The Washington PostDemocracy Dies in Darkness

Lots of apps use your personal contacts. Few will tell you what they do with them.

Our contacts are deeply private, but we don’t have much control over how they’re used

(Washington Post illustration/iStock)

Gabriela Buendia tries to take every precaution when it comes to information about her patients. The therapist uses encrypted video apps for virtual sessions, stores charts in HIPAA-compliant applications and doesn’t reach out to her clients on social media. She said she never saves her patients’ phone numbers on her smartphone either.

“I do that on purpose,” said the 42-year-old marriage and family specialist in Palo Alto, Calif. “It feels like I need to protect that data. I’ve just been trained that way.”

So it came as a shock when Buendia found out recently that Venmo, a digital payment app that patients increasingly use to pay their therapists, was displaying her entire contact list publicly. To her dismay, a combination of contacts imported from her phone and anyone who had paid her through the app — a list of more than 100 people — was visible to anyone on the Internet.

This nightmare scenario is incredibly common, thanks to the number of apps and websites that have access to our digital address books.

Our contact lists are filled with information on all the people who’ve come in and out of our lives going back years, even decades. They reveal relationships, both personal and professional, and most people think of them as a place to store private information — birthdays and physical addresses, but also more sensitive data such as social security numbers, bank account details and door codes.

“Address books are incredibly valuable in terms of revealing information about us to others,” said Ashkan Soltani, former chief technologist for the Federal Trade Commission.

And yet we share our smartphone contacts regularly with third-party apps like Venmo, Facebook, Chase bank, Wayfair and even Samsung’s smart washer without knowing what exactly we’re handing over or how the contacts are being used. An app only needs to get permission once through a quick context-free question that pops up as you’re installing it. And that information can be used to target ads or leaked online, revealing sensitive information about your network to people who might use it in scams.

In the past, digital contacts haven’t drawn as much attention as other types of personal data that tech companies collect and share, such as your location information or browsing histories. But digital contacts contain valuable information about you and the people in your circle. Few major changes have been made to contacts’ privacy options on Android and iOS devices since 2012, when Apple first added an option to control what apps had access to them.

Facebook now has to ask permission to track your iPhone. Here’s how to stop it.

Most recently contacts became a hot-button issue after a report mentioned that President Biden used Venmo to send his grandchildren money, and BuzzFeed News found his public-facing friend list. Venmo, which is owned by PayPal, subsequently added a setting to let people opt out, but many users still aren’t aware their information is exposed.

Venmo declined to comment on its new feature or specify which contact information it pulls from smartphones.

Privacy experts say a major overhaul is long overdue. Changes to mobile operating systems could include listing what contact fields an app takes, letting us always choose which contacts to share, and giving us the ability to divide our address books into sections, making only certain contacts shareable.

What’s Being Accessed?

Consider what you actually store in your contacts app. Each entry has a field for phone numbers, physical addresses, job titles, anniversaries and birthdays, and even a label for how you’re related to a person. Then there’s the “Notes” field, where some people told us they keep passwords, social security numbers, private descriptions of acquaintances and maybe even building access codes.

What you might not know is that apps can potentially see all of that information once you grant them contact access. Right now in iOS, third-party apps with permission can access any contact field, except for the Notes section, which requires additional approval from Apple. The company only added that roadblock in 2019, and it declined to say how many or which apps are cleared to access Notes.

So what exactly is each app taking?

It’s not entirely clear. Many companies we contacted weren’t transparent. We contacted more than 30 companies with third-party apps using contacts to ask what they’re accessing, what it’s for and when they delete the information.

A third of them didn’t reply at all, and of the ones that did, seven including Zoom, LinkedIn and Venmo would not say exactly what contact field information they take. Some pointed us to their privacy policies, but we found the information was rarely listed there. Of the companies that would share details, the majority including Facebook, Skype and Pinterest said they accessed just the basics — such as name, phone number and email address. Others take more. Snap, for example, says it also accesses the last time a contact was updated, whether or not it included an image or birthday, and for Android users, if that person had saved a contact to their favorites, the company said.

