Showyou, Privacy and Our Response to the Congressional Questionnaire

A few weeks ago, Congressmen Henry Waxman and G. K. Butterfield sent a letter to the 34 companies (all had apps listed in Apple’s “iTunes Essentials List” in the social networking category) asking about their practices with regard to user data and the collection of address book information. Because Showyou was on the iTunes Essentials list, we were among the companies that received this letter.

This topic, of course, is one we’ve discussed here over the past two months, with blog posts about how our Friend Finder works and changes we’ve made in response to some of the debate and discussion within the industry.

Because this is an important and vital discussion, we wanted to make our response public and have provided the text of our response below; or you can see a full PDF of our response here. As always, we’d love any feedback on the approach we’ve taken, and how it might be improved. Feel free to send us your thoughts: feedback@showyou.com.

Our letter:

Introduction

Remixation makes Showyou, a free application for the iPhone and iPad that launched in April 2011.  Remixation built Showyou to make it easier for people to find, watch, and share videos on their iPhones and iPads.

With Showyou, a user can:

  1. Sign up with a Twitter or Facebook account, to see all videos shared publicly by friends on Facebook, or by people the user is following on Twitter, in one place.
  2. Follow other Showyou users to see the videos they share and comment on publicly.
  3. Browse the most popular videos on Showyou.
  4. Browse videos by category and by channel within a category.
  5. Search the nearly 40 million videos in the Showyou database.

Apple named Showyou the Best Social Networking application for the iPad in 2011 (App Store Rewind 2011).  Showyou has been included in various “Top 10 Apps” and “Must Have Apps” lists from Wired Magazine, ABC News, The Next Web and the Huffington Post, and it has received acclaim from users and critics alike.

Showyou’s Friend Finder

As with many other social networking applications and services, one of Showyou’s features allows a user to find friends who are already using the app so the user can “follow” them.  This feature is called “Friend Finder.”  Friend Finder is optional: a user can skip it when creating a Showyou account, and a user can choose to use Showyou without creating an account at all, which results in no user information being transmitted to Showyou.

If a user decides to use Friend Finder, the app checks if the user’s friends on Facebook (if the user signs up with a Facebook account), or accounts the user is following on Twitter (if the user signs up with a Twitter account), are already on Showyou.  Showyou uses Twitter’s and Facebook’s publicly-available APIs for that purpose.  The app also asks, in a pop-up, whether the user would like Showyou to look for friends already using the app based on matches with email addresses in the user’s iPhone or iPad Contacts list.  If the user taps “yes,” the app transmits email addresses from the user’s contact list to the Showyou servers for the sole purpose of checking for matches with the email addresses of registered Showyou users.  Based on those matches, the app identifies others on Showyou that the user might want to follow.  If matches are found, the user is given the option to follow those users—no “following” happens automatically.

Showyou does not store and has never stored email addresses or any other Contacts information (or, indeed, any data about contacts on Twitter or Facebook) on its servers.  Once the matching described above takes place—and the process takes no more than a few hundred milliseconds—the email addresses disappear from Showyou’s system, and Showyou does not store, have access to, or maintain control over the email addresses used by Friend Finder.

Showyou’s privacy policy, which has been in place since March 1, 2012, provides a detailed list of the data it stores on its servers.  The policy is available at http://showyou.com/privacy, and a printed copy of it is included with this letter.

Showyou’s Commitment to Privacy and Security

With an update to Showyou uploaded to Apple on February 14, and released publicly through the App Store starting February 21, 2012, Showyou added the “opt-in” prompt to the Friend Finder sign-up described above.  The prompt looks like this:

The app added further protections in an update uploaded to Apple on March 26, 2012, and publicly released on April 2, 2012, to secure all data transmitted to its servers using an SSL certificate.

Showyou does not request or transmit, and thus does not store, any other data from a user’s iPhone or iPad, including UDID, phone numbers, email account information, calendar, photo gallery, Media Access Control (MAC) address, or other identifiers related to a user’s device.[1]  Remixation has followed Apple’s guidelines and terms of service regarding the collection of data by not storing any data from a user’s device or contact list on its servers, and only using data that is temporarily transmitted for essential functions of the app.  In addition to not storing any of this data, Remixation has added other protections described above (opt-in before transmission of email addresses, SSL certificates) for data that is temporarily transmitted and not stored.

Answers to Questions

Through the end of February 2012, how many times was your iOS app downloaded from Apple’s App Store?

Showyou’s download numbers have not been made public.  We are glad to discuss this with you or your staff.

