anybody know? Nope. Anybody looking? Well, yeah. Hackers. Folks interested in protecting technology. I don't feel much urgency from the government side of things.

I am still trying to figure out "future privacy". Wow. Brain dump. Apologies.
posted by zerobyproxy at 8:55 AM on February 16 [1 favorite]

1. Write a gimmicky free app.
2. Use tricks like bot downloads to get it to the top of the leader board.
3. Harvest the addresses and phone numbers from the people who download it.
4. Sell those to marketers.
5. Profit!

Makes you wonder if anyone was doing this...
posted by smackfu at 8:58 AM on February 16

I'll laugh if Apple gets sued for anti-compeditive practices over Gatekeeper.

Having read the MacWorld article, that would only happen if Google gets sued over their Android Market, because the two appear to operate with a similar model.
posted by Blazecock Pileon at 9:00 AM on February 16

Having read the MacWorld article, that would only happen if Google gets sued over their Android Market, because the two appear to operate with a similar model.

No they don't. Apple has far more restrictive development requirements. In terms of a development environment, it's XCode or nothing. You have to have an Apple developer account before you can put any self-designed software on your phone, which costs a hundred bucks from Apple. You don't wanna pay the hundred bucks and be subject to Apple's whims? Tough, it's the Apple way or the highway.

Over in Android land, I can download Eclipse and the ADK without giving my email address, or signing up for an account with Google, or paying any money. I can do my software development for Android with Eclipse, Visual Studio or a number of other community supported IDEs. I can put whatever software I want on my Android phone, without having to pay Google any money for the privilege. I can also go and download the Android source, fork it, and develop my own variant if I wanted to. It is a far more open model than iOS.

Anyway, it's not all rainbows and sunshine for Gatekeeper.
posted by Fidel Cashflow at 9:24 AM on February 16 [2 favorites]

Yes, with a 6.45% market share, OS X is clearly a monopoly benefiting from anti-competitive practices.
posted by entropicamericana at 9:32 AM on February 16 [2 favorites]

> Having read the MacWorld article, that would only happen if Google gets sued over their Android Market, because the two appear to operate with a similar model.

You have GOT to be kidding me.

As a developer, the underlying difference is huge - I can give or sell you an Android app without Google being involved or taking a cut (and their Market takes a much smaller cut, if I choose to use it). I can even sell the same app directly and through the Market.

But if I write an iPhone app, I cannot get it to you without Apple being involved, and taking an astonishingly huge 30% cut - unless you jailbreak your phone, potentially voiding the warrantee and destabilizing the unit, which literally eliminates 99% of the market.

And if I try to sell both through the Apple store and directly, Apple will throw me out of their store.

AND Apple can just refuse to sell my App in their store and give me no reason whatsoever.

Fidel Cashflow's $100 dev. kit complaint is also real - but frankly, it's much less of a big deal than those other objections. The developer software is worth a lot more than $100, and Apple's probably losing money on it. If it were just the $100, I wouldn't care - it probably takes you at least 1000 hours of work between starting as a developer from from a blank screen with no knowledge of how iOS works and ending up with a working, production application you can purchase at the Apple store, more if the application is complex, and that $100 is a drop in the bucket - the offensive part is the 30% off the top, in perpetuity that Apple demands off every penny I make from an iphone app - this is almost certainly more money than I personally will net.

This is why I refuse to work on paid software for the iOS system - I'd rather get a bigger chunk of a smaller pie. Right now, the project I'm working on is a cross-platform mobile app but the revenue generation is not on the App so we're OK.
posted by lupus_yonderboy at 9:45 AM on February 16 [2 favorites]

"because when you take that profit, you're cheapening the value of the thing"

"Cheapening the value of a thing" is not theft, it never has been. If I scrape the side of your car in the parking lot, you don't say that I "stole" it, do you?
posted by Blue_Villain at 9:47 AM on February 16

What is interesting to me is that there seems to be a different set of ethics at play in the mobile eco-system. Otherwise ethical desktop developers would never dream of copying your outlook contacts. In this case, the CEO of Path claimed at first that this was "industry best practices"
posted by Ad hominem at 9:47 AM on February 16

No they don't. Apple has far more restrictive development requirements.