The spy in your wallet: Credit cards have a privacy problem

We also discovered that disabling an app’s connection to your contacts in iOS or Android settings is like shutting off a hose. It can stop that app from getting anything new, but it doesn’t take back data you already let flow into its hands. Almost all of the apps we contacted do not automatically delete any contact information when you revoke access in your smartphone’s settings. To make sure they delete that data, you have to follow each company’s instructions, which might include going into settings or sending an email to customer support. Any additional privacy features, if they exist, are also tucked away in individual app settings.

“Consumers shouldn’t have to dig through their settings and opt in to their privacy. It should be the baseline. It should be when the product is shipped, not something you go back to,” said Kaili Lambe, a senior campaigner at Mozilla, who has pushed for more privacy related to contacts.

A Pattern of Bad Behavior

Tech companies have a long history of mishandling contacts, and the industry has been slow to give people more control.

Path, a social network launched in 2010, settled with the Federal Trade Commission over the way it automatically collected contact information from users’ address books without consent. Google Buzz, a social app launched the same year, also settled with the FTC. It was criticized for automatically having users follow their most common Gmail contacts and showing that list publicly.

More recently, audio-chat app Clubhouse wouldn’t let users send invites unless they handed over access to their contacts. It removed that requirement, but it still turns all uploaded contacts into a list of suggested people to invite, where everyone — from your gynecologist to your defense attorney — is ranked by how many friends they have on Clubhouse, even if they aren’t signed up. Clubhouse declined to comment on privacy concerns around the feature.

Private companies aren’t the only ones accused of misusing contacts. In 2013, documents provided by Edward Snowden showed that the National Security Agency was collecting millions of contact lists, often from email and instant messaging accounts, to find hidden connections and relationships between targets.

Contacts have been leaked in data breaches and hacks, or obtained by malware apps — sketchy apps in the Android or iOS app stores that ask for contacts access — for years, according to cybersecurity researcher Aamir Lakhani.

“The problem is that many applications want to collect and have you share information when there is no real need,” said Lakhani. “App makers use this to collect data, run ads and possibly use that data in other ways. Lots of people are getting used to sharing the data and not realizing the impact it may have.”

Protecting Your Virtual Rolodexes

For now, there are some precautions you can take to protect your virtual rolodexes — from a simple spot check to see who already has access, to changing where you keep your most sensitive information. We break them down here.

A few new features are also slowly being added.

Apple is adding a new privacy report in the next iOS update that tells you how often each app syncs contacts, but no new controls.

Apple declined to comment on its privacy policy related to sharing contacts.

Google has a new setting in its latest mobile operating system, Android 11, that revokes an app’s access to contacts if it hasn’t been used in several months, though it still isn’t on most Android devices.

“We are committed to protecting the privacy of our users, and we have strict policies limiting how developers can access a person’s contacts data,” said Google spokesman Dan Jackson.

Jennifer King, a privacy and data policy fellow at the Stanford Institute for Human-Centered Artificial Intelligence, has been raising red flags about contacts for years, including pointing out what features could help. “It just mystifies me that the companies have never done this. You can’t get these companies to pay attention to it, so they never have.”

Yes, you’re being tracked. The Post’s technology team answers your data privacy questions.

There are also apps that limit what data they take. Workplace chat app Slack, for example, says it saves only information for individuals you choose to invite to the app, instead of using your entire address book.

Dating app Tinder added a feature called Block Contacts in June that lets you use your address book to pick out people you don’t want to see on the app, storing only the contacts you select.

Encrypted chat app Signal, like other messaging apps, requests access to your smartphone’s contacts, but the company said it doesn’t upload anything off a user’s device. It has been criticized for its own use of contact information, such as a feature that alerts users anytime someone in their phone contact list joins Signal for the first time, though there’s now an option to opt out.

Signal founder Moxie Marlinspike said by keeping all the information on our own devices, we actually maintain control instead of letting companies like Facebook own them. It makes it easier to switch between social networks or messaging apps because the key information is still owned by the individual.

As for Buendia, the therapist, she recently spent a few minutes digging through her many Venmo settings to make her contacts and transactions as private as possible and stays alert as much as she can. And she’s sticking to her policy of not saving clients’ names to her contacts.

“If anyone ever got into my phone, they’d just see a number.”