Here we go again.
Last month it was discovered that social network Path was collecting and storing address books from Apple (NASDAQ:AAPL) iPhones without their owners’ authorization. A couple weeks later, it was discovered that location-based apps automatically copied and stored iPhone photo libraries to app developers’ servers without user permission.
And then last week, The New York Times discovered, upon consulting with app developers and security experts, that location-data apps on Internet-connected smartphones equipped with Google’s (NASDAQ:GOOG) Android operating system also copy photo libraries without user authorization.
Despite claims by Google that apps for Android phones are required to get permission from users to collect and store personal data like email, address book contacts, or a phone’s location, several developers hired by the Times to investigate Android location-based apps found that the apps don’t notify users that their photos are being collected and stored.
One investigator for the Times, Ralph Gootee, an Android developer and chief technology officer of the software company Loupe, developed a simple app that showed Android developers don’t need user permission to download users’ photo books as long as users authorize the app to connect to the Internet. Once that happens, the app can search the photo library on the phone for the most recent image and post it to a public photo-sharing site.
“We can confirm that there is no special permission required for an app to read pictures,” Kevin Mahaffey, chief technology officer of Lookout, a company that makes Android security software, told the Times. “This is based on Lookout’s findings on all devices we’ve tested.”
Google responded that the lack of restrictions on copying and storing user photos was a “design choice” based on the fact that early Android phones stored data on removable memory cards, which allowed users to decide which cards could be accessed. A spokesman for the company said it is reexamining that approach now that, in newer phones, photo and video data are stored on built-in memory chips.
“We’ve always had policies in place to remove any apps on Android Market that improperly access your data,” the spokesman told the paper.
A sticky issue
Privacy concerns also prompted the White House to announce last week Internet privacy guidelines intended to give social networks, companies that dominate online search, and app developers a chance to weigh in and set rules for the data-collection strategies that are crucial to their growth.
The Times points out that Google’s explanation for the way it handles photo permissions seems to run counter to the company’s earlier pronouncements on Android’s handling of user data, which the company has claimed includes an “industry-leading” permissions system. The reality is, though, that the photo-collecting element of Android location apps is one of many app stumbles the industry will encounter.