A bit liberal with user’s data?
I doubt it.
There has recently been a bit of a buzz on the internet surrounding the extremely popular iPhone/iPod touch game Aurora Feint. I am a big fan of Aurora Feint, so I was a bit shocked to hear that apparently some people who have gotten SSH running on their iPhones under the new firmware have discovered that Aurora Feint creates a copy of all the e-mail addresses and phone numbers in your contacts list, and stores them in a “secret” directory on your iPhone (of course, unless you’ve jailbroken your iPhone, pretty much all directories are secret). This in and of itself is a bit suspect, but alarm bells really began to go off when someone noticed that AF was sending that information (unencrypted) to the Aurora Feint servers as well.
Above: If you do this, you will be sending all your friends’ e-mail addresses and phone numbers to Aurora Feint. But do you care?
We’ve received some e-mails from people asking how their personal data is used in relation to the community feature.
The short answer: All personal data is used on ONLY an Opt In basis to support the community features of Aurora Feint. That’s it. Period. We never rent, sell, or otherwise do anything with that data that you would not want us to do.
The long answer: Personal data is only used for the Community Feature. We store the e-mail and phone number that you enter in the Community Tab on our web servers, IF you explicitly type it in, so that other people may find and compare their stats with your character.
Some people have noticed that on your iPhone’s hard drive we make a local copy of the email and phone numbers from your contact list. This data is sent to our web servers when you press “Refresh Your Friends” on the community page. It is used ONLY to find other players who you know that have opted in to the community feature of Aurora Feint. This data is NOT saved on our web server. It is saved locally on YOUR iPhone so the game can optimize fetching that friend’s data in the future.
Please be assured that we are only storing data that you directly type in to our game on the community page and not taking any personal info without your explicit knowledge. We are not using it for ANY other purpose.
Above: Aurora Feint’s homepage this morning (left), vs. this afternoon (right). Hey look! A “Privacy” page!
So basically, AF creates a list of all your contacts’ e-mail addresses and phone numbers, but only stores them locally. When you sign up for the AF Community, AF’s servers store only THAT info, not your friends’ info. Then, when you hit “Refresh Your Friends”, AF checks the contacts you have stored locally against the community members’ info it has collected (with the voluntary consent of the players) and notifies you of matches, but it does not store your friends’ contact information on the servers after making the check.
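The match-without-retention flow summarized above, as an added sketch that is not Aurora Feint's code: the class, function names and sample contacts are hypothetical. Unlike the app as described, the local cache here keeps only matched contacts rather than a copy of the whole address book.

```python
import re

def normalize(identifier: str) -> str:
    """Canonical form so '(555) 010-0199' and '5550100199' compare equal."""
    identifier = identifier.strip().lower()
    if "@" in identifier:
        return identifier
    return re.sub(r"\D", "", identifier)  # phone number: keep digits only


class CommunityServer:
    """Hypothetical server: persists only what a player typed in when opting in."""

    def __init__(self):
        self.members = {}  # normalized identifier -> account id (opt-in data only)
        self._next_id = 1

    def opt_in(self, email: str, phone: str) -> int:
        account_id = self._next_id
        self._next_id += 1
        for ident in (email, phone):
            self.members[normalize(ident)] = account_id
        return account_id

    def match_friends(self, uploaded_contacts):
        """Compare uploaded contacts to opted-in members; the upload is never stored."""
        matches = {}
        for raw in uploaded_contacts:
            key = normalize(raw)
            if key in self.members:
                matches[key] = self.members[key]
        return matches  # identifiers of non-members are dropped when this returns


def refresh_friends(server, address_book, local_cache):
    """Client side of 'Refresh Your Friends': upload, then cache matched ids only."""
    local_cache.update(server.match_friends(address_book))
    return sorted(set(local_cache.values()))


# Constructed sample data: one opted-in player, three address-book entries.
server = CommunityServer()
alice_id = server.opt_in("alice@example.com", "555-010-0101")
address_book = ["Alice@Example.com", "(555) 010-0199", "bob@example.org"]
cache = {}
friend_ids = refresh_friends(server, address_book, cache)
```

After the refresh, the server's stored state still contains only the opted-in player's own two identifiers; the two contacts who never signed up appear nowhere on the server or in the cache.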
Macenstein: Does Aurora Feint create that list of contacts (phone, e-mail) when you play the game no matter what, or only if you sign up for the community feature? If so, why?
DC: That local list is created no matter what. The list is used to keep track of our internal account ids for friends who are matched against the server. It speeds up future requests for your friends’ data. So, you could say, it’s an optimization.
Macenstein: When you say the information is stored on your servers only if the user explicitly enters it, does Aurora Feint tell you that, and tell you that it will be looking through your contacts?
DC: The text associated with the community features says “Supply your phone number and email to automatically locate your friends!”. We assumed people would guess that meant we used their contact list. We’ll add a more detailed disclosure in the next release with information on how the information is used and stored.
Macenstein: Is there a way for a user to remove that information that is sent to the servers if you decide you no longer wish to be part of the community?
DC: Currently no. However, this feature has already been implemented and will be available in our first update.
Macenstein: Is there a reason why simply signing up with a community forum screen name and leaving it up to the players to send that to their friends would not have worked? I understand the desire to make things easier for the end user in finding friends online, but obviously with privacy concerns running high these days, you can see how someone might be worried when a computer program sends their friend’s info out without their knowledge.
DC: Yup! We wanted to make it really easy to discover your friends who are playing the game. We added this contact list integration because we thought users would be delighted to discover that their friends are playing the game. We spent a lot of time getting this community feature streamlined so it’s easy to use. The notion that this is spyware is really upsetting to us. We’re rather disappointed that our hard work is being cast in such a negative light. As an aside, the community feature has been disabled since Friday. We decided that enough people were using it that we wanted to make sure we spent a little more time making the data secure. In our next update you’ll see all the usual industry standard techniques for securing sensitive data. We didn’t include this in our initial release due to time constraints. It’s only the two of us coding our butts off to make a fun game for everyone!
Feel free to contact us if you have more questions.
So, is Aurora Feint SpyWare?
Well, what is SpyWare? Is it anything that collects data without your permission/knowledge, or does it have to be used for evil? I happen to believe Aurora Feint when they say what the collected information is and is not being used for, but unfortunately we have no way to know for sure, and that’s where the problem lies. Even if you believe Danielle, as I do, this opens up a whole new issue we as iPhone users need to be aware of, namely, just because an app makes it to the iTunes store, don’t think it is 100% secure. It is very tempting when a great looking, addictive, and not to mention FREE app comes along to want to install it on your iPhone, but there are of course risks.
Three cheers for Jailbreaking
Given how much work it must be for Apple to sort through every submitted app to the iTunes store, one could certainly make the argument that Apple actually benefits from hackers cracking the iPhone’s firmware and jailbreaking the iPhone. As illustrated here, if it weren’t for the eagle-eyes of a few iPhone hackers, we may not have even known to be wary of iPhone apps transmitting our sensitive info across the interweb to God only knows who, to be used for God knows what. And again, while I personally believe Aurora Feint’s developers acted in good faith, this certainly makes me think twice about downloading every free app I see on the iTunes App store, even if it does have Christopher Walken asking for More Cowbell.