There’s been some controversy over the data that Donald Trump’s campaign app collects. Though the America First app asks before accessing anything on both Android and iOS, it gathers and stores the data from smartphone address books as soon as it is granted permission. The situation probably doesn’t sound like a big deal, especially since the app requests consent, but if you store valuable private information in your contact lists—like security codes, passwords, health information, or social security numbers—it definitely poses a threat.
But if you’re doing that, you’re doing it wrong. People should not be using contact lists to store sensitive data. Ever. It is a seriously bad idea. Don’t do it! Information in address books is stored in plaintext, meaning it doesn’t have any protections. It could be obtained by a hacker in countless ways. Though it’s worth considering that phone numbers, email addresses, and physical addresses are themselves valuable data, they are often pieces of information that are already publicly or widely available. Secrets, on the other hand, demand more specific precautions.
“I have to store that information somewhere!” you might protest. OK. Well, you have options.
First, you could store personal notes and sequences like social security numbers or safe codes in a password manager (which you already have, right?). Most of these services offer a notes feature so you can jot things down at the doctor or store your neighbor’s garage code in a platform that prioritizes security.
If you don’t want to use one of these services, you could store that data in a password-protected file on one of your devices. Look, even writing things down by hand and protecting the paper or book at home is more secure (for most people) than storing data in plaintext. “The absolute worst is a digital file unprotected, not encrypted, that’s on your phone and may be synced with your laptop,” says Jeff Paradise, chief marketing officer at the data management company Dashlane.
Some people try to hide their data in plain sight in their address books by using tricks like making credit card numbers look like phone numbers or integrating passwords into fake addresses. For one or two data points, these techniques can be workable, but experts point out that with more than a few pieces of information they get confusing quickly, because you have to remember where and how you hid things, while still making everything look like plausible contact entries.
Even device manufacturers are up front about the dangers of using a contacts list to keep track of private information. Apple’s Mac Developer Library notes that, “The Address Book framework does not provide any security above what’s provided by [the operating system]. … For that reason, the Address Book may not be an appropriate place to store confidential information, such as credit card numbers.”
Companies that make password managers, like Dashlane and LastPass, are acutely aware that many people still store their data improperly. Both Paradise and Joe Siegrist, the vice president and general manager of LastPass, are sympathetic. They said that people are just trying to keep important data in easily accessible places. “We know far too well that people utilize their contacts for things like passwords and social security numbers,” says Siegrist. “They are solving the problem of synchronizing data they need everywhere, but they don’t think about the security implications.”
They know why people use these shortcuts, but Siegrist and Paradise emphasize that address books and plaintext notes apps put sensitive information at serious risk. And it’s not just some social security numbers, which would be bad enough. The two said that they’ve heard of people using their address books to store passwords, bank PINs, passport ID numbers, photos of passports, confidential work data, credit card numbers, financial account numbers, home security codes, and vault codes.
It’s an address book, folks, not a magic data garden patrolled by dragons. Do yourself a favor and keep all that really important stuff somewhere safer.