What we learned from Apple’s new privacy labels




We all know that apps collect our data. Yet one of the few ways to find out what an app is doing with our information is to read a privacy policy.

Let’s face it: no one does this.

Late last year, Apple introduced a new requirement for all software developers who publish apps through its App Store. Apps must now include so-called privacy labels, which list the types of data collected in an easily scanned format. The labels look like the nutrition labels on food packaging.

These labels, which started appearing in the App Store in December, are the latest attempt by tech designers to make data security easier for all of us to understand. You may be familiar with previous iterations, such as the padlock symbol in a web browser. A locked padlock tells us that a website is trustworthy, while an unlocked padlock suggests that a website may be malicious.

The question is whether Apple’s new labels will influence the choices people make. “Once they read or watch it, does it change the way they use the app or prevent them from downloading the app?” asked Stephanie Nguyen, a research scientist who has studied user experience design and data privacy.

To put the labels to the test, I studied dozens of apps. Then I focused on the privacy labels for the WhatsApp and Signal messaging apps, the Spotify and Apple Music streaming music apps, and, for fun, MyQ, the app I use to open my garage door remotely.

I learned a lot. The privacy labels showed that apps that appear identical in function can differ significantly in how they treat our information. I also found that a lot of data collection happens when you least expect it, including inside products you pay for.

But while the labels were often illuminating, they sometimes created more confusion.

To find the new labels, iPhone and iPad users with the latest operating system (iOS and iPadOS 14.3) can open the App Store and search for an app. In the app description, look for “App Privacy.” This is where a box appears with the label.

Apple has divided the privacy label into three categories so that we can get a complete picture of the types of information an app collects. They are:

  • Data used to track you: This information is used to track your activities on apps and websites. For example, your email address can help identify that you were also the person using another app where you entered the same email address.

  • Data linked to you: This information is linked to your identity, such as your purchase history or contact details. Using this data, a music app can see that your account has purchased a certain song.

  • Data not linked to you: This information is not directly related to you or your account. A mapping app can collect data from motion sensors to provide step-by-step directions to anyone, for example. It does not save this information in your account.

Now let’s see what these labels revealed about specific apps.

At first glance, WhatsApp, which is owned by Facebook, appears to be almost identical to Signal. Both offer encrypted messaging, which scrambles your messages so that only the recipient can decrypt them. Both also rely on your phone number to create an account and receive messages.

But their privacy labels immediately reveal how different they are under the hood. Below, on the left, is the privacy label for WhatsApp. On the right is the one for Signal:

The labels immediately indicated that WhatsApp uses a lot more of our data than Signal. When I asked companies about this, Signal said it strives to take less information.

For group chats, the WhatsApp privacy label showed that the app has access to user content, which includes group chat names and group profile photos. Signal, which does not do this, said it has designed a complex group chat system that encrypts the content of a conversation, including the people participating in the chat and their avatars.

For contacts, the WhatsApp privacy label showed that the app can access our contact list; Signal does not. With WhatsApp, you have the option to upload your address book to the company’s servers so that it can help you find friends and family who are also using the app. But on Signal, the contact list is stored on your phone and the company cannot touch it.

“In some cases it’s harder not to collect data,” said Moxie Marlinspike, founder of Signal. “We went further to design and build technology without access.”

A spokesperson for WhatsApp referred to the company’s website explaining its privacy label. The website said WhatsApp could access user content to prevent abuse and ban people who may have broken laws.

I then took a close look at the privacy label of a seemingly harmless app: MyQ from Chamberlain, a company that sells garage door openers. The MyQ app works with a $40 hub that connects to a Wi-Fi router so you can open and close your garage door remotely.

Here’s what the label says about the data collected by the app. Warning: it is long.

Why could a product that I paid to open my garage door track my name, email address, device ID and usage data?

The answer: for advertising.

Elizabeth Lindemulder, who oversees connected devices for the Chamberlain Group, said the company has collected data to target people with advertisements on the web. Chamberlain also has partnerships with other companies, such as Amazon, and data is shared with partners when people choose to use their services.

In this case, the label managed to make me stop and think: Yuck. Maybe I’ll go back to my old garage remote, which doesn’t have an internet connection.

Finally, I compared the privacy labels of two music streaming apps: Spotify and Apple Music. This experience unfortunately took me down a rabbit hole of confusion.

Just look at the labels. Below, on the left, is the one for Spotify. On the right is the one for Apple Music.

These are different from the other labels shown in this article because they are only previews – the Spotify label was so long that we couldn’t see all of it. And when I delved into the labels, both contained terminology so confusing or misleading that I couldn’t immediately connect the dots on our data usage.

One piece of jargon in the Spotify label was that it collected people’s “coarse location” for advertising. What does that mean?

Spotify said this applies to people with free accounts who receive ads. The app extracts information from the device to get approximate locations so that it can serve ads relevant to where those users are. But most people are unlikely to understand this from reading the label.

Apple Music’s privacy label suggested that it linked data to you for advertising purposes, even though the app does not show or play advertisements. It was only on Apple’s website that I found out that Apple Music looks at what you listen to so that it can provide information on upcoming releases and new artists that match your interests.

Privacy labels are especially confusing when it comes to Apple’s own apps. Indeed, while some Apple applications have appeared in the App Store with privacy labels, others have not.

Apple said only some of its apps – like FaceTime, Mail, and Apple Maps – could be removed and downloaded again from the App Store, so these can be found there with privacy labels. But its Phone and Messages apps cannot be removed from devices and therefore do not have privacy labels in the App Store. Instead, the privacy labels for these apps can be found in hard-to-find support documents.

The result is that Apple’s app data practices are less straightforward. If Apple is to lead the conversation about privacy, it could set a better example by making the language clearer – and its labeling program less self-interested. When I asked why all apps shouldn’t be subject to the same standards, Apple didn’t address the issue further.

Ms Nguyen, the researcher, said a lot has to happen for privacy labels to be successful. Besides behavior change, she said, companies need to be honest in describing their data collection. More importantly, people must be able to understand the information.

“I can’t imagine my mom would ever stop to look at a label and say, ‘Let me look at the data related to me and the data that is not related to me,’” she said. “What does it mean?”
