Developers explicitly can't sell info to third parties.

Apple updated its app guidelines last week, and while the biggest news was a widespread ban on cryptocurrency mining, the company also tightened its grip on what developers can and can't do with user info. Specifically, it restricted apps' abilities to collect, harness and share anyone's contact information.

Per Bloomberg, app developers have been abusing their access to users' contact info for years. Their apps ask for access first, then harvest the data for marketing purposes or even sell it outright -- all without permission from the contacts affected.

Apple's updates to the App Store guidelines now prohibit developers from making databases of info gleaned from address books, and from requesting access to contact info under one pretense and then using it for something else -- they have to get consent for what they're actually using it for. And selling that data to third parties is now forbidden.

Apple isn't making these changes in response to any particular scandal, though its CEO Tim Cook certainly criticized Facebook during the Cambridge Analytica scandal for that company's misuse of user data. (He later rejected the assertion that Apple inappropriately received any personal info from the social media company during this time period.) But following the implementation of the EU's privacy-intensive GDPR last month, restricting third parties' potential access to data sourced from users on Apple's devices seems a smart move anyway.
Apple has patched a little-known App Store loophole that enabled developers to harvest data on iOS users' contacts, thereby limiting third-party access to potentially unprotected sources of personal information. Previously announced Apple privacy safeguards applied to the user's own data, but not that of their contacts, creating a treasure trove of information that could be used individually or via compositing from multiple users with contacts in common.

As explained in a new report from Bloomberg, iOS app developers have been allowed to request a user's permission to access address book or contact data, which, if granted, enabled aggregation of multiple types of information about friends, family, and business associates — names, phone numbers, email addresses, profile photos, birth dates, home and work addresses, and information on how recently the contact was created. This information could be transferred virtually anywhere as soon as a user grants permission, without any tracking or other information being sent to Apple.

The issue is that unlike the app's user, who has the ability to choose whether her information is shared, the contact is never asked for that permission, nor given any opportunity to withdraw it. Developers are able to sell that information to data brokers and leverage knowledge of your contacts to advertise items to you with endorsements from friends and family, akin to Facebook's "your friends already like this product" page feature. Some developers have bulk-texted friends of users using contact information to help build user bases for their services.

Apple's change blocks apps from contacting people using contact- or photo-gathered information, except at the explicit initiative of that user on an individualized basis. Developers are also required to provide a clear advance description of how the contacting message will appear to the recipient.
The rules also bar developers from making, sharing, or selling databases of shared contact information, as well as using the information for previously undisclosed purposes. But there's no way to go back and either block or retrieve data previously shared. You can turn off the faucet going forward, but whatever's been given to developers is already out there.