If you read the MacWorld article, you'd understand I wasnt talking about Eclipse or Xcode or other IDEs, but about the application distribution mechanism, which would make the user settings of Mountain Lion's Gatekeeper similar to how you don't have to go through the Android Market, with the implication that a non-Market or non-Gatekeeper approved app could do something unsafe, all other things equal.
posted by Blazecock Pileon at 9:47 AM on February 16

Apple requires that users obtain Xcode via the Mac App Store, makes creating disposable App Store accounts difficult, make creating accounts without credit card details difficult, etc. All this I consider highly immoral, infinitely worse than anything Google has ever afaik done.

I'd argue that Gatekeeper represents an anti-compeditive assault on independent developers by restricting distribution for Mac OS X, btw Google ain't relevant here since we're talking Mac OS X. Apple will obviously push developers into App Store distribution using Gatekeeper.
posted by jeffburdges at 9:53 AM on February 16

In fact, I don't even know what Eclipse and Xcode have to do with what I said, since I didn't bring it up, and the linked article didn't mention it, either. I thought I was pretty clearly talking about the security model that was discussed in the piece. Where does MW bring up Eclipse?
posted by Blazecock Pileon at 9:54 AM on February 16

If you read the MacWorld article, you'd understand I wasnt talking about Eclipse or Xcode or other IDEs, but about the application distribution mechanism, which would make the user settings of Mountain Lion's Gatekeeper similar to how you don't have to go through the Android Market, with the implication that a non-Market or non-Gatekeeper approved app could do something unsafe, all other things equal.

But you're still wrong. I can't install apps to my iPhone or iPad that haven't been blessed by Apple via a digital certificate associated with your developer account. I can, and have, run any code on my Android phone all day long without having to have it blessed by Google. Now, I still have to have my Android code signed with a private key, but I generate that key using free tools provided by Google.

I can also run whatever Android code on my PC without having it signed by Google. The newest variant of OS X will allow you to run unsigned code (how nice of them) with Gatekeeper, but it's not possible with iOS. There is no comparison to anything within the Android market and Gatekeeper, unless you consider that they both ostensibly check for malware as part of the marketplace process. I'm not sure why this is hard to understand.
posted by Fidel Cashflow at 10:00 AM on February 16

Sorry if I missed this above, but how do mobile Web browsers fit in here, as far as harvesting phone contacts go?
posted by mrgrimm at 10:05 AM on February 16

There is no comparison to anything within the Android market and Gatekeeper

Except for the critical part about being able to get apps from untrusted developers. That's why they are similar models, and why Apple will only get sued for anti-competitive behavior when Google gets sued for anti-competitive behavior. Which is to say that neither party should be sued, at least over that.
posted by Blazecock Pileon at 10:06 AM on February 16

Except for the critical part about being able to get apps from untrusted developers. That's why they are similar models, and why Apple will only get sued for anti-competitive behavior when Google gets sued for anti-competitive behavior. Which is to say that neither party should be sued, at least over that.

Convenient that you leave out the fact that Google has zero control over what I install on my computer, be it Windows, Linux or Mac OS. Apple, on the other hand, controls everything from the hardware up, including the operating system and the app market place for OS X and iOS. That's where the anti-competitive portion comes in.
posted by Fidel Cashflow at 10:11 AM on February 16

Apple will obviously push developers into App Store distribution using Gatekeeper.

Gatekeeper makes no requirements to buy apps through Apple's app store, and it provides a trust mechanism (of a weak kind) for non-Mac App Store apps, but I do expect that it will create an impression that "untrusted" developers make unsafe software. Do you think the benefits of distributing through the Android Market provide the same motivation to Android developers to avoid end users having to sideload untrusted apps?
posted by Blazecock Pileon at 10:13 AM on February 16

Do you think the benefits of distributing through the Android Market provide the same motivation to Android developers to avoid end users having to sideload untrusted apps?

With Google, as a developer, I can make that choice for myself. I can either distribute it myself, or via the Marketplace, or both. With Apple, if I choose to deliver it myself, they will kick me out of the App Store ecosystem. That is anti-competitive.
posted by Fidel Cashflow at 10:16 AM on February 16

I disagree with the blanket assertion that "when you take that profit you're cheapening the value" just like I disagree with assertions that individuals pirating movies represents a lose to the film studio.

It should be illegal for Apple, Google, Facebook, Zynga, smaller app store based software retailers, etc. to steal your data for basically the same reason it should be illegal for these organizations to sell your homemade movies without a license, namely : they are organizations, not individuals.

