The address books fiasco finally comes to an end as Apple says it will make developers ask for permission first

Apple says it will require developers to ask for permission first before they access a user’s address book.

It’s the culmination of a very strange weeklong media blowout that started when a Singapore-based developer discovered that Path was uploading personal contact information from users’ address books without their knowledge. Path apologized and said it would delete all of the user data it had collected this way. That spiraled into a discussion in The New York Times about whether Silicon Valley entrepreneurs have become too cavalier about privacy, by pushing the envelope first and then asking for forgiveness later.

That then escalated into a tangentially related discussion of the flaws in tech media as Path investors rushed to defend the company. Yesterday evening, both VentureBeat and the Verge returned to the core issue by looking at other apps like Foursquare and Twitter that were also sending address book information to their servers. This morning, House Energy & Commerce Committee Chairman Henry Waxman and Commerce Manufacturing and Trade Subcommittee Chair G.K. Butterfield sent a letter to Apple asking the company to explain the situation.

Apple finally responded today in an interview with AllThingsD, saying that it would change its policy around address book access:

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines*,” Apple spokesman Tom Neumayr told AllThingsD. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

The way this entire story played out was pretty odd. Developers have long had access to address books on iOS, and if they do store data, it’s usually to suggest friends when new users come on board. While the intentions are usually harmless, it is true that a malicious developer could do much worse with this data access.

However, hashing has been a fairly well-known tactic to preserve user privacy while making it easy to suggest friendships. Beluga, the group messaging startup Facebook acquired last year, hashed contact lists. To hash a contact, the developer assigns a unique code to each name and stores that instead of the original information. When it scans an address book and finds other names that produce the same hash code, the app can recommend a friend connection. It seems Path, whose chief executive was one of the key early Facebook employees who built out the company’s platform, was merely careless in not hashing contact information.
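The hash-and-match approach described above, as an added Python sketch that is not code from Path, Beluga or Apple: the device normalizes each contact identifier and uploads only its SHA-256 digest, and the server matches digests. The names `normalize`, `contact_token` and `FriendIndex`, the choice of SHA-256, the default country code and the sample contacts are assumptions made for illustration.

```python
import hashlib
import re


def normalize(identifier, default_country_code="1"):
    """Canonicalize an email or phone number so the same contact always hashes the same."""
    value = identifier.strip().lower()
    if "@" in value:
        return value
    digits = re.sub(r"\D", "", value)
    # Assumption for this sketch: a bare 10-digit number belongs to the default country.
    if len(digits) == 10:
        digits = default_country_code + digits
    return "+" + digits


def contact_token(identifier):
    """Runs on the device: only this digest, never the raw value, is uploaded."""
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


class FriendIndex:
    """Server side: maps tokens of registered users' own identifiers to user ids."""

    def __init__(self):
        self._owner_by_token = {}

    def register(self, user_id, own_tokens):
        for token in own_tokens:
            self._owner_by_token[token] = user_id

    def suggest(self, user_id, address_book_tokens):
        """Return registered users whose tokens appear in the uploaded address book."""
        matches = {self._owner_by_token[t] for t in address_book_tokens
                   if t in self._owner_by_token}
        matches.discard(user_id)  # never suggest the user to themselves
        return sorted(matches)


def demo():
    # Constructed sample data (555-01xx numbers and example.com are reserved for examples).
    index = FriendIndex()
    index.register("alice", [contact_token("+1 (415) 555-0100"),
                             contact_token("alice@example.com")])
    index.register("carol", [contact_token("Carol@Example.com")])
    bobs_book = ["415-555-0100", "carol@example.com", "dave@example.com"]
    return index.suggest("bob", [contact_token(c) for c in bobs_book])


if __name__ == "__main__":
    print(demo())
```

Phone numbers come from a small, enumerable space, so an unkeyed digest of one is not anonymous on its own; stored tokens still need to be protected as personal data.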

There have been many privacy flaws in the design of the iOS platform over the years, including the use of UDIDs. The address books issue has existed for years, and yet it was not until one tiny blog post from a single developer emerged that a firestorm finally ensnared Congress and Apple.

Strange times, indeed.

Here’s the House committee letter to Apple:

Mr. Tim Cook
Chief Executive Officer, Apple Inc.
1 Infinite Loop
Cupertino, CA 95014

Dear Mr. Cook:
Last week, independent iOS app developer Arun Thampi blogged about his discovery that the social networking app “Path” was accessing and collecting the contents of his iPhone address book without ever having asked for his consent.[1] The information taken without his permission — or that of the individual contacts who own that information — included full names, phone numbers, and email addresses.[2] Following media coverage of Mr. Thampi’s discovery, Path’s Co-Founder and CEO Dave Morin quickly apologized, promised to delete from Path’s servers all data it had taken from its users’ address books, and announced the release of a new version of Path that would prompt users to opt in to sharing their address book contacts.[3]