What We Learned From Apple’s New Privacy Labels
Let’s be honest: nobody does that.
Late last year, Apple introduced a new requirement for all software developers who publish apps through the App Store. Apps must now include what are known as privacy labels, which list the types of data collected in an easily scannable format. The labels are similar to a nutritional marker on food packaging.
These labels, which will appear in the App Store in December, are the latest attempt by technology designers to make data security more understandable for all of us. You may be familiar with previous iterations like the padlock icon in a web browser. A locked padlock indicates that a website is trusted, while an unlocked lock indicates that a website may be malicious.
The question is, will Apple’s new labels influence the choices people make. “Does it change the way they use the app or does it prevent them from downloading the app after reading or viewing it?” asked Stephanie Nguyen, a researcher who has studied user experience design and data protection.
To test the labels, I went through dozen of apps. Then I focused on the privacy labels for the WhatsApp and Signal messaging apps, the Spotify and Apple Music streaming music apps, and for fun, MyQ, the app that I use to open my garage door remotely.
I learned a lot. The privacy labels showed that apps whose function is identical can differ greatly in how they handle our information. I’ve also found that a lot of data is collected when you least expect it, including the products you pay for.
But while the labels often lit up, they sometimes created more confusion.
Read Apple’s privacy labels
To find the new labels, iPhone and iPad users with the latest operating system (iOS and iPadOS 14.3) can open the App Store and search for an app. Look for “App Privacy” in the description of the app. A field with the label appears there.
Apple divided the privacy label into three categories so we could get a complete picture of the types of information an app collects. You are:
Data that will track you. This information is used to track your activity across apps and websites. For example, your email address can tell you that you were the same person using another app where you entered the same email address.
Data associated with you: This information is tied to your identity, e.g. B. Your purchase history or contact information. Based on this information, a music app can see that your account has purchased a particular track.
Data not associated with you: This information is not directly linked to you or your account. A mapping app can, for example, collect data from motion sensors, for example to provide turn-by-turn directions. This information is not stored in your account.
Now let’s see what these labels revealed about certain apps.
WhatsApp vs. Signal
On the surface, WhatsApp, owned by Facebook, seems almost identical to Signal. Both provide encrypted messages that are used to encrypt your messages so only the recipient can decrypt them. They both also rely on your phone number to create an account and receive messages.
But their privacy labels immediately show how different they are under the hood. Below is the privacy label for Whatsapp. The next is the one for signal::
The labels immediately made it clear that WhatsApp is pulling far more of our data than Signal. When I asked the companies about this, Signal said they tried to get less information.
For group chats, the WhatsApp privacy label showed that the app had access to user content, including group chat names and group profile photos. Signal, which doesn’t, said it developed a complex group chat system that encrypts the content of a conversation, including the people participating in the chat and their avatars.
For people’s contacts, the WhatsApp privacy label showed that the app can get access to our contact list. Signal not. WhatsApp gives you the option to upload your address book to the company’s servers so you can find your friends and family who also use the app. However, Signal stores the contact list on your phone and the company can’t tap it.
“In some cases, it’s harder not to collect data,” said Moxie Marlinspike, founder of Signal. “We have gone to greater lengths to design and build technology that has no access.”
A WhatsApp spokeswoman referred to the company’s website and explained the privacy label. The website said WhatsApp could gain access to user content to prevent abuse and block people who may have broken the law.
When you least expect it
Then I looked closely at the privacy label for a seemingly innocuous app: MyQ from Chamberlain, a company that sells garage door openers. The MyQ app works with a $ 40 hub connected to a WiFi router so you can open and close your garage door remotely.
The label says the following about the data the app has collected. Warning: it’s long.
Why should a product that I paid for to open my garage door track my name, email address, device ID, and usage information?
The answer: for advertising.
Elizabeth Lindemulder, who oversees connected devices for the Chamberlain Group, said the company was collecting data to target people with advertisements on the internet. Chamberlain also has partnerships with other companies such as Amazon and data is shared with partners when users choose to use their services.
In this case, the label successfully made me pause and think: Yuck. Maybe I’ll switch back to my old garage remote that doesn’t have an internet connection.
Spotify versus Apple Music
Finally, I compared the privacy labels for two streaming music apps: Spotify and Apple Music. Unfortunately, this experiment has led me into a rabbit hole of confusion.
Just look at the labels. First is the for Spotify. Next is the one for Apple Music.
These look different from the other labels featured in this article as they are just previews. Spotify’s label was so long that we couldn’t display the entire name. And as I delved into the labels, they both contained terminology so confusing or misleading that I couldn’t immediately connect the dots to what our data was being used for.
One of the jargon on Spotify’s label was that it gathered people’s “rough spot” for advertising. What does that mean?
According to Spotify, this applies to people with free accounts who have received ads. The app pulls device information to get approximate locations so it can serve ads that are relevant to the location of those users. However, it is unlikely that most people will understand this from reading the label.
Apple Music’s privacy label suggested linking data to you for advertising purposes – even if the app doesn’t show or play ads. It wasn’t until Apple’s website that I found out that Apple Music is looking at your music for information on upcoming releases and new artists relevant to your interests.
The privacy labels are especially confusing when it comes to Apple’s own apps. This is because some Apple apps appeared in the App Store with privacy labels, but others didn’t.
Apple said only some of its apps – like FaceTime, Mail, and Apple Maps – could be deleted and re-downloaded from the App Store so that they can be found there with privacy labels. However, the Phone and Messaging apps cannot be deleted from devices, so they do not have privacy labels in the App Store. Instead, the privacy labels for these apps are in hard-to-find support documents.
The result is that Apple’s apps’ data practices are less up-front. If Apple wants to have the privacy talk, it can provide a better example by making the language clearer – and its labeling program less selfish. When I asked why not all apps should meet the same standards, Apple didn’t elaborate on the problem.
Ms. Nguyen, the researcher, said a lot has to happen for the privacy labels to be successful. Behavior changes aside, she said, companies need to be honest when it comes to describing their data collection. Most importantly, people can understand the information.
“I can’t imagine my mom ever stopping to look at a label and say, ‘Let me look at the data that is linked to me and the data that is not linked to me,” she said. “What does that even mean? “