Sarahah, the anonymous feedback app that’s been going viral for the past couple of weeks, isn’t quite as private as it sounds: it turns out the app uploads users’ phone contacts to the company’s servers, seemingly for no good reason. The behavior was spotted by security analyst Zachary Julian and first reported by The Intercept.
The app doesn’t entirely hide this behavior. On both iOS and Android, Sarahah asks for permission to access each user’s phone contacts — and even if you say no, you can continue to use the app.
But users who do grant access to their contacts list probably expect it to add some sort of functionality to the app. And as of now, it doesn’t. There’s no friends list inside the app. And while there’s a search feature, you can’t look people up by phone number. Nor is there a section, like in Instagram, to show which of your contacts are already using the service.
Julian discovered the behavior by using monitoring software to see what data Sarahah was sending and receiving on his Android phone. Among the data sent was “all of your email and phone contacts”; the same, he later determined, occurs on iOS as well. Sarahah has yet to respond to a request for comment.
Uploading contact lists is not all that uncommon a behavior and is often used in legitimately helpful ways. But it’s something that apps really shouldn’t do unless users are getting something out of it. And either way, people tend to be pretty unhappy when their personal data gets used in ways they weren’t made aware of.
Earlier this year, users of the service Unroll.me grew upset when it was reported that the company sold their data to Uber. While this kind of activity is often covered in an app’s terms of service, that certainly doesn’t mean most users are going to be aware of it.
It’s not clear what, if anything, Sarahah is doing with the data it collects. But either way, that information seems to be needlessly sitting around on the server of a company that doesn’t truly need it.