Why people like Apple’s new privacy labels, despite their flaws

Why people like Apple’s new privacy labels, despite their flaws

2021-02-19 15:00:00

Apple's privacy & # 39; nutrition labels & # 39; have been on the App Store for just over two months now. Privacy advocates generally welcomed these easy-to-read versions of apps' privacy policies; informing users about the mysterious workings of their apps is almost always a positive development.

The labels are just one of Apple's new policies to give users more privacy at the expense of the app economy, which largely depends on the collection and sale of covertly obtained user data. In the early spring, Apple will release iOS 14.5, which will force apps to get user consent to track users across apps for ad targeting, a move Facebook vocally opposes – and the extraordinarily long labels may be a good clue as to why. But that update only applies to user tracking in apps; the labels give users more information about the data being tracked while using the app itself. That can be useful information, if done well.

"Any additional transparency that companies, and especially platforms like Apple, can provide in terms of how apps and companies collect and use personal data – that's good," John Davisson, senior advisor at the Electronic Privacy Information Center (EPIC), told Recode . "It's good for consumers to have access to that information."

But in practice, some reviews have said, the labels need some work. Geoffrey Fowler of the Washington Post found it some apps were not truthful about their privacy policies in their labels, and that could create a false sense of security for consumers. Brian X. Chen of the New York Times thought the labels were informative to some extent. The labels gave him an idea of ​​how much data an app was collecting about him, but not what that data was used for.

Those ratings, of course, come from the perspective of tech journalists, who know more about data privacy and data collection than the average person. I wanted to know what normal people, who don't think about Facebook Pixels and the misconception of anonymized data all day, think about the labels. Did they understand them? Did they learn anything from it? Have they changed their behavior in any way? Did they even know the labels existed?

So that's what I asked 12 (relatively normal) people: friends, family and Vox readers. Here's what I found – and where there is room for improvement.

The labels only work when people know they are there

Many of the people I spoke to were not even aware that the privacy labels existed, which is a problem for a feature intended to provide information.

The labels are displayed on the app's page in the App Store, and you have to scroll down through different sections – past What's New, Preview and Ratings & Reviews – to get to them. Then you have to tap on "see details" to get the full label. If you're just updating an app you've already downloaded to your device, you probably won't even go to that app's page to see the label.

"I think they make downloading so easy that you don't scroll down to read all the fine print," said Tyana Soto, a packaging designer in New York. “I've never scrolled further down than that download button. If it's an app I really want, I'm not reading all the details or researching further – and now I realize I should. "

Reza Shamshad, a New Jersey college student, knew the labels existed (he's been waiting to check them out since they were first announced last June) and says he likes them, except for their placement.

"I fear the average consumer will not have any incentive to scroll down far enough to actually use them, as they are primarily only interested in downloading the app quickly, especially if it is free," said he.

Even the simplest presentations can get complicated

The labels are meant to be as easy to understand and use as possible, but the app data collection industry is complex and secret. Data brokers want to collect as much information about you (even data you didn't even know was possible) without you even realizing they are doing it.

Apple's labels must strike a balance between giving the general user enough information to understand what an app does with their data, but not so much that the labels become as compact and complex as the privacy policy they are supposed to summarize. If apps have only collected a few types of data, that seems to work pretty well on the labels. But apps that collected a lot of data ended up with very long lists that people found less informative.

For example, the privacy labels for the Facebook and Instagram apps ticked off seemingly every data collection box that Apple offered. The result was a CVS reception length privacy label that basically says that Facebook can collect any category of data about you, including anything that doesn't fall into a category. Here's Facebook's full label – get ready to scroll:

Facebook's privacy label is very long.

The labels of Facebook's other apps – WhatsApp, Messenger and Facebook Gaming – show that they also collect a lot of data, although they said they don't use it to track users, such as Facebook and Instagram. That is a special one bad look for WhatsApp, which has promoted itself as a personal encrypted messaging app.

"Facebook had 'different data types' for all data categories," said Christine Sica, a Connecticut account manager. "Anything not listed above may fall into that category of data they collect. They also use your physical address for all data categories. . I don't remember giving that information unless they rely on the location of your phone. It also seems like they use "sensitive information" for different categories. What is sensitive information? Who would I ask that question? even ask? "

According to Appleincludes sensitive information & # 39; racial or ethnic data, sexual orientation, information about pregnancy or childbirth, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information or biometric data & # 39 ;.

Sica was not alone in being confused about what data was collected by the app without your permission and what could only be collected if you chose to provide (or allow access to) this data. When Sica saw that Facebook was collecting audio data, she wondered if that meant the app was listening to her. But that should only happen if you give Facebook audio permission and actively use your microphone, such as if you use Messenger's Rooms feature for a video chat. Facebook isn't listening to you any further (at least that's what the company and independent researchers say).

