The iOS address book row is no longer just a tempest in the internet's teapot: members of the US Congress have just sent a letter to Apple, demanding answers about its app approval process and the privacy and security of data that's accessed or transmitted by iOS apps. The letter follows a wave of complaints and bickering this week that ignited with the revelation that Path was uploading data from iPhone address books without asking for explicit permission. Path has since apologized to its patrons and purged their personal data, but as we've independently confirmed, the problem presented by the faux pas persists — any iOS app has complete access to an ample amount of data that's on your iPhone, including the address book and calendar. And any iOS app can, without getting your permission, upload all of that information stored in your address book to its servers.
Congress says that the Path incident "raises questions about whether Apple's iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts." So it's asking Apple to describe all of its iOS app guidelines concerning data privacy, to explain how it determines whether apps meet those criteria, and to describe what kind of data the company thinks is private. Other questions get straight to the point:
- How many iOS apps in the US iTunes store transmit "data about a user"?
- How many iOS apps in the US iTunes store transmit information from the address book? How many of those ask for the user's consent before transmitting their contacts' information?
- You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis. Please explain why you have not done the same for address book information.
Congress doesn't want to wait long to get answers from Apple: it's asked the company to respond by February 29th. We'll be on the lookout for Apple's response, whether it's in the form of a letter, or iOS 5.0.2.