Imagine you've an embarrassing drunken photo that keeps appearing on your Facebook, Google+, or LinkedIn account.

Case 1. Your friends upload it.   You may ask them to stop, tell their mother, start uploading photos of them, steal their significant other, punch them in the face, etc. You might even take them to small claims court for defamation, but basically legal recourses are mostly inappropriate until the behavior gets really extreme.

Case 2. Facebook keeps reposting it.   I donno, maybe it generates traffic by being very funny You cannot really even discuss the matter with them, much less tell their mother, or punch them in the face. Ergo, there should be legal recourses that expose Facebook significant penalties for such behavior.

If we turn the tables to discuss piracy, we retain the asymmetry between individuals and organizations because organizations control distribution channels.
posted by jeffburdges at 10:21 AM on February 16

With Apple, if I choose to deliver it myself, they will kick me out of the App Store ecosystem.

I know Mountain Lion is beta and things could change before its release, but there's nothing publicly available so far that suggests Gatekeeper requires selling through the Mac App Store, or indeed any particular app store (Steam, Bodega, etc.). In fact, the screenshots on Apple's own web site contradict your assertion, in that they clearly show radio buttons to allow trusting of apps of varied provenance.
posted by Blazecock Pileon at 10:22 AM on February 16

[Apple] make creating accounts without credit card details difficult

Mine's never had credit card details. (And it's been at least eight years.) Apple have recently forced me to change from a user name to my email address, which I found a bit irritating, as I then had to remember to change the user name elsewhere.
posted by hoyland at 10:22 AM on February 16

I'd argue that Gatekeeper represents an anti-compeditive assault on independent developers by restricting distribution for Mac OS X

You're living in the past, thinking in terms of the way personal computers traditionally operate, where you had a file system, with files and programs living in it, and you had to tailor the program to the system, and the files to the program.

Javascript and HTML 5, dude, backed up by a network database. Added bonus - also deployable to Android and other modern platforms, and the user's data is available from any place they run your stuff.

It's very, very different than the way we used to do things, and there are tradeoffs in certain cases, but it really does represent a step forward.
posted by Slap*Happy at 10:26 AM on February 16

You're living in the past, thinking in terms of the way personal computers traditionally operate, where you had a file system, with files and programs living in it, and you had to tailor the program to the system, and the files to the program.

Javascript and HTML 5, dude, backed up by a network database.

How the heck do you think Javascript runs? It uses a program (an interpreter or just-in-time compiler) and reads data from a disk, which is provided by a filesystem, or ram using functionality provided by the operating system. Those things have not disappeared in any sense, they've just been abstracted away for the majority of developers.
posted by Fidel Cashflow at 10:36 AM on February 16

I haven't discussed phones or tablets here, Blazecock Pileon, I'm discussing "trucks", i.e. laptops and desktops. Android and iOS don't afaik run on "trucks" do they? I'm complaining about Apple's progressively greater restrictions upon Mac OS X.

At present, there isn't any need for anyone to register themselves with Apple to write Mac OS X software, but Gatekeeper's default configuration restricts software to "identified developers". There are many reasons you might not want to identify yourself, maybe you're Satoshi Nakamoto or live in a repressive regime. Any bets on mockingly annotated Quran apps coming out of Saudia Arabia?

Apple doesn't require App Store distribution, but surely they'll make avoiding it harder and harder. "We cannot grant you identified developer status unless you register your bank account with us to receive App Store payments." "Oops, sorry we added that no GPL3 license clause to our identified developers contract." etc.
posted by jeffburdges at 10:36 AM on February 16 [1 favorite]

there are tradeoffs in certain cases

Apple could have said to, say, Steam that they need to start selling their apps through the Mac App Store – not as many play games on OS X as on iOS and other platforms, so some loss of sales probably wouldn't hurt Apple too much – but instead Apple came up with a mechanism to provide trust of third-party apps. Trusting third-party apps doesn't sound anti-competitive, when, as mentioned, they could have shut down non-MAS sales altogether. The devil is in the details, but Gatekeeper seems like a decent "third way" that could have been a lot more restrictive.
posted by Blazecock Pileon at 10:38 AM on February 16

You're living in the past, thinking in terms of the way personal computers traditionally operate, where you had a file system, with files and programs living in it, and you had to tailor the program to the system, and the files to the program.

