Sarahah, the anonymous feedback app that’s been going viral for the past couple of weeks, may not be as private as it sounds: it turns out the app uploads users’ phone contacts to the company’s servers, seemingly for no good reason. The behavior was spotted by security analyst Zachary Julian and first reported by The Intercept.
Zain al-Abidin Tawfiq, the app’s founder, said that contact lists are being uploaded “for a planned ‘find your friends’ feature” that was “delayed due to a technical issue.” After The Intercept pointed out the behavior, he tweeted “the data request will be removed on next update” and that Sarahah’s servers don’t “currently host contacts.”
The app doesn’t entirely hide that it’s interested in your contacts. On both iOS and Android, Sarahah asks for permission to access each user’s phone contacts — and even if you say no, you can continue to use the app.
But users who do grant access to their contacts list probably expect it to add some sort of functionality to the app. And as of now, it doesn’t. There’s no friends list inside the app. And while there’s a search feature, you can’t look people up by phone number. Nor is there a section, like in Instagram, to show which of your contacts are already using the service.
Julian discovered the behavior by using monitoring software to see what data Sarahah was sending and receiving from his Android phone. Among that data was “all of your email and phone contacts”; the same, he later determined, occurs on iOS as well.
Uploading contact lists is not all that uncommon a behavior and is often used in legitimately helpful ways. But it’s something that apps really shouldn’t do unless users are getting something out of it. And either way, people tend to be pretty unhappy when their personal data gets used in ways they weren’t made aware of.
Earlier this year, users of the service Unroll.me grew upset when it was reported that the company sold their data to Uber. While this kind of activity is often covered in an app’s terms of service, that certainly doesn’t mean most users are going to be aware of it.
Sarahah’s founder makes it sound like the company isn’t doing anything with the data it collects. But either way, that information seems to be getting sent to the company’s server when it doesn’t really need to be.
Update August 27th, 6:47PM ET: Sarahah says contacts are being uploaded for an unreleased feature and that the behavior will be stopped in the next update. The article has been updated to reflect this.