Lax photo permissions on iOS, Android may lead to FTC investigation

By on March 5, 2012, 6:30 PM

Just last week, the New York Times discovered that iOS apps can silently access and copy photos from a user's photo library to a remote server with little to stand in the way. As it turns out though, it's not just iOS this time -- Android apps can do it too and perhaps even more easily than their iOS counterparts. 

In light of this discovery, U.S. Senator, Chuck Schumer (NY - D), issued a statement on Sunday where he described the lack of security as "disturbing" and "potentially unfair". The senator has called on the FTC to investigate both Apple and Google. Schumer has asked specifically for a comprehensive investigation to explicitly determine whether or not copying or distributing personal information from a user's phone without their consent constitutes an unfair or deceptive trade practice.

"When someone takes a private photo, on a private cell phone, it should remain just that: private," said Schumer. "Smartphone developers have an obligation to protect the private content of their users and not allow them to be veritable treasure troves of private, personal information that can then be uploaded and distributed without the consumer’s consent."

Source: senate.gov

A couple weeks prior to this latest privacy faux pas, Apple was lambasted for allowing apps to silently access, copy and upload users' contacts to a remote server. This alarming privacy blunder was brought to light by a developer who took a very close look at Path, a popular photo-sharing app. He inadvertently discovered that Path was uploading contacts to their servers without any indications or warnings. Not surprisingly, other apps are doing it too.

As for Android, users were at least offered a warning during install time, but this rudimentary barrier isn't sufficient for most users.

Apple issued a response in the following weeks that it would resolve this issue in a future update.

The new issue is very similar to the contact list debacle, only this time it involves photos. With iOS this time, users are protected up until they allow the app access to location data services. It's unintuitive from a security standpoint, but it does provide some sort of barrier for apps that users don't completely and totally trust.

If you're an Android user though, any Internet-enabled app has full read access to your photo library and can upload your photos to a third party server without any additional warnings. Schumer believes this is a scary thing and perhaps rightfully so.

According to reports by independent technologists, two separate loopholes, one in the Apple operating system and one in the Android operating system, allow apps to gather users’ photos. In the case of Apple, if a user allows the application to use location data, which is used for GPS-based applications, they also allow access to the user’s photo and video files that can be uploaded to outside servers. In the case of Android-based applications, the user only needs to allow the application to use Internet services as part of the app for third parties to gain access to photo albums.

Although many would agree that the contents of our phones should be private, do such issues truly fall under the realm of the Federal Trade Commission?

Schumer's invocation of the FTC may actually be more for purposes of expediency than anything. Judicial determinations can take a very long time but the FTC has the power to act in relatively short amount of time. By appealing to the FTC, the senator may have lit a fire under Google and Apple, prompting them to act more quickly.

Interestingly, we see multi-national companies appeal to the FTC frequently, rather than courts, in order to resolve intellectual property disputes for this very reason.




User Comments: 8

Got something to say? Post a comment
Scshadow said:

So, I'm kinda curious, how does this compare to PC and mac applications? Do desktop OS's sufficiently protect user data? Or can you make an application that will extract photos on them too? I just always thought it was the end user responsibility to sufficiently research applications before allowing them on your computer.

Guest said:

It's an interesting dichotomy, for sure.

I think the distinction is that android/ios is a closed box by which we directly insert personal data (contacts/sms/calendar..). Also, because all these actions are taken through the phone APIs.

If nothing else, Android and Apple should have learnt from the lesson from Microsoft that developers should rarely be trusted. The simple solution is for the phone to provide mock data (eg empty contact list, sms and calendar) to apps, unless it has explicitly been authorised. These all-or-nothing permissions are stupid, and only encourages users to throw away their privacy.

I know there are some custom firmwares that allow this, but it really should be an aspect of the official software.

Guest said:

So it is your responsibility? Yes the same way it is your responsibility to lock a door not present in a house. You would not sell a house without a door so why would you sell a phone without one. The ftc should also force imac maker apple to put a camera cover on i macs. Just like the peep hole cover so we don't get the indian tech guy look at my naked wife getting ready for shower.

Guest said:

I think the senator needs to STFU.

A flaw found in technology does not require a massive investigation to take place.

When will people learn that technology is never perfect. If it is, then why are there still developments happening right now. Us human's created this technology and we all know how perfect humans are.

And the example above about selling the house with no doors was the worst analogy. Of course no one is going to buy a house without any doors. But that's not even a close analogy to this situation. It's more like creating a massive mansion, so big in fact that people get lost in there. But someone who purposely went searching for a fault found a tiny hole that he can slip a picture through the wall. Where 99% of the people living in the castle would and will never find where it is even if they wanted too.

I'm sure IOS and Android still have many faults. In fact I hope they do because it would be terrible if they have already reached their peak.

Guest said:

The answer is yes. Apple iTunes and PC Windows both have been doing it for years. People just stopped caring. Google Android at least told you it could happen.

Timonius Timonius said:

Hmmm...this thought just occurred to me; 'they' grab information whether it be an app, super-cookie, sneaky advertising, or anything involving collecting data on us against our wishes (ie privacy violation) and many of 'us' have the nerve to go and grab a file or two that doesn't really belong us. Hmmm... hypocrites much?

Guest said:

@Timonius

Fail point is EPIC FAIL!

Tygerstrike said:

Tim youre half right on your comment. Some ppl do "take" files (movies, music, ect) and some dont. What the article is stating is that a good chunk of android/IOS phones do take and send your pics. I feel bad for those ppl who have erotic pics on their phone of them and their significant other. They have been collecting data on us for many many years. Just take photos that youre not willing to share with strangers. They still make digital cameras...so that might be away to get around them taking your photos. Just dont use your phone camera lol.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.