Javascript and HTML 5, dude, backed up by a network database. Added bonus - also deployable to Android and other modern platforms, and the user's data is available from any place they run your stuff.

Welcome to the future! Here's your terminal to the mainframe.
posted by odinsdream at 10:40 AM on February 16 [2 favorites]

I'm complaining about Apple's progressively greater restrictions upon Mac OS X.

I am looking at the screenshots and reading articles, and there is still nothing that appears to actively prevent an end user from running any OS X code at all, if that end user really wants to. I don't see how a radio button is anti-competitive, for the same reason I don't see sideloading as anti-competitive, but I admit I'm not a lawyer.
posted by Blazecock Pileon at 10:47 AM on February 16

I cannot understand people who trivialize panty-bunching like it is no big deal. When it happens to you it is the biggest deal possible! Nothing else matters until the is opportunity to un-bunch.

[This white knight sympathetic perspective is brought to you by a man who, rarely wears panties, was on the receiving end of far too many underwear elastic destroying wedgies]
posted by srboisvert at 10:50 AM on February 16

I don't see how a radio button is anti-competitive, for the same reason I don't see sideloading as anti-competitive, but I admit I'm not a lawyer.

Oh, then you must agree that bundling a web browser with an operating system isn't anti-competitive because there is nothing preventing the user from going out and downloading another one, right?
posted by Fidel Cashflow at 10:51 AM on February 16 [1 favorite]

Oh, then you must agree that a marketshare of 90% is equal to a marketshare of 6.4%, right?
posted by entropicamericana at 10:56 AM on February 16

For OS X developers apple does have 100% marketshare of computers that can run their software.
posted by Ad hominem at 10:57 AM on February 16

Oh, then you must agree that a marketshare of 90% is equal to a marketshare of 6.4%, right?

I agree that Apple has 100% marketshare of software installed via the App Store, yes.
posted by Fidel Cashflow at 10:58 AM on February 16

Oh, then you must agree that bundling a web browser with an operating system isn't anti-competitive because there is nothing preventing the user from going out and downloading another one, right?

I'm not sure I understand your analogy. Can you clarify how a monopoly engineering an operating system and browser to be interdependent equates or relates to preventing sideloading?
posted by Blazecock Pileon at 10:59 AM on February 16

Sony also has a 100% marketshare of consoles that run Playstation software, what's your point?
posted by entropicamericana at 11:00 AM on February 16 [1 favorite]

Android user here as well. While I think it's nice to get the alert when you install an application, I don't think it goes far enough. There's no reason I shouldn't be able to un-check "access contacts" when installing something that I don't think should access it.

I agree. Or in the case of something like location data, you should be able to set the phone to give fake data to an app.

Its not strange. The developer knows they are doing nothing nefarious with the data, so feel no guilt in asking for it. They fact you don't know they are doing nothing nefarious with it is not necessarily at the top of their mind; they are honest* and aren't PR people.

(*) I'm not saying all developers are honest, I'm just saying the honest ones do things which look a little odd to paranoid outsiders. If you put yourself in the place of the honest developer instead of a suspicious outsider, it looks very different.

Spare me. There is nothing honest about claiming to not collect any data, and then collecting it without telling anyone. That's the opposite of honest.

And secondly, who says these developers are honest? Look at Mark Zuckerburg when he started Facebook? He was collecting usernames/passwords and bragging about it and calling his users 'dumb fucks' for trusting him in IM.

Here's the thing, though. When you can do X with no personal repercussions and at the click of a button suddenly it becomes more difficult to see that it's wrong.

Remember when the story about the Lower Merion School District spying on students via their webcams came out? Obviously most people were shocked, but there was actually a poster who worked as an IT admin in another nearby school with similar tech, basically saying it was no big deal. Turns out it it was a big deal. Obviously. As everyone with a little more distance from the situation could see clearly.

I object to the general (or at least common) tone and hyperbole of malicious intent that people cast on the companies and developers involved here. Yes, some companies and developers are bastards, but most have just made an error in transparency and/or data retention.

Well, there are two problems with that. Like I said, first is the assumption that they're honest and trustworthy. Path wasn't the only company doing this, and some of the reporters have claimed that startup CEOs had bragged to them about how much data they were getting, reading the contact lists of celebrities, etc. Similar to Harvard era Zuckerburg. It wasn't just one company, it was a lot of them.

