Man unboxing Apple iPhone showing challenges of new privacy labels

Independent Investigation Reveals That Apple’s New Privacy Labels May Not Always Be Correctly Applied; Some Apps Collecting Data Without Notification

Apple now requires that app publishers include privacy labels that indicate at a glance what sort of personal data they’re accessing, which is a boon for consumer privacy when it works as intended. Some early investigation indicates that it may not be.

Led by a report in the Washington Post, a number of media sources have done independent analysis of a sampling of Apple apps and have found that the privacy labels were not accurately representing how much information they were collecting. Some apps that claim to share no personal data are communicating with multiple third-party networks and sharing items such as the unique device identifier, general location and battery level. Others have labels that are misleading, using the wrong data usage classifications to make them seem more innocuous than they are.

“Honor system” for Apple privacy labels already being abused

At the core of the issue is the fact that Apple is not checking each and every app submitted to the store for compliance. Publishers are expected to honestly represent the scope of the app’s data collection on the privacy labels; Apple’s enforcement appears to consist of random testing. According to an Apple spokesperson: “Apple conducts routine and ongoing audits of the information provided and we work with developers to correct any inaccuracies. Apps that fail to disclose privacy information accurately may have future app updates rejected, or in some cases, be removed from the App Store entirely if they don’t come into compliance.”

Many publishers appear to be either slow to come into compliance, or are actively testing Apple’s capacity to enforce its own rules. Post reporter Geoffrey Fowler examined a number of apps by using Disconnect’s “Privacy Pro” software, which forces apps to route their remote connections through a local virtual private network that can identify and block connections to trackers. Among the apps that Fowler found fudging their privacy labels was the Satisfying Slime Simulator, which claimed to traffic in no personal data at all yet was sharing device properties with at least four outside parties (Google and Facebook’s ad networks among them). The social network Rumble, the game Match 3D, travel app, smartwatch accessory app FunDo Pro, media player PlayerXtreme, video downloader InstDown and Whats Direct Chat and Web all had similarly inaccurate privacy labels. About half of these have since updated their privacy labels or promised that they were in the process of doing so, while others did not respond to Fowler.

While Apple’s policy of periodic audits of privacy labels gives app publishers some significant wiggle room, Fowler points out that there are some other elements of the policy that are more open to direct abuse. The privacy labels became mandatory in mid-December, but apps are not required to implement them until their next update. It is unclear if apps that are still active but no longer updated will ever be subject to adding labels. Fowler also notes that while apps are required to tell you when they share data, they do not have to tell you who they share it with. And Apple’s definition of “tracking” seems to leave out sharing with certain entities, such as government agencies.

Will Apple’s privacy labels rely on community policing?

With two million apps on the store, and given that it can be difficult to tell which SDKs are embedded in app code (and whom they are communicating with), it is beginning to look like Apple’s new privacy labels may rely strongly on “community policing” to be truly effective; in other words, individuals checking apps independently using methods similar to those employed by Fowler and other journalists. The situation also throws into question how serious Apple really is about user privacy.

One big indication may come with the required ad tracking opt-in pop-ups that are tentatively scheduled to roll out sometime in the spring. App publishers are supposed to ensure that consent for the use of the device identifier (the IDFA) is collected if any tracking for the purposes of personalized or targeted advertising is done. But the example of the privacy labels would seem to indicate that this will also be on the “honor system” with only sporadic testing as a check against cheating. Given that some app developers are reportedly considering running the risks of using device fingerprinting methods as an alternative to secretly track users in spite of a ban by Apple, it seems reasonable to assume that many apps will similarly flout the consent law once it goes active. It may also embolden app developers in their schemes to use hidden device fingerprinting methods; though this behavior could get them banned from the app store if it is uncovered, if it is hidden well enough in the app’s code it may well never be found by Apple.