Apple's response to the issue of address book data harvesting by 3rd party apps
#1
Posted 15/02/2012 - 23:40
Path took care to limit the damage as much as possible by promptly releasing an update to the app, which now requires the user's approval before uploading address book data to the company's servers. The issue, however, is much bigger than the practice of a single company, as it concerns the entire ecosystem of apps distributed through the App Store.
Apple responded after a one-week delay, through Tom Neumayr at AllThingsD, stating that an iOS update is being prepared which will ensure that users' address book data is not available to third-party apps without their required consent:
Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines.
We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.
Apple's response covers future attempts by third-party apps to harvest personal data, but it in no way provides satisfactory explanations of how such a situation was allowed in the App Store in the first place.
Apple has already been called upon by the US Congress to answer a series of questions on the matter by February 29:
Mr. Tim Cook
Chief Executive Officer, Apple Inc.
1 Infinite Loop
Cupertino, CA 95014
Dear Mr. Cook:
Last week, independent iOS app developer Arun Thampi blogged about his discovery that the social networking app “Path” was accessing and collecting the contents of his iPhone address book without ever having asked for his consent.[1] The information taken without his permission — or that of the individual contacts who own that information — included full names, phone numbers, and email addresses.[2] Following media coverage of Mr. Thampi’s discovery, Path’s Co-Founder and CEO Dave Morin quickly apologized, promised to delete from Path’s servers all data it had taken from its users’ address books, and announced the release of a new version of Path that would prompt users to opt in to sharing their address book contacts.[3]
This incident raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts.
The data management section of your iOS developer website states: “iOS has a comprehensive collection of tools and frameworks for storing, accessing, and sharing data. … iOS apps even have access to a device’s global data such as contacts in the Address Book, and photos in the Photo Library.”[4] The app store review guidelines section states: “We review every app on the App Store based on a set of technical, content, and design criteria. This review criteria is now available to you in the App Store Review Guidelines.”[5] This same section indicates that the guidelines are available only to registered members of the iOS Developer Program.[6] However, tech blogs following the Path controversy indicate that the iOS App Guidelines require apps to get a user’s permission before “transmit[ting] data about a user”.[7]
In spite of this guidance, claims have been made that “there’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission, to remote servers and then store it for future reference. It’s common practice, and many companies likely have your address book stored in their database.”[8] One blogger claims to have conducted a survey of developers of popular iOS apps and found that 13 of 15 had a “contacts database with millions of records” — with one claiming to have a database containing “Mark Zuckerberg’s cell phone number, Larry Ellison’s home phone number and Bill Gates’ cell phone number.”[9]
The fact that the previous version of Path was able to gain approval for distribution through the Apple iTunes Store despite taking the contents of users’ address books without their permission suggests that there could be some truth to these claims. To more fully understand and assess these claims, we are requesting that you respond to the following questions:
- Please describe all iOS App Guidelines that concern criteria related to the privacy and security of data that will be accessed or transmitted by an app.
- Please describe how you determine whether an app meets those criteria.
- What data do you consider to be “data about a user” that is subject to the requirement that the app obtain the user’s consent before it is transmitted?
- To the extent not addressed in the response to question 2, please describe how you determine whether an app will transmit “data about a user” and whether the consent requirement has been met.
- How many iOS apps in the U.S. iTunes Store transmit “data about a user”?
- Do you consider the contents of the address book to be “data about a user”?
- Do you consider the contents of the address book to be data of the contact? If not, please explain why not. Please explain how you protect the privacy and security interests of that contact in his or her information.
- How many iOS apps in the U.S. iTunes Store transmit information from the address book? How many of those ask for the user’s consent before transmitting their contacts’ information?
- You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis. Please explain why you have not done the same for address book information.
Please provide the information requested no later than February 29, 2012. If you have any questions regarding this request, you can contact Felipe Mendoza with the Energy and Commerce Committee Staff at 202-226-3400.
Sincerely,
Henry A. Waxman, Ranking Member
G.K. Butterfield, Ranking Member
Subcommittee on Commerce, Manufacturing, and Trade
#3
Posted 15/02/2012 - 23:50
Last edited by: billytilaver, 15/02/2012 - 23:54
#4
Posted 15/02/2012 - 23:54
#5
Posted 16/02/2012 - 00:03
#6
Posted 16/02/2012 - 00:10
And yet jailbroken devices are safer than App Store apps, according to Forbes
and I thought that with closed software, without a jailbreak, you were covered, but there is no protection
“As the scandal swirled this past week over news that the iPhone app Path uploads users’ entire contact lists without permission, I came upon a study (PDF here) released last year by a group of researchers at the University of California at Santa Barbara and the International Security Systems Lab that aimed to analyze how and where iPhone apps transmit users’ private data.
Not only did the researchers find that one in five of the free apps in Apple’s app store upload private data back to the apps’ creators that could potentially identify users and allow profiles to be built of their activities. They also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on “jailbroken” iPhones, tend to leak private data far less frequently than Apple’s approved apps.”
#7
Posted 16/02/2012 - 00:14
#8
Posted 16/02/2012 - 00:15
Cydia creator Jay Freeman has also had his say on privacy concerns recently, being quoted as saying:
"If you care about this kind of thing, you should jailbreak your phone, instead of Apple making decisions about what’s good and bad, you decide. People think jailbreaking is about deciding that things Apple doesn’t like are good. But it also allows you to decide that things Apple likes are bad. We provide you the tools to block the functionality you don’t believe apps should have on your phone."
#9
Posted 16/02/2012 - 11:18
Here you are not always covered even with open software, where such issues are more visible (because of access to the source code) and therefore easy to fix. If anything, in closed software such "holes" are hidden more easily.
and I thought that with closed software, without a jailbreak, you were covered, but there is no protection
#10
Posted 16/03/2012 - 16:28
And yet jailbroken devices are safer than App Store apps, according to Forbes
“As the scandal swirled this past week over news that the iPhone app Path uploads users’ entire contact lists without permission, I came upon a study (PDF here) released last year by a group of researchers at the University of California at Santa Barbara and the International Security Systems Lab that aimed to analyze how and where iPhone apps transmit users’ private data.
Not only did the researchers find that one in five of the free apps in Apple’s app store upload private data back to the apps’ creators that could potentially identify users and allow profiles to be built of their activities. They also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on “jailbroken” iPhones, tend to leak private data far less frequently than Apple’s approved apps.”
Usually the users who jailbreak are more "savvy", with the result that in practice they become "victims" more rarely. The talk about security because of a jailbreak or not is just theory..
#11
Posted 16/03/2012 - 16:29
Here you are not always covered even with open software, where such issues are more visible (because of access to the source code) and therefore easy to fix. If anything, in closed software such "holes" are hidden more easily.
Finish the sentence... They are found "more easily because if the code becomes available to the same number of external observers". ;-)