We also don't know how secure Path's servers are. If path got hacked, all that contact data could be taken by hackers.

But beyond that, simply believing that you are honest and trustworthy doesn't actually mean you are honest and trustworthy. It just doesn't. People lie to themselves just as much as they lie to others. Especially when money is on the line. Just look at how google started out being all "don't be evil" but gradually slips more and more over time.

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple spokesman Tom Neumayr told AllThingsD. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

If the apps were violating guidelines, they should punish people who developed those apps by yanking their developer licenses and kicking them out of the app store.

The open source fanatics (which I am) tend to forget that Android is not Linux. It's merely a more hackable OS backed by a company every bit as amoral as Microsoft or Apple or whoever.

Android is Linux. All it is is the open source Linux Kernel, the open source Dalvik JVM, and some snazzy graphics and UI code, all of which is open source as well.

All the android stuff is open source and there are alternative distros like Cyanogen Mod and MUNI ROM. In terms of the market, you can get alternative app stores even on normal phones without root, and Amazon has one. You can also usually load apps directly onto the phone. An android phone is as open or closed as the carrier and handset maker decide, unfortunately. But you can get phones that are wide open.

In other news Apple stock price hits$505.00.

General Atomics's revenue has gone from 200 million in 2008 to 660 million 2010. So definitely the free market has proven that there is nothing wrong with anything they're doing.

In fact, I don't even know what Eclipse and Xcode have to do with what I said, since I didn't bring it up, and the linked article didn't mention it, either. I thought I was pretty clearly talking about the security model that was discussed in the piece. Where does MW bring up Eclipse?

Actually we were talking about widespread privacy violations on iOS apps, which is something you've always said was a risk on android by pointing to mostly hypothetical or research examples of android malware.
You're talking about gatekeeper OSX, other people are talking about the entire iOS ecosystem, which is locked down. It's not surprising that people are confused, since this thread isn't even about the Macintosh.

But what's really going on is that you're derailing the thread by getting into an argument about something completely tangential to the original point.
posted by delmoi at 11:01 AM on February 16 [1 favorite]

Sony also has a 100% marketshare of consoles that run Playstation software, what's your point?

I can go and buy my Playstation software from where ever the hell I want, I'm not limited to Sony^tm stores.
posted by Fidel Cashflow at 11:03 AM on February 16

I'm not sure I understand your analogy.

I'm pretty sure you understand it fine.
posted by Fidel Cashflow at 11:04 AM on February 16

http://blogs.atlassian.com/2012/02/between-a-rock-and-a-hard-place-our-decision-to-abandon-the-mac-app-store/

Atlassian just pulled their software from the app store.
posted by Ad hominem at 11:04 AM on February 16

I can go and buy my Playstation software from where ever the hell I want, I'm not limited to Sonytm stores.

You have to get your development kit and development console from Sony. If you're a developer, you have to go through Sony. You have no choice in the matter. Sony has 100 percent ownership of the platform, from the perspective of a game developer writing for Sony gear.

I'm pretty sure you understand it fine.

I actually don't see much of a connection. If you want to explain it, I'm listening.
posted by Blazecock Pileon at 11:09 AM on February 16

I can go and buy my Playstation software from where ever the hell I want, I'm not limited to Sony^tm stores.

I can go and buy my OS X software from where ever the hell I want, I'm not limited to the Mac App store or Apple stores.
posted by entropicamericana at 11:09 AM on February 16 [1 favorite]

I can go and buy my Playstation software from where ever the hell I want, I'm not limited to Sonytm stores.

Everyone has to pay a royalty to sell playstation software.

Here's the interesting thing. Everyone roots/jailbreaks cellphones, but have you noticed that it's totally illegal to mod a playstation/xbox. Have you ever wondered why that is?

Well, the answer is that the library of congress explicitly added an exception to the DMCA to allow people to jailbreak their phones. Apple fought it. If Apple had their way, it would be as illegal to jailbreak/root your phone as it is to mod your playstation.

_{(digression: game systems have locked out unlicensed code since the NES, but before the DMCA it was all done with technical measures without any legal protection. Obviously it's easier to do with a cartrage then with an optical disk. It worked fine in the 80s/early 90s, but with the rise of the internet with file sharing and one click shopping from shady hardware dealers in hongkong it was getting easier and easier to pirate games. When I was in highschool I had a friend who had a Z64 for playing pirated n64 games. That's the kind of the thing the DMCA was supposed to stop, and it succeed for the most part)}

You have to get your development kit and development console from Sony. If you're a developer, you have to go through Sony. You have no choice in the matter. Sony has 100 percent ownership of the platform, from the perspective of a game developer writing for Sony gear.

