Decoding the privacy labels of popular apps

Chennai

Requiring that app makers list the data they collect reveals a lot about what some apps do with our information (ahem, WhatsApp) but creates confusion about others. We all know that apps collect our data. Yet one of the few ways to find out what an app does with our information involves reading a privacy policy. Let’s be real: Nobody does that. So late last year, Apple introduced a new requirement for all software developers that publish apps through its App Store. Apps must now include so-called privacy labels, which list the types of data being collected in an easily scannable format. The labels resemble a nutrition marker on food packaging.

These labels, which began appearing in the App Store in December, are the latest attempt by tech designers to make data security easier for all of us to understand. You might be familiar with earlier iterations, like the padlock symbol in a web browser. A locked padlock tells us that a website is trusted, while an unlocked one suggests that a website can be malicious. The question is whether Apple’s new labels will influence the choices people make. “After they read it or look at it, does it change how they use the app or stop them from downloading the app?” asked Stephanie Nguyen, a research scientist who has studied user experience design and data privacy. To put the labels to the test, I pored over dozens of apps. Then I focused on the privacy labels for the messaging apps WhatsApp and Signal, the streaming music apps Spotify and Apple Music and, for fun, MyQ, the app I use to open my garage door remotely. The privacy labels showed that apps that appear identical in function can vastly differ in how they handle our information. I also found that lots of data gathering is happening when you least expect it, including inside products you pay for. But while the labels were often illuminating, they sometimes created more confusion.

How to read Apple’s print

To find the new labels, iPhone and iPad users with the latest operating system (iOS and iPadOS 14.3) can open the App Store and search for an app. Inside the app’s description, look for “App Privacy.” That’s where a box appears with the label.

Apple has divided the privacy label into three categories so we can get a full picture of the kinds of information that an app collects. They are: Data used to track you. This information is used to follow your activities across apps and websites. For example, your email address can help identify that you were also the person using another app where you entered the same email address.

Data linked to you: This information is tied to your identity, such as your purchase history or contact information. Using this data, a music app can see that your account bought a certain song.

Data not linked to you: This information is not directly tied to you or your account. A mapping app might collect data from motion sensors to provide turn-by-turn directions for everyone, for instance. It doesn’t save that information in your account.

The privacy labels are especially confusing when it comes to Apple’s own apps. That’s because while some Apple apps appeared in the App Store with privacy labels, others did not.

Apple said only some of its apps — like FaceTime, Mail and Apple Maps — could be deleted and downloaded again in the App Store, so those can be found there with privacy labels. But its Phone and Messages apps cannot be deleted from devices and so do not have privacy labels in the App Store. Instead, the privacy labels for those apps are in hard-to-find support documents.

The result is that the data practices of Apple’s apps are less upfront. If Apple wants to lead the privacy conversation, it can set a better example by making language clearer — and its labelling program less self-serving. When I asked why all apps shouldn’t be held to the same standards, Apple did not address the issue further.

Brian X Chen is the lead consumer technology writer for NYT©2020

The New York Times