Apple’s Privacy Nutrition Label
In a previous article, I talked about privacy changes coming in iOS14 which will impact tracking, data aggregate companies, advertising etc – in short (but not exclusively) Facebook.
In this article, I wanted to mention some other Apple-related privacy news, and to talk about some of the questions this raises.
Computers, Privacy & Data Protection Conference (CPDP21).
In Jan 2021, Tim Cook (Apple’s CEO) spoke at CPDP21. His short video is very interesting and worth a watch.
Tim mentions three key things in his talk, their:
- App Tracking Transparency (ATT).
- Privacy Nutrition Label
- A Day in the Life of your Data (PDF)
To recap ATT: this is a pop-up which will appear on iOS14 (i.e. Apple’s iPhone) when you open an app, asking if you would like to be tracked or not. As per my previous (lengthy!) article, I doubt many people will click that. However, I did not mention much about the Privacy Nutrition Label, so let’s discuss that….
Privacy Nutrition Label
Apple’s idea here is that each app in the app store has something called a ‘Privacy Nutrition Label‘ which helps explain the data intentions of the app in question. Let’s see what that looks like:
Apple Data Nutrition Label
As you see from the image, we have clear sections for Data Use to Track You, and Data Linked to You – the idea here is to present to consumers a standard view of the privacy and data collection profile of an app so that we can make informed decisions.
Think of it as similar to the food labels we see on (say) boxes of cereal in the supermarket.
However, we should not get lulled into a false sense of security with Apple’s App Privacy approach, as there is a key difference between them and food nutrition labels.
Food Nutrition Labels
Left to their own devices, food manufacturers would probably not print food nutrition labels or, if they did, would come up with exotic designs to help hide how much (e.g.) sugar was in the food. However, food packaging standards & government legislation means that:
- Food nutrition labels must be presented in a certain, defined, consistent way (to make it easier for consumers to understand)
- Products are subject to be tested and, if there are issues, there could be significant sanctions.
With Apple’s Privacy Label, Apple is trusting third-party app creators to truthfully inform them of the data & tracking profile of the app; however, they could lie/conveniently forget ;) People casually looking at an apps Privacy information could be forgiven to think this is Apple certified information.
Indeed, in this article (+ video) by The Washington Post – we see examples of where this privacy label has been found to be incorrect. In both cases mentioned in the video, the app manufacturer took steps (probably because a large newspaper was on to them!) but this does highlight the issue with Apple’s App Privacy feature.
Trust
Because the App Privacy Label looks authentic and concise, users can be forgiven for thinking it is accurate. However, as the previous link shows, this is entirely up to the app producer – at the moment it does not look like Apple are going to police this.
Of course, the card up Apple’s sleeve is that if an App is found abusing this facility; Apple can unilaterally yank it from the App Store but, as other commentators have pointed out – this is a little like shutting the barn door after the horse has bolted.
What can Apple do?
The ATT privacy pop-up which appears gives the user (and Apple) a clear indicator of user intent, which the app must adhere to – indeed (as per my previous article), the apps ability to show device profile targetted ads is now severely limited.
Everything an app does, iOS14 pretty much knows about. If the App directly sends data off to say Google, or Facebook – then Apple will know about it and could use this as a comparison with what the app’s Privacy Label says.
Whether Apple will take a more aggressive stance on enforcing this in future, is anyone’s guess; I would assume though that this is only the start from Apple.
A Day in the Life
In his talk, Tim Cook mentioned the very readable A Day in the Life of your Data. In this PDF, we see how apps can silently and invisibly harvest data from our phones, and our app usage, to help sell ads etc.
The PDF quite rightly points out that once an app has passed your data onto a third party, they too can easily pass that data onto other third parties without you knowing. So something as innocent as playing a balloon game on your iPhone could result in tracking data being sent to all manner of companies, for all manner of purposes without your knowledge. In short, a crummy situation.
The thing is though, both Apple’s App Tracking Transparency pop-up, or it’s Data Nutrition Label / App Privacy Report don’t really help address this point. Because we are simply asking the app manufacturer to be truthful (or, at least, diligent) with their research into how your data is used. Still, that being said, this is a start.
The future
I think it’s going to take the industry a while to unlearn bad habits. Apps (and websites) have all too easily installed code which can pass data without really considering how that data is used downstream, and who that data might then eventually get passed on to. Facebook’s argument* that this is all for the benefit of mom’n’pop small businesses does not hold water – more accountability is required.
Joel
(*Not picking on Facebook here, it’s just they are very vocal – understandably!).
p.s. you might wonder what this has to do with WordPress & websites. The short answer is a lot; the direction of travel for privacy/tracking is for more transparency, greater control, clearer consent, and better accountability. For websites, this will force us to address the situation where we are hit by a jungle of cookie/consent pop-ups when simply trying to read a web article – and this is one reason I’ve decided to strip as much off this Glass Mountains website as possible.