Yeah have fun with your computer game console.
posted by delmoi at 11:17 AM on February 16

Apple's closing that loophole in an upcoming OS update, probably due in a few weeks.

They're "closing the loophole" the same way Android does: By making you click a "This app accesses your address book" before you use the app.

That does nothing to inform users of anything, and it doesn't "close a loophole" in any way. It doesn't tell you what happens when that access occurs, or what the app does with your data afterwards.

Personally, I don't care. But if you DO care, none of the phone makers are doing anything to help you.

Android user here as well. While I think it's nice to get the alert when you install an application, I don't think it goes far enough. There's no reason I shouldn't be able to un-check "access contacts" when installing something that I don't think should access it.

Part of the problem with this is that people don't understand WHY apps need the things they need. Witness, for example, how many people look at the requirements for a new app (say, a podcast player) and say, "WHY THE HELL DOES THIS NEED ACCESS TO MY PHONE CALLS? WHAT ARE THEY HIDING? THIS IS MALWARE!!!11!!!!"

In reality, they need access to the phone functionality to turn themselves off when you're on the phone. But understanding all the use cases of WHY apps need certain access is beyond the ken of most users. That's why Apple hides all this stuff.

Both methods are flawed because users are flawed. There is no solution.
posted by coolguymichael at 11:24 AM on February 16 [2 favorites]

Given the claims that it's fine for an iOS device to be a walled garden and have features locked out because it's just a phone and not a general-purpose computer, it's not entirely far-fetched for the company to make the same argument about OSX if/when Gatekeeper becomes a hard lockdown.
posted by Holy Zarquon's Singing Fish at 11:25 AM on February 16 [1 favorite]

Welcome to the future! Here's your terminal to the mainframe.


Client-server computing has been with us for three decades now - its advantages should be obvious - and the most serious problems have always been with the client side, and not the server.

Have you seen what a typical corporate desktop build looks like, the layers of interdependent and fragile cruft required to do simple things like browse the web and share excel spreadsheets? This is due to serious problems with the application layer not being abstracted anywhere near enough... applications for network security, for anti-virus, for software updating, for file synchronization, for password synchronization, for build compliance, for remote access when one or all of the above breaks. These mostly go away if you move to a web-application model, and issues of security, stability and disaster recovery become server-side issues. You don't gotta give two craps about the client, apart from some tweaks in your HTML or Javascript to get things consistent from browser to browser.

Some categories of software - processor and GPU intensive workstation or gaming stuff - do not (currently) lend themselves to the web application model. Almost anything that relies on client/server, or is simply lightweight data processing, can and should be moved to the cloud.

The only secure and reliable alternative is to move to curated local applications - apps that are carefully tested or come from approved and trusted developers.

If you're a desktop application developer, this is all your fault. You have been ignoring or fighting against measures to increase security and stability and interoperability, and have made PC software a laughingstock, a sick joke consumers aren't willing to laugh along with anymore.
posted by Slap*Happy at 11:31 AM on February 16

> I can go and buy my OS X software from where ever the hell I want

Massive non-sequitur.

OS/X has nothing, zero, zip to do with the the topic of mobile phone apps. If you want iOS software, you DO have to get it from Apple.
posted by lupus_yonderboy at 11:39 AM on February 16 [1 favorite]

They're "closing the loophole" the same way Android does: By making you click a "This app accesses your address book" before you use the app.

That does nothing to inform users of anything, and it doesn't "close a loophole" in any way. It doesn't tell you what happens when that access occurs, or what the app does with your data afterwards.

Sure, but users can just choose not to install it. I mean 99% of the users out there can definitely live without 99% of the apps. I've only installed one app that gets my contact list -- from my bank. I'm already trusting them with my money, and I can use that app to deposit checks, which is helpful since I don't live anywhere near a branch or ATM.

On the other hand, when I got my new phone I was looking for an app to turn on the flashlight, or some task killers and I found one that requested a bunch of permissions. So I just kept looking and found some other ones.

