Sarah Perez, TechCrunch:
iOS apps that build their own social networks on the back of users’ address books may soon become a thing of the past. In iOS 18, Apple is cracking down on the social apps that ask users’ permission to access their contacts — something social apps often do to connect users with their friends or make suggestions for who to follow. Now, Apple is adding a new two-step permissions pop-up screen that will first ask users to allow or deny access to their contacts, as before, and then, if the user allows access, will allow them to choose which contacts they want to share, if not all.
Kevin Roose, New York Times, in an article with the headline “Did Apple Just Kill Social Apps?”:
Now, some developers are worried that they may struggle to get new apps off the ground. Nikita Bier, a start-up founder and advisor who has created and sold several viral apps aimed at young people, has called the iOS 18 changes “the end of the world,” and said they could render new friend-based social apps “dead on arrival.”
That might be a little melodramatic. I recently spent some time talking to Mr. Bier and other app developers and digging into the changes. I also heard from Apple about why they believe the changes are good for users’ privacy, and from some of Apple’s rivals, who see it as an underhanded move intended to hurt competitors. And I came away with mixed feelings.
Leaving aside the obviously incendiary title, I think this article’s framing is pretty misleading. Apple’s corporate stance is the only one favourable to these limitations. Bier is the only on-the-record developer who thinks these changes are bad; while Roose interviewed others who said contact uploads had slowed since iOS 18’s release, they were not quoted “out of fear of angering the Cupertino colossus”. I suppose that is fair — Apple’s current relationship with developers seems to be pretty rocky. But this article ends up poorly litigating Bier’s desires against Apple giving more control to users.
Bier explicitly markets himself as a “growth expert”; his bio on X is “I make apps grow really fast”. He has, to quote Roose, “created and sold several viral apps” in part by getting users to share their contact list, even children. Bier’s first hit app, TBH, was marketed to teenagers and — according to several sources I could find, including a LinkedIn post by Kevin Natanzon — it “requested address book access before actually being able to use the app”. A more respectful way of offering this feature would be to ask for contacts permission only when users want to add friends. Bier’s reputation for success is built on this growth hacking technique, so I understand why he is upset.
What I do not understand is granting Bier’s objections the imprimatur of a New York Times story when one can see the full picture of Bier’s track record. On the merits, I am unsympathetic to his complaints. Users can still submit their full contact list if they so choose, but now they have the option of permitting only some access to an app I have not even decided I trust.
Roose:
Apple’s stated rationale for these changes is simple: Users shouldn’t be forced to make an all-or-nothing choice. Many users have hundreds or thousands of contacts on their iPhones, including some they’d rather not share. (A therapist, an ex, a random person they met in a bar in 2013.) iOS has allowed users to give apps selective access to their photos for years; shouldn’t the same principle apply to their contacts?
The surprise is not that Apple is allowing more granular contacts access, it is that it has taken this long for the company to do so. Developers big and small have abused this feature to a shocking degree. Facebook ingested the contact lists of a million and a half users unintentionally — and millions of users intentionally — a massive collection of data which was used to inform its People You May Know feature. LinkedIn is famously creepy and does basically the same thing. Clubhouse borrowed from the TBH playbook by slurping up contacts before you could use the app.1 This has real consequences in surfacing hidden connections many people would want to stay hidden.
Even a limited capacity of allowing users to more easily invite friends can go wrong. When Tribe offered such a feature, it spammed users’ contacts. It settled a resulting class action suit in 2018 for $200,000 without admitting wrongdoing. That may have been accidental. Circle, on the other hand, was deliberate in its 2013 campaign.
Apple’s position is, therefore, a reasonable one, but it is strange to see no voices from third-party experts favourable to this change. Well-known iOS security researchers Mysk celebrated it; why did Roose not talk to them? I am sure there are others who would happily adjudicate Apple’s claims. The cool thing about a New York Times email address is that people will probably reply, so it seems like a good idea to put that power to use. Instead, all we get is this milquetoast company-versus-growth-hacker narrative, with some antitrust questions thrown in toward the end.
Roose:
Some developers also pointed out that the iOS 18 changes don’t apply to Apple’s own services. iMessage, for example, doesn’t have to ask for permission to access users’ contacts the way WhatsApp, Signal, WeChat and other third-party messaging apps do. They see that as fundamentally anti-competitive — a clear-cut example of the kind of self-preferencing that antitrust regulators have objected to in other contexts.
I am not sure this is entirely invalid, but it seems like an overreach. The logic of requiring built-in apps to request the same permissions as third-party apps is, I think, understandable on fairness grounds, but there is a reasonable argument to be made for implied consent as well. Assessing this is a whole different article.
But Messages accesses the contacts directory on-device, while many other apps will transport the list off-device. That is a huge difference. Your contact list is almost certainly unique. The specific combination of records is a goldmine for social networks and data brokers wishing to individually identify you, and understand your social graph.
I have previously argued that permission to access contacts is conceptually being presented to the wrong person — it ought to, in theory, be required by the people in your contacts instead. Obviously that would be a terrible idea in practice. Yet each of us has only given our contact information to a person; we may not expect them to share it more widely.
As in so many other cases, the answer here is found in comprehensive privacy legislation. You should not have to worry that your phone number in a contact list or used for two-factor authentication is going to determine your place in the global social graph. You should not have to be concerned that sharing your own contact list in a third-party app will expose connections or send an unintended text to someone you have not spoken with in a decade. Data collected for a purpose should only be used for that purpose; violating that trust should come with immediate penalties, not piecemeal class action settlements and FTC cases.
Apple’s solution is imperfect. But if it stops the Biers of the world from building apps which ingest wholesale the contact lists of teenagers, I find it difficult to object.