The U.S. Congress has begun requesting more information about how iOS developers comply with Apple’s privacy policies regarding apps, how they gather information from users and what they do with it afterwards. The Next Web has been supplied with a request for information sent to developer Tapbots by House Energy & Commerce Committee Chairman Henry Waxman and Chairman Fred Upton.
This letter was also sent to 33 other iOS developers in addition to Tweetbot including Twitter, Foodspotting, Turntable.fm,, Trover, Instagram’s Burbn, Path, Facebook, SoundCloud and more. The committee says that “The apps were selected for the inquiry based on their inclusion in the “Social Networking” subcategory within the “iPhone Essentials” area of Apple’s App Store.”
The request details information that that the house would like to have supplied to it. This is likely related to the letter that Congress sent to Apple just last month about the app Path, which was storing Address book data without notice. We investigated apps storing and using data in our article “What iOS apps are grabbing your data, why they do it and what should be done“, which is quoted as a source by Congress in the letter.
The letter opens with an introductory segment that details how the issue was raised and how the story developed. Then the representatives detail the point of the letter:
We are writing to you because we want to better understand the information collection and use policies and practices of apps for Apple’s mobile devices with a social element. We request that you respond to the following questions regarding the Tweetbot app:
- Through the end of february 2012, how many times was your iOS app downloaded from Apple’s App Store?
- Has your iOS app at any time transmitted information from or about a user’s address book? If so, which fields? Also, please describe all measures taken to protect or secure that information during the transmission and the periods of time during which those measures were in effect.
- Have you at any time stored information from or about a user’s address book? If so, which field? Also, please describe all measures taken to protect or secure that information during storage and the periods of time during which those measures were in effect.
- At any time, has your iOS app transmitted or have you stored any other information from or about a user’s device — including, but not limited to, the user’s phone number, email account information, calendar, photo gallery, WiFi connection log, the Unique Device Identifier (UDID), a Media Access Control (MAC) address, or any other identifier unique to a specific device?
- To the extent you store any address book information or any of the information in question 5, please describe all purposes for which you store or use that information, the length of time for which you keep it, and your policies regarding sharing of that information.
- To the extend you transmit or store any address book information or any of the information in question 5, please describe all notices delivered to users on the mobile device screen about your collection and use practices both prior to and after February 8, 2012.
- The iOS Developer Program License Agreement detailing the obligations and responsibilities of app developers reportedly states that a developer and its applications “may not collect user or device data without prior user consent, and then only to provide a service or function that is directly relevant to the use of the Application, or to serve advertising.
(a) Please describe all data available from Apple mobile devices that you understand to be user data requiring prior consent from the user to be collected.
(b) Please describe all data available from Apple mobile devices that you understand to be device data requireing prior consent from the user to be collected.
(C) Please describe all services or functions for which user or device data is directly relevant to the use of your application.
9. Please list all industry self-regulatory organizations to which you belong.
The representatives request that the information be delivered no later than April 12, 2012. You’ll notice that the February 8th date also coincides with the day after developer Arun Thampi first discovered that personal diary app Path was gathering users Address Book data and storing it on servers locally.
If Congress was preparing for a hearing on app privacy involving Apple, this kind of information gathering would be a first step. Apple had until February 29th to respond to the previous request for information, which covered many of the same areas of interest.
We have reached out to Apple for a comment and will update this story if we receive one.