Part of the problem with this is that people don't understand WHY apps need the things they need. Witness, for example, how many people look at the requirements for a new app (say, a podcast player) and say, "WHY THE HELL DOES THIS NEED ACCESS TO MY PHONE CALLS? WHAT ARE THEY HIDING? THIS IS MALWARE!!!11!!!!"

What are you talking about? That's a good thing! If people are getting mad about apps demanding more permissions then they need, then developers will learn to stop asking for them.

I mean, why would a a podcast player need access to your phone calls? Obviously, there are going to be a million different podcast apps out there.

It would be nice if we could see how all the apps used the data, but that would only be a promise, not a guarantee. There is no way for a phone to control what an app does with the data once it gets it, other then to cut it off from the network entirely.

If you're a desktop application developer, this is all your fault. You have been ignoring or fighting against measures to increase security and stability and interoperability, and have made PC software a laughingstock, a sick joke consumers aren't willing to laugh along with anymore.

I'd say it's more Microsoft's fault for not putting in a sensible security model in windows 2000/XP. Up until android all OS security models were based on protecting users from each other. Which is completely pointless since most machines were only used by one person. With Vista and 7, apps run as 'you' rather then 'administrator' by default so while they can't fuck up your machine, they can still get all your personal data.

Android gets it because on android the developer is the 'user'. That's the correct way to model it, and the permissions that the real user grants to the developer are the ones it should run as. (unfortunately, you also have the carriers, who get to install whatever they want before you even get the phone in your hands...)
posted by delmoi at 11:43 AM on February 16 [1 favorite]

OS/X has nothing, zero, zip to do with the the topic of mobile phone apps. If you want iOS software, you DO have to get it from Apple.

Which is why BP made a concerted effort to change the topic to OSX and this gatekeeper security model thing, which has nothing to do with the topic of the post.
posted by delmoi at 11:46 AM on February 16

I mean, why would a a podcast player need access to your phone calls?

coolguymichael did answer that -- so that the player can stop the podcast when a call comes in, and then restart it when the call ends.
posted by inigo2 at 12:01 PM on February 16 [1 favorite]

You don't need access to 'phone calls' to do that, you can determine if the phone is off hook using a PhoneStateListener, and only requires the READ_PHONE_STATE permission. Maybe the dev messed up and requested the PHONE_CALLS permission group, which includes the ability to read the phone state but also 'intercept' outgoing calls and hang up the phone (but not place calls)
posted by delmoi at 12:13 PM on February 16 [1 favorite]

Which is why BP made a concerted effort

I did no such thing, delmoi. Several people brought up and discussed Gatekeeper before I said anything, and they continue to do so, without my involvement.
posted by Blazecock Pileon at 12:16 PM on February 16

Man, someone uses the word "Apple" on here and suddenly the place turns into some right-wing site discussing Obama.
posted by DoctorFedora at 1:16 PM on February 16 [2 favorites]

You don't need access to 'phone calls' to do that, you can determine if the phone is off hook using a PhoneStateListener, and only requires the READ_PHONE_STATE permission.

Interesting, thanks for this info.
posted by inigo2 at 1:21 PM on February 16

Twitter has said it will update its privacy policy to be more explicit.

Solving the problem once and for all!
posted by antonymous at 1:38 PM on February 16 [1 favorite]

Man, someone uses the word "Apple" on here and suddenly the place turns into some right-wing site discussing Obama.

WE'LL SEE WHO IS LAUGHING WHEN APPLE ROUNDS YOU UP INTO A TASTEFUL ALUMINUM AND GLASS CAMP. GOOGLE UBUNTU, SHEEPLE.
posted by entropicamericana at 1:41 PM on February 16 [4 favorites]

GOOGLE GOOGLE
posted by DoctorFedora at 1:57 PM on February 16 [1 favorite]

Entropicamericana wins the thread.
posted by to sir with millipedes at 1:57 PM on February 16 [1 favorite]

I disagree with the blanket assertion that "when you take that profit you're cheapening the value" just like I disagree with assertions that individuals pirating movies represents a lose to the film studio.

Well, if I offer to sell my personal information to someone who trades in the stuff, are they going to pay what I think it's worth if they can get it for free or at a market rate that doesn't take my interest in the economic value of that property into account? Maybe it's not strictly speaking theft, but it definitely in practice has the effect of depriving the party who (IMO) has the strongest claim to an interest in recovering the economic value of the information of their practical ability to claim that economic value for themselves.

