SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 218: Reading the Privacy Nutrition Labels

Posted on February 11, 2021

Privacy Labels have landed in the App Store for a number of apps. We’ll cover:

Read those labels

At last year’s Worldwide Developers Conference, Apple introduced a new privacy feature for the App Store called Privacy Labels. Privacy Labels are self-reported summaries of an app’s privacy practices, available on each app’s product page in the App Store. Apple has compared these labels to the nutrition labels found on food packaging: They let you know “what’s inside” so that you can make an informed choice about whether or not it’s good for you!

So what’s actually on these app product pages? As it turns out, the most important information about app privacy is actually on the “details pages”, which can be viewed by clicking See Details. Here’s what Apple says you’ll find there:

The details pages include information on the types of data that the app collects such as photos, location, and contact information. The pages also … provide users with additional details about how each kind of information is used by the app developer, including whether it is used for tracking, and whether the data is linked to the user. All app developers, including Apple, are required to self-report information regarding their privacy practices.

Let’s break all that down to see what it really means:

Data linked to you

This refers to data collected by the app that can be linked to your identity in some way: either to your account, or to your device, or to personal details such as your phone number.

Data used to track you

This category concerns data that can be linked to data collected by other apps, sites, or even non-digital services, which is then used for advertising purposes, or is shared with third parties who monetize the data. In other words, Data used to track you covers things like targeted ads shown to you based on data collected by another app; apps that share your location data with data brokers; or apps that share your advertising ID or email address with a third party that helps other developers serve you targeted advertising.

Apple apps and Privacy Labels

Apple doesn’t exempt its own apps from the requirement, although finding privacy information for pre-installed apps (i.e. apps that don’t have App Store product pages) can be difficult. If you want to review the privacy practices for something like Health, Messages, or Camera, you can find the information on this Apple support page, under the heading Apple apps and privacy information.

That, in a nutshell, is how Privacy Labels are supposed to work. But as we saw last week with App Tracking Transparency, getting developers to implement these changes can be a slow process.

The good news is that Privacy Labels are now mandatory for all Apple platforms (and have been since December 8). At this point, any developer who doesn’t provide the required information about their app’s privacy practices runs the risk of not being able to update their app in the future.

Is Google dragging their feet?

The December 8 deadline for submitting self-reported Privacy Label information has come and gone, but there’s an important qualification to mention: Developers who don’t provide this information may not be able to update their apps … but it’s also possible to just not update your app!

As some observers have noted, Google appears to be intentionally delaying their update (and thus the requirement to submit privacy data) for one of their biggest iOS apps: Gmail. The app was last updated over 2 months ago, and some users are even starting to see notifications warning them that the app may be out of date.

One suspects, though, that this can’t go on forever — and in fact, Google just recently added privacy information for its YouTube app after a similarly long delay (spoiler alert: It turns out that YouTube collects a ton of your data!). Still, the reluctance of some big tech companies to tell users about their privacy practices is concerning. And as we’ll see, it’s also a good reason to take these “self-reported” Privacy Labels with a grain of salt.

So…what happens if they lie?

We’ve already mentioned that the information in Privacy Labels is self-reported by app developers. But this raises an obvious question: What happens if an app developer is, to put it delicately, “slightly less than honest”?

Unfortunately, it looks like this may already be happening with some apps. A recent Washington Post report found evidence that a number of apps which claimed not to collect any user data were, in fact, doing just that. Other apps said that they only collected limited data, and weren’t engaged in user tracking, but were actually sending unique user IDs to third party companies. As the journalist who wrote the piece remarked:

Apple’s big privacy product is built on a shaky foundation: the honor system.

We’re not quite as skeptical as the Post journo about Apple’s motivations for allowing developers to self-report their privacy practices, but we agree that the possibility of bad actors making it into the App Store is definitely something to be aware of. We’ve talked before about how malicious apps can slip past Apple’s internal safeguards, and how developers can’t always be trusted to follow the App Store’s policies and rules. In Apple’s defense, we’ve seen the company take swift action on shady development practices before, such as when they cracked down on Clearview AI and Facebook for abusing Enterprise Developer certificates.

We hope that most developers will do the right thing and accurately report their privacy practices, and that, failing that, Apple will respond decisively to user reports of inaccurate Privacy Labels. But as is so often the case in the world of digital security and privacy, you are your own best defense against the bad guys. The good news here is that iOS makes it pretty easy to control what an app can do in terms of data collection (regardless of what their Privacy Label says):

Go to Settings > Privacy and you’ll see a long list of permissions categories, including:

  • Location Services
  • Contacts
  • Calendars
  • Reminders
  • Photos
  • Bluetooth
  • Local Network
  • …and more 

If you click on any one of these, you’ll see a list of apps that have asked for access to that type of data in the past — and you’ll also see a convenient toggle switch that lets you grant or revoke data access on an app-by-app basis. These transparency and control tools are a great way to make sure that you stay in charge of your data, no matter what the apps on your phone try to do!

Do you have a question about data privacy, or about digital security? Write to us! We’d love to answer your questions on a future edition of The Checklist. If you want to read the show notes for past shows, or download and listen to full episodes, you’ll find what you’re looking for in our Checklist archives.