Did you have a privacy policy in place for your iOS app at the end of February 2012?  If so, please tell us when your iOS app was first made available in Apple’s App Store and when you first had a privacy policy in place.  In addition, please describe how that policy is made available to your app users and please provide a copy of the most recent policy.

Showyou was first made available in mid-April 2011, and its privacy policy was published in early March 2012.  It is available at http://showyou.com/privacy, and a copy is included with this response.

Has your iOS app at any time transmitted information from or about a user’s address book?  If so, which fields?  Also, please describe all measures taken to protect or secure that information during transmission and the periods of time during which those measures were in effect.

As discussed above, use of Showyou’s Friend Finder is optional: a user can skip it when creating a Showyou account, and a user can choose to use Showyou without creating an account at all, which results in no user information being transmitted to Showyou.  If a user decides to use Friend Finder, the app transmits only email addresses from the user’s Contacts to its servers for the sole purpose of checking for matches with the email addresses of other registered users.  Based on those matches, the app identifies others on Showyou that the user might want to follow.  Showyou does not store and has never stored email addresses or any other Contacts information on its servers.  Once the matching described above takes place—and the process takes no more than one or two hundred milliseconds—the email addresses disappear from Showyou’s system; it does not store, have access to, or maintain control over the email addresses used by Friend Finder.  As of April 2, 2012, Showyou secures all data transmitted to its servers using an SSL certificate.

Have you at any time stored information from or about a user’s address book?  If so, which field?  Also, please describe all measures taken to protect or secure that information during storage and the periods of time during which those measures were in effect.

Showyou does not store and has never stored email addresses or any other Contacts information on its servers.

At any time, has your iOS app transmitted or have you stored any other information from or about a user’s device—including, but not limited to, the user’s phone number, email account information, calendar, photo gallery, WiFi connection log, the Unique Device Identifier (UDID), a Media Access Control (MAC) address, or any other identifier unique to a specific device?

No.  As mentioned above, Showyou uses three third-party applications to help track aggregate usage as well as bug reports on Showyou—Flurry, Google Analytics, and HockeyApp—which may have transmitted UDIDs to their respective servers to provide crash reporting and aggregate usage analytics.  Showyou, however, does not receive or keep any of this data on its servers.

To the extent you store any address book information or any of the information in question 5, please describe all purposes for which you store or use that information, the length of time for which you keep it, and your policies regarding sharing of that information.

Showyou does not store and has never stored any such information on its servers.

To the extent you transmit or store any address book information or any of the information in question 5, please describe all notices delivered to users on the mobile device screen about your collection and use practices both prior to and after February 8, 2012.

As noted above, on February 21, 2012, Showyou added the “opt-in” prompt to the Friend Finder, described above.

The iOS Developer Program License Agreement detailing the obligations and responsibilities of app developers reportedly states that a developer and its applications may not collect user or device data without prior user consent, then only to provide a service or function that is directly relevant to the use of the Application, or to serve advertising.”  (a) Please describe all data available from Apple mobile devices that you understand to be user data requiring prior consent from the user to be collected.  (b) Please describe all data available from Apple mobile devices that you understand to be device data requiring prior consent from the user to be collected.  (c) Please describe all services or functions for which user or device data is directly relevant to the use of your application. 

As detailed above, only after a user opts into Friend Finder (and, after the February 21, 2012 update, also gives express permission in a dialog box) does Showyou transmit—but not store—email addresses from the user’s Contacts for the limited purpose of finding friends already using Showyou.  Showyou has complied with Apple’s guidelines and terms of service regarding the collection of data by not storing any data from a user’s device or Contacts on its servers, and only using data that is temporarily transmitted for essential functions of the app.

Please list all industry self-regulatory organizations to which you belong.

Currently, Remixation does not belong to any self-regulatory organizations.

Conclusion

In developing and updating Showyou, Remixation has taken account of changing norms within the industry, stayed current with best practices, kept its users apprised of its privacy and security policies (through, for example, its blog: https://showyou.wordpress.com/2012/02/09/how-the-showyou-friend-finder-works/ and https://showyou.wordpress.com/2012/04/06/an-update-on-the-showyou-friend-finder/), and has added additional protections and enhancements to Showyou over the past two months, as documented in this letter.  Remixation will continue to do so.


[1] Showyou uses three third-party applications to help it track aggregate usage as well as bug reports on Showyou: Flurry, Google Analytics, and HockeyApp.  These services may have transmitted UDIDs to their respective servers to provide crash reporting (i.e., when Showyou crashes) and aggregate usage analytics.  Showyou, however, does not receive or keep any of this data on its servers.