So you have some control over the collection of certain data, but you can't stop Facebook's apps, for example, from collecting your device ID or IP address. That's a distinction that might be worthwhile for users who want to know how and what to control.

Waze may collect your health and fitness data, which the company says helps the app determine if you're parking your car.

Some people were also unable to figure out why certain categories of data were collected only on the labels. Waze & # 39; s label says it collects & # 39; Health & Fitness & # 39; information for app functionality, which was one of the many reasons why Maria, a New York teacher, uses the labels & # 39; horrifying – she couldn't see how fitness information helped the app function, or what fitness information was being collected in the first place.

Waze told Recode that the purpose of this is to detect certain movement activity when a user parks their car. Taking Waze to his word, it's not as creepy as the privacy label made it seem, but Maria couldn't have known that from the label alone.

Labels alone may not give you all the information you need

While the people I spoke to found the labels generally informative at the surface level, they weren't sure what else to make of it.

"It seemed easy to understand, but then I found myself thinking," Wait, what does that really mean? "Said Sara Morrison (not me; my sister-in-law).

Apple likes to say that the labels look like food nutrition labels, but there is an important difference. While food nutrition labels associate that information with the daily value percentage, Apple's labels do not make a value judgment about whether certain data collection is good or bad, whether an app is too invasive for the service it provides, or how it compares to others. apps. You have to figure that out for yourself, and you may not have enough knowledge to actually do that.

Davisson said he thought the labels could be most useful if someone were trying to decide which of two similar apps to download. The more privacy-focused app could get a head start there.

"I think it's analogous to checking the weather forecast before you leave tomorrow morning," Davisson said. “If you see a 10 percent chance of rain, you may not be allowed to bring your umbrella. If you see a 90 percent chance of rain, you can bring your umbrella. So if you look at a side-by-side comparison and see that one app is collecting 50 categories of data and the other zero, that's probably a good indication that that app is serious about privacy. "

So most people will have to read beyond the labels if they really want to know and understand what is being collected and how. Be here two Guides that should provide clarity, or you can (shudder) read the app's privacy policy.

You also trust app developers to be honest about their data collection practices because, as the label says, Apple does not verify it (the company says it conducts audits, but those would not apply to every single app) . The developers have to submit the label when they upload a new app or update an existing one, and basically just tick off the boxes that Apple offers. Concerned that developers may not be truthful, the US House Commerce Committee said has asked Apple to explain how and when it checks labels for accuracy. One person I spoke to was surprised to find that Google's Gmail app didn't have a label yet, as it hadn't been updated for months.

That said, businesses run the risk of being kicked out of the App Store and in trouble with the Federal Trade Commission if they lie. You just have to hope this is enough incentive for developers to be honest.

Labels are not perfect, but they are useful

Despite the limitations, everyone I spoke to was happy that the labels were there, even though they personally learned nothing new from them.

Several people said they would check labels before downloading apps now that they knew they existed and where they were. And some were shocked enough by what they saw on the labels that they modified some of their permissions and even removed some of their apps.

Sascha Rissling, a web developer from Germany, told Recode he was "shocked" by the amount of information Twitter said he had collected, so he removed Twitter and Facebook's apps from his phone. Several people told me that they have disabled (or limited) app access to their location data.

A few others were delighted to find that certain apps collected much less data than they expected, such as Microsoft Solitaire Collection, Among Us, and True Coach. And then there's Signal, the private messaging app that says it collects next to nothing. When it comes to making users more aware, at least on a general level, of how much data apps can collect about them, the labels seem to do the job.

But they also show how much work consumers have to do if they want to keep data collection to a minimum. Everyone I spoke to said privacy was important to them, but many of them didn't know what to do about it, or where and when it was invaded, even after reading the labels. Some described privacy as an & # 39; upside & # 39; or & # 39; losing & # 39; struggle, and resigned themselves to having very little of it. And they are not wrong.

At least they'll have a little more control over some tracking when the iOS update with the App Tracking Transparency feature goes live sometime this spring. And it is quite possible that the labels themselves will improve over time; Apple has said they are work in progress.

"It should not be up to the consumer to check all this for themselves and try to find out exactly what is being collected, how it is used and whether they consider the developers' statements reliable," said Davisson. "We do not expect people to regulate their own food supplies; we cannot expect individuals to regulate the use of their personal data by companies and third parties."

Awareness is good, but empowerment is better. The labels promote the former. I'm not so sure about the latter.

Or, as Maria complained, "This information has made me a little more paranoid than I already am."

Open source is powered by Omidyar Network. All open source content is editorially independent and produced by our journalists.


Leave a Reply

Your email address will not be published. Required fields are marked *