Now Twitter admits 'harvesting' users' phone contacts without telling the owners as Apple announces crackdown



Highly private contact information is taken from smartphones and sent to remote computer

Users puzzled over why app retains contacts for 18 months

Twitter engulfed with comments from fearful users

Apple says it will stop apps taking data without users' consent

Twitter: The site admitted that its smartphone application transmitted data from users' private address books

Twitter has admitted harvesting contact lists from its customers’ mobile phone address books without telling them.

The website said it copied lists of email addresses and phone numbers from those who used its smartphone application, amid claims it kept them on its database for 18 months.

Its management yesterday agreed to change guidance to users about what it does with their personal information, after a storm of protest from privacy campaigners in the U.S.

The breach occurs when users of the micro-blogging site click the ‘Find Friends’ option to see if any of their contacts are also on it.

Many of them did not know this meant the site then uploaded their entire address book and stored it afterwards.

Twitter spokesman Carolyn Penner said it would now offer users the option to ‘upload your address book’ or ‘import your contacts’ to make it clearer.

She said: ‘We want to be clear and transparent in our communications with users. Along those lines, in our next app updates, which are coming soon, we are updating the language associated with Find Friends – to be more explicit.’

The practice by a giant such as Twitter raises more concerns about the privacy implications posed by social networking sites which are used by an estimated 37million Britons.

There is no suggestion the San Francisco-based firm was using the data – which it said was securely encrypted – for anything other than finding contacts for its customers.

But critics say the lack of ‘informed consent’ raises questions about other less reputable sites which could harvest details to sell on, or potentially leave customers open to identity fraud.



Jack Dorsey, executive chairman of Twitter: The company has said that it will change its apps so they make it clearer when they are transmitting and using private information

Apple iPhone 4S: The company moved to stem controversy over how apps from networks such as Twitter access, transmit and store the highly private information in users' address books

The admission also raises difficult questions for Apple, makers of the iPhone, as to why it had been allowed to happen, after the firm said such harvesting was a violation of its policy.

Two American congressman wrote to Apple about the practice, prompting it to toughen measures to make sure applications did not harvest data without ‘explicit user approval’.

In a letter addressed to Apple Chief Executive Tim Cook, Representatives Henry Waxman of California and G.K. Butterfield of North Carolina, both Democrats on the House Energy and Commerce Committee, asked Apple to clarify its developer guidelines and the measures taken by the company to screen apps sold on its App Store.



Apple CEO Tim Cook: Two U.S. legislators wrote to the CEO to request information on Apple's privacy policies relating to apps which upload and transmit the information in users' address books

WHAT IS TWITTER DOING WITH YOUR CONTACT INFORMATION?

So far, Twitter has not changed the way it uses data, only amended its policy so that new versions of the app will offer a clear warning that data will be transmitted and used.

Twitter's app will still read your address book and transmit and store your data, even now.

Sites such as Twitter process data remotely on their own servers, so it's become common practice for sites to build apps which send data back to their own computers.

The data is often used to 'link' people to other friends using the service.

What has shocked users is that this highly private data is being harvested without their permission.

It's also raised issues about how companies use such private data. None of the networks involved has come clean about why they might need to store data for periods alleged to be up to 18 months - or whether they gain a commercial advantage from storing and using this information.

Instagram and Foursquare have not issued an apology, but have quietly changed their applications.

None of the companies involved has issued a full apology. Apple's move should at least ensure more transparency for consumers about how data is used - although it's clear that social sites will continue to copy, transmit and store this data, just as Twitter has done.



The letter came after Path, a San Francisco start-up that makes a Facebook-like social networking app, attracted widespread criticism last week after a Singaporean developer discovered that Path’s iPhone app had been quietly uploading his contacts’ names and phone numbers onto Path’s servers.

The Path incident 'raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts,' the letter said.



The legislators’ request for information cast the spotlight squarely onto Apple for the first time since an independent blogger, Dustin Curtis, wrote in a widely distributed post last week that 'there’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission to remote servers and then store it for future reference.'

Curtis blamed Apple, writing that he could not 'think of a rational reason for why Apple has not placed any protections on Address Book in iOS.'



In their letter to Apple, Waxman and Butterfield, referenced Curtis’ blog post, adding: 'There could be some truth to these claims.'



The legislators had asked Apple to submit its response by February 29.

Apple yesterday announced it would now require iPhone and iPad apps to seek 'explicit approval' before accessing users’ address book data, in a bid to stem the growing storm.