Marketers don't even offer to buy my personal information from me first. They bypass me and go to other parties without even giving me notice they plan to buy it. It honestly seems like a violation of my rights to me that I'm deprived of the economic value that's locked up in that info, when other parties are literally making it their entire business model.
posted by saulgoodman at 2:33 PM on February 16

Okay--maybe not "property" but information. Either way. It's stuff people are buying and selling all around me. Maybe it's not literally property, but it sure behaves that way in the marketplace.
posted by saulgoodman at 2:34 PM on February 16

Yes, but the underlying legal issue should turn upon the power imbalance between individuals and organizations, hence my remarks being qualified by the phrase "blanket assertion".
posted by jeffburdges at 2:40 PM on February 16

Mobile phones were just a bad idea.

The phone part, yes, but the mobile part, no.

You won't die. You'll have more free time. You'll have fewer worries.

You must not commute more than 20 minutes per day on public transit. ^_^

I'm no smartphone lifestyle booster, and I almost never use the phone part of my smartphone (why would I when I have free sms with google voice).

I have two young kids, and my wife and i both work full-time jobs, so my schedule is pretty tight. I can't even guess how much time my smartphone has saved me, not to mention how many times it's kept my wife from driving around the city with two kids in tow, calling my name out, looking for my wandering drunk ass.

I also can't tell you how much more I've been able to read once I got a smartphone. Chacun ses goûts.

1. Write a gimmicky free app.
2. Use tricks like bot downloads to get it to the top of the leader board.
3. Harvest the addresses and phone numbers from the people who download it.
4. Sell those to marketers.
5. Profit!

Makes you wonder if anyone was doing this...

Lots of people are. There is a whole Black Hat SEO industry around it. Sometimes I think the entire modern Internet publishing industry is built on click fraud.
posted by mrgrimm at 3:10 PM on February 16 [1 favorite]

If one wants to actually point out Apple and privacy I bring you Cracked:
It's called geo tracking, and it means that, once you agree, Apple is able to see your precise location. Basically, the location data your phone has been storing is sent to a hidden database file and syncs it to your computer whenever you connect your phone. This means that somewhere hidden on your computer is a log of everywhere you've been with a longitude/latitude coordinate and a time stamp. ..... Even turning the built-in GPS off probably won't help matters, because Apple's terms never explicitly state that they'll stop tracking you once the GPS is turned off. And it's been proven that they don't.

If one wants to get their Apple hate on - by all means - hate on 'em for not following their own contract.
posted by rough ashlar at 4:42 PM on February 16

All the android stuff is open source and there are alternative distros like Cyanogen Mod and MUNI ROM

Which is useless if your phone is not supported/not on the rootable list
posted by rough ashlar at 5:00 PM on February 16 [1 favorite]

I was content to leave this thread the hell alone. I'm not going to apologise for and excuse stupidity. I'm going to let them fix this and get on with my life but I'm not going to get in the way that people who need to vent. Because I do it too. People could get their GRAR on and the outrage would eventually run itself down. But now we're venturing into fucking retarded territory. Cracked? Really? Because if I'm looking for accurate and up-to-the-minute information on IT privacy snafus I know and trust Cracked.

Once upon a time they did log everything and it was a massive file on an iOS device. Some engineer probably didn't think about the privacy implications of crowdsourcing GPS for coordinates of Wi-Fi hotspots beyond "well it's anonymised so who cares?". But when it all came bubbling to the surface they fixed the reservations people had with it in the next release of iOS. And Apple would have gotten away with it if it weren't for those meddlin' kids.

These days...

If Location Services is on, your device will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple, to augment the crowd-sourced database of Wi-Fi hotspot and cell tower locations.

It's quid pro quo. If you use Location Services you contribute to the crowdsourcing and you get to use the service. If you don't like it turn it off.

Back to your regularly scheduled outrage.
posted by Talez at 5:05 PM on February 16

I'm complaining about Apple's progressively greater restrictions upon Mac OS X.

I am looking at the screenshots and reading articles, and there is still nothing that appears to actively prevent an end user from running any OS X code at all,

Way to talk past each other.

One poster 'I don't like where this is going'. Other poster 'things are fine now, what ya complaining about?'.
posted by rough ashlar at 5:10 PM on February 16

"Steve Jobs understood that you must treat the whole body instead of just the organs."

Too soon.
posted by mr_crash_davis at 5:12 PM on February 16