Sarahah harvests your phone contacts for a feature that doesn’t exist yet

Sarahah, the anonymous feedback app that’s been going viral for the past couple of weeks, may not be as private as it sounds: it turns out the app uploads users’ phone contacts to the company’s servers, seemingly for no good reason. The behavior was spotted by security analyst Zachary Julian and first reported by The Intercept.

Zain al-Abidin Tawfiq, the app’s founder, said that contact lists are being uploaded “for a planned ‘find your friends’ feature” that was “delayed due to a technical issue.” After The Intercept pointed out the behavior, he tweeted “the data request will be removed on next update” and that Sarahah’s servers don’t “currently host contacts.”

The app doesn’t entirely hide that it’s interested in your contacts. On both iOS and Android, Sarahah asks for permission to access each user’s phone contacts — and even if you say no, you can continue to use the app.

But users who do grant access to their contacts list probably expect it to add some sort of functionality to the app. And as of now, it doesn’t. There’s no friends list inside the app. And while there’s a search feature, you can’t look people up by phone number. Nor is there a section, like in Instagram, to show which of your contacts are already using the service.

Julian discovered the behavior by using monitoring software to watch the data Sarahah sent from and received on his Android phone. Among that data was “all of your email and phone contacts”; he later determined that the same upload occurs on iOS as well.
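The kind of check Julian’s monitoring would have relied on can be automated: once an intercepting proxy has captured an app’s outbound request bodies, a short script can flag any body that carries a whole address book rather than a single phone number or e-mail address. The example below is added here and is not code from the article, from Julian, or from Sarahah; the request bodies and field names are constructed for illustration, since the page does not show the app’s real upload format, and the threshold of five contact-like entries is an assumption.

```python
"""Flag captured HTTP request bodies that look like a bulk contact upload."""
import json
import re

# Loose patterns for phone numbers (E.164-ish) and e-mail addresses.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Field names an address-book export commonly uses (assumed; real apps vary).
NAME_KEYS = {"name", "displayname", "display_name"}
REACH_KEYS = {"phone", "phones", "number", "email", "emails"}


def contact_indicators(body: str) -> dict:
    """Count phone numbers, e-mail addresses and contact-like JSON objects in a body."""
    phones = len(PHONE_RE.findall(body))
    emails = len(EMAIL_RE.findall(body))
    try:
        data = json.loads(body)
    except ValueError:  # not JSON: fall back to the raw pattern counts only
        data = None
    # Walk the JSON tree and count objects that pair a name with a phone or e-mail field.
    objects = 0
    stack = [data]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            keys = {k.lower() for k in node}
            if keys & NAME_KEYS and keys & REACH_KEYS:
                objects += 1
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return {"phones": phones, "emails": emails, "contact_objects": objects}


def is_bulk_contact_upload(body: str, threshold: int = 5) -> bool:
    """True when a body carries many contacts; a single number in a message is not enough."""
    ind = contact_indicators(body)
    return ind["contact_objects"] >= threshold or (ind["phones"] + ind["emails"]) >= threshold


# Constructed sample bodies, not real Sarahah traffic.
SAMPLE_REQUESTS = {
    "login": json.dumps({"username": "alice", "password": "hunter2"}),
    "message": json.dumps({"to": "bob", "text": "Call me at +1 555 010 0001 or mail a@b.co"}),
    "contacts": json.dumps({"contacts": [
        {"name": f"Contact {i}", "phones": [f"+1555010{i:04d}"], "email": f"c{i}@example.com"}
        for i in range(40)
    ]}),
}


def flag_requests(requests: dict) -> list:
    """Return the names of captured requests that look like bulk contact uploads."""
    return [name for name, body in requests.items() if is_bulk_contact_upload(body)]


if __name__ == "__main__":
    for name in flag_requests(SAMPLE_REQUESTS):
        print(f"{name}: {contact_indicators(SAMPLE_REQUESTS[name])}")
```

Only the `contacts` body is flagged: the chat message contains one phone number and one address, which is what a messaging feature would legitimately send, while forty name-plus-number objects in a single request is the signature of an address book leaving the device.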

Uploading contact lists is not all that uncommon and is often done in legitimately helpful ways. But it’s something apps really shouldn’t do unless users are getting something out of it. And either way, people tend to be pretty unhappy when their personal data gets used in ways they weren’t made aware of.

Earlier this year, users of the service Unroll.me grew upset when it was reported that the company sold their data to Uber. While this kind of activity is often covered in an app’s terms of service, that certainly doesn’t mean most users are going to be aware of it.

Sarahah’s founder makes it sound like the company isn’t doing anything with the data it collects. But either way, that information is being sent to the company’s servers when it doesn’t need to be.

Update August 27th, 6:47PM ET: Sarahah says contacts are being uploaded for an unreleased feature and that the behavior will be stopped in the next update. The article has been updated to reflect this.

Comments

I’m still bitter about the access I gave Apps years ago, before iOS made it clear what they were accessing.

I revoked access both on my devices and on the google servers – I then went to the services websites to delete uploaded contacts (eg with LinkedIn and Facebook). But they didn’t make it easy – and I’m sure there are some services I missed.

I do think there should be a middle ground between allowing access and uploading a full copy of my address book.

I want to grant uber access to my contacts so I can just type ‘Bob’ and see my friends name and click it to get there faster. But I don’t want my contact list uploaded to uber servers for them to spam my friends or sell to their partners or monetize in another way.

Hopefully in the future privacy settings like contacts won’t be limited to all or none – by allowing them access only for user prompted searches. Almost like allow access to GPS while using app only.


And that is what is truly terrible. And even then, some accounts can’t be disabled, you can only remove personal information from them. It is why I limit the number of accounts I have as much as possible.

Sucking our Phone Contacts up, and Cross referencing them is exactly how Facebook got so big.

Next billion dollar social network will do the same – but off instead of up.
