Representatives Henry A. Waxman (D-CA) and G.K. Butterfield (D-NC) have sent letters to thirty-four app developers with a number of questions about their information collection and use practices. This follows on a letter from the Congressmen sent to Apple requesting information on the company's data collection policies it imposes on App Store developers.
The letters were sent to a wide variety of developers, and were selected by the Representatives on the basis of "their inclusion in the “Social Networking” subcategory within the “iPhone Essentials” area of Apple’s App Store." They include Turntable.FM, Twitter, Tweetbot, Path, Instagram, Facebook, and Apple itself.
Last month, a developer of applications ("apps") for Apple's mobile devices discovered that the social networking app Path was accessing and collecting the contents of his iPhone address book without having asked for his consent. Following the reports about Path, developers and members of the press ran their own small-scale tests of the code for other popular apps for Apple's mobile devices to determine which were accessing address book information. Around this time, three other apps released new versions to include a prompt asking for users' consent before accessing the address book. In addition, concerns were subsequently raised about the manner in which apps can access photographs on Apple's mobile devices.
We are writing to you because we want to better understand the information collection and use policies and practices of apps for Apple's mobile devices with a social element. We request that you respond to the following questions:
(1) Through the end of February 2012, how many times was your iOS app downloaded from Apple's App Store?
(2) Did you have a privacy policy in place for your iOS app at the end of February 2012? If so, please tell us when your iOS app was first made available in Apple's App Store and when you first had a privacy policy in place. In addition, please describe how that policy is made available to your app users and please provide a copy of the most recent policy.
(3) Has your iOS app at any time transmitted information from or about a user's address book? If so, which fields? Also, please describe all measures taken to protect or secure that information during transmission and the periods of time during which those measures were in effect.
(4) Have you at any time stored information from or about a user's address book? If so, which field? Also, please describe all measures taken to protect or secure that information during storage and the periods of time during which those measures were in effect.
(5) At any time, has your iOS app transmitted or have you stored any other information from or about a user's device - including, but not limited to, the user's phone number, email account information, calendar, photo gallery, WiFi connection log, the Unique Device Identifier (UDID), a Media Access Control (MAC) address, or any other identifier unique to a specific device?
(6) To the extent you store any address book information or any of the information in question 5, please describe all purposes for which you store or use that information, the length of time for which you keep it, and your policies regarding sharing of that information.
(7) To the extent you transmit or store any address book information or any of the information in question 5, please describe all notices delivered to uscrs on the mobile device screen about your collection and use practices both prior to and after February 8, 2012.
(8) The iOS Developer Program License Agreement detailing the obligations and responsibilities of app developers reportedly states that a developer and its applications "may not collect user or device data without prior user consent, and then only to provide a service or function that is directly relevant to the use of the Application, or to serve advertising.";
(a) Please describe all data available from Apple mobile devices that you understand to be user data requiring prior consent from the user to be collected.
(b) Please describe all data available from Apple mobile devices that you understand to be device data requiring prior consent from the user to be collected.
(c) Please describe all services or functions for which user or device data is directly relevant to the use of your application.
(9) Please list all industry self-regulatory organizations to which you belong.
The developers are given until April 12, 2012 to respond.
