Apple’s new privacy labels
Apps must now list what types of data they are collecting
We all know that apps collect our data. Yet one of the few ways to find out what an app does with our information involves reading a privacy policy.
Let’s be real: Nobody does that.
So late last year, Apple introduced a new requirement for all software developers that publish apps through its app store. Apps must now include so-called privacy labels, which list the types of data being collected in an easily scannable format. The labels resemble a nutrition marker on food packaging.
These labels, which began appearing in the app store in December, are the latest attempt by tech designers to make data security easier for all of us to understand.
You might be familiar with earlier iterations, such as the padlock symbol in a web browser. A locked padlock tells us that a website is trusted, while an unlocked one suggests that a website can be malicious.
The question is whether Apple’s new labels will influence the choices people make. “After they read it or look at it, does it change how they use the app or stop them from downloading the app?” asked Stephanie Nguyen, a research scientist who has studied user experience design and data privacy.
To put the labels to the test, I pored over dozens of apps. Then I focused on the privacy labels for the messaging apps WhatsApp and Signal, the streaming music apps Spotify and Apple Music and, for fun, MyQ , the app I use to open my garage door remotely.
I learned plenty. The privacy labels showed that apps that appear identical in function can vastly differ in how they handle our information. I also found that lots of data gathering is happening when you least expect it, including inside products you pay for.
But while the labels were often illuminating, they sometimes created more confusion.
To find the new labels, iPhone and iPad users with the latest operating system (iOS and iPadOS 14.3) can open the app
store and search for an app. Inside the app’s description, look for “App Privacy.” That’s where a box appears with the label.
Apple has divided the privacy label into three categories. They are:
• Data used to track you: This information is used to follow your activities across apps and websites.
• Data linked to you: This information is tied to your identity, such as your purchase history or contact information.
• Data not linked to you: This information is not directly tied to you or your account. A mapping app might collect data from motion sensors to provide turn-by-turn directions for everyone, for instance. It doesn’t save that information in your account.
Now let’s see what these labels revealed about specific apps.
WhatsApp vs. Signal
On the surface, WhatsApp, which is owned by Facebook, appears to be nearly identical to Signal. Both offer encrypted messaging, which scramble your messages so only the recipient can decipher them. Both also rely on your phone number to create an account and receive messages.
But their privacy labels immediately reveal how different they are under the hood.
The labels immediately made it clear that WhatsApp taps far more of our data than Signal does. When I asked the companies about this, Signal said it made an effort to take less information.
For group chats, the WhatsApp privacy label showed that the app has access to user content, which includes group chat names and group profile photos. Signal does not do this.
For people’s contacts, the WhatsApp privacy label showed that the app can get access to our contacts list; Signal does not.
When you least expect it
I then took a close look at the privacy label for a seemingly innocuous app: MyQ from Chamberlain, a company that sells garage door openers. The MyQ app works with a $40 hub that connects with a Wi-Fi router so you can open and close your garage door remotely.
Why would a product I paid for to open my garage door track my name, email address, device identifier and usage data?
Elizabeth Lindemulder, who oversees connected devices for the Chamberlain Group, said the company collected data to target people with ads across the web.
Chamberlain also has partnerships with other companies, such as Amazon, and data is shared with partners when people opt to use their services.
Spotify vs. Apple Music
Finally, I compared the privacy labels for two streaming music apps: Spotify and Apple Music.
When I dug into the labels, both contained such confusing or misleading terminology that I could not immediately connect the dots on what our data was used for.
One piece of jargon in Spotify’s label was that it collected people’s “coarse location” for advertising. What does that mean?
Spotify said this applied to people with free accounts who received ads.
Apple Music’s privacy label suggested that it linked data to you for advertising purposes — even though the app doesn’t show or play ads. Only on Apple’s website did I find out that Apple Music looks at what you listen to so it can provide information about upcoming releases and new artists who are relevant to your interests.
The privacy labels are especially confusing when it comes to Apple’s own apps. That’s because while some Apple apps appeared in the app store with privacy labels, others did not.
Apple said only some of its apps — such as FaceTime, Mail and Apple Maps — could be deleted and downloaded again in the App Store, so those can be found there with privacy labels. But its Phone and Messages apps cannot be deleted and so the privacy labels for those apps are in hard-to-find support documents.