This is the number one privacy feature Apple should offer iPhone users when it releases iOS 17
When Apple previews iOS 17—the iPhone’s next operating system—at its annual developers conference in June, it would be heartening to see the company introduce one major privacy feature that its users have needed for years: the ability to pick which contacts get uploaded when an app requests access to a user’s contact book. Right now, it’s all contacts or none, and that means that developers large and small can infer intimately personal details about a user’s life if the user chooses to grant the app access to their contact book.
After all, most of us probably have the phone number or email address of a teacher at our child’s school saved in our contacts, revealing where our children spend their days. We also likely have info for therapists or doctors we visit, as well as professional colleagues and financial advisers. Many of us even give these contacts straightforward labels such as “marriage counselor” or “financial adviser” or “oncologist,” revealing explicitly who’s who and how they relate to us, and perhaps even the medical conditions we have. We may even have information saved that reveals our political leaning, religion, or causes we’re passionate about—perhaps we have the contact information of a rabbi or a BLM organizer in our contacts book.
This information is a gold mine for major social media platforms and apps. It helps them build a social graph of who we know, which is then used by tech companies to serve us ads or content we might find interesting, increasing profits and engagement. But this data—which can contain the phone numbers, home addresses, and birthdays of the people we know and love—can also be sold by the app or platform to third parties. And, if the app’s systems are ever hacked, bad actors could find out everyone you know, making spoofing or identity theft much easier.
The weaponization of contact information
One horrible real-world example of how apps have abused a user’s contact information was detailed in a 2021 report from Vice. A man downloaded an instant loan app to get money to help him through a financially tough time. As part of the process, the app requested access to all of his phone’s data, including his saved contacts. He repaid his first loan on time, but when he failed to pay back a second loan on time due to his salary being delayed, a person associated with the loan app began sending embarrassing WhatsApp messages to the people in his contacts book, telling them that the man was a thief.
“I felt like I had been stripped naked in front of everyone,” the victim told Vice.
Incidents like this are probably one of the reasons why Google recently announced that, beginning May 31, 2023, personal loan apps will not be allowed to request access to a user’s contacts. But Google and Apple should go further, getting rid of the all-or-nothing approach completely and letting the user decide which contacts an app can have access to.
There are valid reasons that apps request contacts access, but some apps abuse the privilege
Despite the wealth of information our contact book contains about us and those we know, there are some good reasons that an app may request access to our contacts. Messenger and social media apps frequently do so in order to let the user know, “Hey, your friend is on here, too. Want to connect with them?”
And that’s a good thing. It makes the experience of using that app or service much easier and better. But some apps take advantage of users’ trust.
In WhatsApp, for example, anyone who knows your phone number can send you a message. But if you haven’t given WhatsApp access to your contacts book, WhatsApp only allows you to see the phone number of the person sending the message—and not the sender’s name‚ despite every WhatsApp user being able to set a publicly visible username. There is no reason for WhatsApp to withhold the public username of senders from appearing in the chats list unless the company wants to use such information as leverage, to get the user to give WhatsApp access to their phone’s contacts. It’s a bit shady—and it shows how much Meta wants your valuable contacts data. Plenty of other messaging apps allow the user to see the public usernames of message senders, even if the user hasn’t given the app access to their contacts.
But even when an app like WhatsApp requests access to our contacts book for a helpful reason, like facilitating connections with people we already know, why should it also get to know who our doctors or clients are instead of just our friends? Why shouldn’t we be able to choose to only give them access to specific contacts or groups of contacts instead of every single contact we have?
This granular control would allow us to pick specific contacts each time an app requests access, or entire groups of contacts—for example, our “friends” group but not our “work” group. After all, most contact apps, including the default ones in iOS and Android, allow the user to create groups and sort contacts into them.
Apple has set a precedent for such granular privacy protections in the past
While Google’s Android operating system should also implement such granular control over contacts, I’m specifically calling out Apple for a couple of reasons. The first is that Apple’s brand is privacy, and this lack of granular control over contact access is a big hole in that privacy ethos.
But the second reason is more important: Apple has already implemented a granular system like the kind I am proposing with the Contacts app for another app. When it released iOS 14, in 2020, Apple finally allowed users to give apps access to only select photos in their Photos library, instead of all of them. In iOS 13 and earlier, when an app requested photo library access, the app gained access to every personal photo in the iPhone’s photos library.
The enhanced granular control was an excellent privacy feature from a company that, I believe, truly cares about user privacy. But now it’s time for Apple to use that same feature to plug an even bigger privacy hole, in its Contacts app.
Here’s hoping Apple does just that when it previews iOS 17 at its Worldwide Developers’ Conference on June 5. And yes, here’s hoping Google’s Android follows suit.
(21)