Mid-way through December 2020, Apple rolled out privacy labels on the App Store. The labels offered up bite-size, nutrition label-like information on the types of data collected by apps. Although the labels can help inform users of the privacy implications of different apps, they also may not be accurate.
The Washington Post’s Geoffrey Fowler did a deep dive on the new privacy labels and found several were false. Fowler highlighted a few apps that collected data despite using privacy labels that say they don’t. For example, ‘Satisfying Slime Simulator’ shared a way to identify Fowler’s iPhone with Facebook, Google and another service called ‘GameAnalytics.’ On top of that, it sent the iPhone’s ID, battery level, free storage space, general location and volume level to Unity, software used to build games.
Fowler also checked a social media app called ‘Rumble,’ which sent an ID to Facebook and Google that could be used to track his phone. It also sent other data about how he used the app. Fowler did note that Rumble changed its privacy label in mid-January, although the company never responded to Fowler’s emails.
Other apps Fowler pointed out include ‘Maps.Me,’ ‘FunDo Pro,’ ‘PlayerXTreme,’ ‘Instdown’ and ‘Whats Direct Chat and Web.’ Some of these apps have since changed their privacy labels.
Apple doesn’t verify privacy labels
However, it shouldn’t come as a surprise that developers are misleading users with the privacy labels. When Apple introduced the labels, MobileSyrup asked what measures the company would take to ensure accurate reporting from developers. Apple reiterated that developers had to self-report privacy information, but said it would take action if it learned about inaccuracies in the privacy information. It’s unclear if Apple has taken action yet, or what that action would look like.
Apple also said it would block developers from updating their apps unless they added the privacy labels to ensure that developers complied with the new measures.
With all that in mind, there’s a clear incentive for developers to mislead users. For example, look at Facebook. The social media giant added privacy labels for its apps, like Facebook Messenger, and has received tons of bad press over the amount of data the apps collect.
Likewise, Google was accused of withholding updates for its iOS apps so it wouldn’t have to add privacy labels and suffer similar bad press. Google later said that wasn’t the case and that it would update its apps. However, it’s been more than three weeks since then and only a few of the company’s less popular apps have received labels.
Things may improve when Apple’s new app tracking transparency feature arrives on iOS. That feature will force apps to ask users’ permission to allow sharing of their device’s Identifier for Advertisers (IDFA) with other tracking companies. For example, that would prevent Instagram from sharing IDFA data with third parties, but it could still share data with Facebook since it’s the same company.
Despite these changes, anyone who wants to protect their online privacy would do well to verify all of the App Store privacy labels themselves. The labels can provide a helpful at-a-glance overview, but as they currently exist, users can’t trust them to be completely accurate.