This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

'Path-Gate' Teaches Hard Lessons in Mobile Privacy

Many iOS apps have been silently uploading users' address-book data. The resulting privacy debacle holds lessons for business.

Many iOS apps have been found to upload users' address-book data silently. They've stopped, and after Congressional questions Apple is plugging the hole that allowed it.

It began last week when a blogger in Singapore discovered that the iOS photo-sharing application Path was, without asking permission, uploading the complete address books of users and storing the data on their servers. It sure sounds like personal, and personally identifiable, information -- all the names, phone numbers, and email addresses of everybody on your contact list.

A firestorm ensued on the Internet and in the tech press. Momentum in the backlash built when Path's CEO referred to the practice of uploading address books as an "industry best practice." What he meant was "common practice," but the sentiment poured kerosene on the firestorm. The next day Morin issued an actual sincere apology and said that Path had deleted all of the user data from its servers and would ask permission in the future before grabbing address books.

It soon came out that many other iOS apps were doing the same or similar things. The companies identified included Facebook, Twitter, Instagram, Foursquare, Foodspotting, Yelp, and Gowalla. (Not all of them failed to ask permission, and not all of them were storing the users' data.) In all cases the point of the uploading was to help the application locate the user's friends so they could be invited to the service -- but still, users had no guarantees about what became of their data once it was exfiltrated from their systems.

All the companies that had been uploading address-book data in any form have now publicly backed away from the practice.

Attention next shifted to Apple, whose iOS operating system and App Store guidelines did not forbid the privacy violations in which many apps had been engaged. Two members of Congress sent a list of nine questions to Apple CEO Tim Cook. While working on a formal reply, Apple let it be known that they would be instituting changes that will require app developers to get user permission before touching anyone's address book.

Lessons for business
While Path-Gate has played out mainly in the B2C space, B2B businesses should not ignore the implications of the story as they develop their mobile strategies, whether for external or internal consumption. Mobile privacy is a hot-button issue to a large segment of the public, far larger than expresses concern about privacy in general. There is something so personal about your smartphone. It is always with you; it knows your location; you may live a large fraction of your life on it and store the traces there.

And data such as an address book can literally be a life-and-death matter in certain contexts, as a New York Times piece points out: the State Department is supporting the development of a "panic button" application to erase smartphone contacts with one click in case the owner is arrested during a protest.

Mobile devices paradoxically embody extreme privacy sensitivity along with the temptation of uniquely useful data. Location, contacts, browsing history, camera, accelerometer, unique device ID -- these data would be massively useful in many business contexts. Advertising is only the beginning. Just make sure that, when crafting a mobile strategy, you keep your privacy antenna tuned beyond ultra-sensitive.