
Class action filed over mobile privacy


Johannesburg, 19 Mar 2012

Eighteen mobile application providers, including Path, Instagram, Facebook, Twitter and Apple, have been taken to task in a class action suit over the “Address Book-gate” saga.

While Path was the first app to be exposed for automatically uploading users' address book information to its servers, numerous other iOS apps were found to be using a similar practice.

The suit was filed last week by 13 plaintiffs from Austin, Texas, and seeks class action status. The defendants named in the suit are: Path, Twitter, Apple, Facebook, Beluga, Yelp, Burbn, Instagram, Foursquare, Gowalla, Foodspotting, Hipster, LinkedIn, Rovio, Electronic Arts, Chillingo, ZeptoLab UK and Kik.

The suit states: “The defendants - several of the world's largest and most influential technology and social networking companies - have unfortunately made, distributed and sold mobile software applications that, once installed on a wireless mobile device, surreptitiously harvest, upload and illegally steal the owner's address book data, without the owner's knowledge or consent.”

According to the suit, it aims to halt and prevent these “unconscionable, illegal practices” and mandate fixes to mobile devices and apps to prevent future invasions of users' privacy and the unauthorised access to and transfer of unencrypted address book data.

Pay up

The suit also calls for all wrongfully collected data to be purged and for unspecified damages to be paid out by each of the defendants, as well as any profits made from the use of the data.

It is yet to be proven that any of the companies named in the suit were in fact using the collected data for anything other than the functionality of their apps. Path and Hipster both publicly apologised at the time and deleted all data that had been collected, while reiterating that their intentions had not been malicious.

In the 152-page filing, the plaintiffs claim they have experienced damages around a long list of offenses including invasion of privacy, negligence, theft, intentional deception, disclosure or use of electronic communications and the violation of the Electronic Communication Privacy Act. The plaintiffs are said to be seeking actual damages, economic damages, statutory and treble damages for intentional wrongdoing.

Apple CEO Tim Cook reportedly grilled Path co-founder Dave Morin after first hearing of the privacy violations. At the time, Apple distanced itself from the controversy by issuing a statement saying the collection and transmission of personal information without express user permission was a violation of its guidelines.

It also made a promise to consumers that it would impose a mandatory requirement for user consent before apps could access contact data. Two US congressmen, however, sent a letter to Cook seeking answers over the issue and Apple's stance on user privacy.

Informed consent

Web and digital media lawyer Paul Jacobson says that, generally speaking, the central issue is the fact that users were not warned that their contacts were being uploaded to the services' servers.

“If a user selects the option to have a service or app check an address book for other friends, I think consent to access to that data is implied by selecting that option. Even in the absence of a privacy policy detailing this behaviour, I think a pretty compelling argument could be made that the users consented to that sort of access even if the precise means of obtaining that access isn't specified.”

Jacobson says companies that use this mechanism should advise users explicitly how they go about accessing the personal data they are given access to and what they do with it.

“This would be more consistent with the trend towards informed consent in privacy frameworks worldwide (including in the Protection of Personal Information Bill),” says Jacobson.

“The one concern is the data's security when it leaves a user's control and this is something these services should inform their users about and focus on. Data shouldn't be stored longer than necessary even when there is consent.

“Users are custodians of that personal data. It is other people's personal information and their consent is not necessarily obtained for this level of access. This is an issue waiting to blow up,” concludes Jacobson.
