If YOUR iPhone app has been rejected by Apple in an unusual or unfair way, please write about it on your blog / news / etc, and send a link to @redglassesapps on Twitter

ACCEPTED: Dragon Dictation – despite uploading your Address Book

This has bothered me for almost 12 months now: Apple has no protection against apps uploading your entire AddressBook to the web, and selling your friends’ email addresses for cash. Or worse. Dragon Dictation is a high-profile app that just got spotted doing an AddressBook upload (names only):

Dragon Dictation for the iPhone goes through your contact list on your iPhone and uploads the names to our server. We do this for a pretty simple reason: we found that people are often dictating names from their address book and expect the names to be recognized.


…bearing in mind that we’re still not allowed to fix the major flaws in Apple’s ugly Camera Picker controls, seemingly because of privacy concerns.

Nuance’s explanations …

Incidentally, I noticed two funny things about Nuance’s PR excercise on their blog, where they try to fend off the bad PR from this upload. And, lets be clear, they provide no warning to users about what they’re about to do / just did, so I’m not impressed by the PR drive. If they really want to fix it, they’ll rush out an update to the app that adds a UIAlert saying “OK to upload your addressbook? Ok/Cancel”…

  1. “we still treat all of this information with the highest privacy standards. All of our servers are located in the United States and meet the most stringent privacy and security standards.”
  2. “We take this information and create an anonymous user profile for your device…there is no personally identifying information”

Sounds great, but…

Firstly: unless a new law has come in recently that I’ve missed, the USA has weaker privacy controls than we do here in Europe. It’s not necessarily a *good thing* that your servers are located in the USA…

Secondly, Nuance is bending the truth to breaking point. I understand what they’re trying to say “we didn’t mean any harm, and we don’t do anything bad, promise”, but the truth is simple:

Nuance is generating personally identifiable information and storing it in an EXTREMELY easy-to-access manner; taking advantage of this is childs-play

From their direct quotes, it sounds like they’re mapping iPhone UDID’s to collections of names. I’ve already seen examples of individual’s UDID’s being broadcast over the net (any developer can do it!) … UDID-based privacy is extremely weak.

But, more importantly … Off the top of my head, the first research showing how easy it is to take “the names of your friends” and work out “who are you?” was done over a decade ago. In many cases, it’s very very easy. Nowadays, with Facebook Connect and LinkedIn, it’s even easier.

So, while I *100% believe* that Nuance is doing nothing bad with the data, and that their intentions are entirely good, their claims that gathering the data itself (without user permission) is safe and fair … are simply wrong.

What did they take out to get their 4+ rating?

No blog post from the developers, but some interesting experiments in profanity suggest that this app may have had a few rounds of rejection before Apple allowed it through. Sigh.

Post to Twitter

This entry was posted on Tuesday, December 15th, 2009 at 2:41 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

 

Summary of this site

There are now approx. 100,000 iPhone applications available on the App Store. Apple has a secret, undocumented, unquestionable, semi-random process for deciding which applications to “allow” onto the deck.

This site aims to document and share all known examples of what is ACTUALLY rejected