The privacy controversy following the public blowup over Path's uploading of user data to its servers has now grabbed the attention of Congress, which is looking to Apple for answers. US House Representatives Henry A. Waxman (D-CA) and G. K. Butterfield (D-NC) sent a joint letter on Wednesday to Apple CEO Tim Cook to inquire about the incident and whether Apple is making it too easy for iOS developers to collect user data without users' permission or knowledge. Apple, for its part, has acknowledged the problem and says it plans to issue a software update that will help address the issue of user consent.

The straw that broke the camel's back

Path is a social networking app that, for lack of a better description, is somewhat of a mishmash between Facebook and Instagram. The app allows users to post status updates and photos like they would for most other social apps, and one of the app's features involves finding other Path users via the contact list stored on your iPhone.

As it turns out, in order for Path to find contacts on your phone, the app first uploads your entire contact list to its servers. The problem, once this behavior was discovered by Singapore-based developer Arun Thampi, was that the app was doing so without users' knowledge—it didn't ask for permission and certainly didn't let anyone know that the data was being transmitted and stored somewhere else. Doubly bad was the fact that Path wasn't hashing or encrypting the data at all—it used a secure connection for the upload, but that's pretty much it.

The outrage over Path cooled after the company apologized, wiped all of its stored user data from its servers, and updated its app to ask for explicit permission before uploading the contact list again. However, that's when other developers began to speak out, pointing out that numerous other iOS apps were in fact practicing the exact same behavior. Apple's developer guidelines insist that "Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used," but the company provides no technological limitation on accessing or uploading that data. Essentially, developer access to your address book is virtually unfettered, and there is nothing more than an honor system when it comes to making users aware of what will be done with the information therein.

Congress wants answers

"This incident raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts," Waxman and Butterfield wrote to Cook on Wednesday. They went on to cite several other reports from around the Web that discuss other developers confessing to the ease with which they can take and use the same information without user permission. (Dustin Curtis, for example, claims to have surveyed 15 popular iOS app developers, with 13 saying that they have built contacts databases "with millions of records.")

"The fact that the previous version of Path was able to gain approval for distribution through the Apple iTunes Store despite taking the contents of users’ address books without their permission suggests that there could be some truth to these claims," Waxman and Butterfield wrote.

The Congressmen list nine questions that they want Apple to answer before February 29, including how Apple determines whether an app meets Apple's guidelines, how many iOS apps are currently transmitting data about users, and whether Apple even considers the address book data to be data about a user. The final question asks why Apple provides an easy-access way to turn off location services, but no way to perform a similar block on address book data.

This year's "Locationgate"?

This certainly isn't the first time members of Congress have questioned Apple after something blew up among users and the press. Last year, Apple faced scrutiny from several senators over why it allowed DUI checkpoint apps to be downloadable from the App Store. Apple also faced repeated questions and even attended several hearings related to its allegedly inadvertent tracking of users' locations—the company eventually issued a software update that deleted the location file from within iOS whenever users turned off location services.

Is the Path user data controversy going to be this year's "Locationgate" for Apple? So far, it certainly looks like it, but Apple has already begun working on damage control. In a comment sent to All Things D on Wednesday, Apple spokesperson Tom Neumayr spelled out that apps transmitting contact data without user permission are in violation of the company's guidelines.

"We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release," Neumayr said.

It sounds as if Apple plans to add an element to the API that forces developers to ask users for permission when accessing that data—right now, any apps that ask permission are doing so purely out of goodwill. That was a nice, if overly optimistic, way of handling things up until this point, but it's clear that users don't like finding out after the fact that their information—location, address book, or otherwise—has already been copied and saved somewhere else.

Apple's impending update to iOS may not be enough to appease Waxman and Butterfield, though. Even though the most pertinent parts of their questions will be addressed by such an update (the user permission part), they'll likely still want answers to some of their other inquiries, especially the ones concerning how many apps have transmitted user data so far.