VPN Compliance with Apple's New Privacy Rules
All eyes may be on Apple’s latest iOS 14.5 software upgrade and its shiny new App Tracking Transparency privacy tool, but the jury’s still out on the headline-grabbing privacy feature from the update a few short months ago.
Apple introduced mandatory privacy labels in its App Store at the end of 2020 to make it easier for consumers to get insight into individual apps’ data collection practices.
Broadly analogous to “nutrition facts” for app privacy, the easy-to-understand labels have been hailed as a big step forward for privacy.
Apps that collect personal data are required to self-submit information which Apple uses to award any combination of three labels:
- Data Not Linked To You
- Data Linked To You
- Data Used To Track You
Apps that claim not to collect any personal data, or that meet certain criteria allowing them not to disclose collection, instead display a No Data Collected label.
Any developer who has submitted an update to their app since the labels were introduced has been required to provide the necessary information to display them as part of the approval process.
In light of the fact that these privacy labels are based on self-submitted information that isn’t audited by Apple or a third party, we decided to investigate just how accurate they actually are for mobile VPN apps. This felt particularly pertinent given Apple’s questionable record in properly managing this category of apps, where privacy is paramount.
We identified the 20 top VPNs shown by Apple in its App Store results for generic VPN searches in each of the US, UK, Australia and Canada locales. We analyzed the resulting 49 unique VPN apps to determine the accuracy of their privacy labels.
We cross-referenced the apps’ privacy labels with their privacy policies and the results of testing their traffic. We conducted our tests with mitmproxy, an open source HTTPS proxy.
What’s most disturbing about our findings is not that so many VPN apps have inaccurate or missing privacy labels but that Apple still ranks them so highly in its search results.
Our investigation also highlighted further flaws in Apple’s system even beyond the fundamental problem posed by self-certification.
One loophole is that while privacy labels are “mandatory”, developers whose apps are already in the App Store are only required to submit the required information when they update those apps. The result? Almost 20% of the apps we analyzed had simply not been updated since the labels were introduced.
Another relates to Apple’s rules around “optional non-disclosure” of data collection in certain circumstances.
These rules permit developers to avoid disclosing the collection of personal data that meets the following criteria:
- The data collected is not linked with third-party data for advertising purposes or shared with a data broker
- The data is not used for third-party ads, or for the developers’ own ads or marketing purposes
- The data collection is infrequent, optional and not part of the app’s core functionality
- The data is directly submitted by the user within the app
In our view this creates too much wriggle room for developers, as the more transparent operators skew to greater levels of disclosure, while the rest take maximum advantage of the permitted exemptions. This inconsistency makes it more difficult for consumers to compare apps on the basis of privacy.
There is also little incentive for developers to be fully transparent and risk alienating potential customers while Apple fails to penalize apps that don’t follow its privacy rules and continues to reward them with such prominence in its search results.
Our key findings at the top of this report have been calculated on the basis of the proportion of the 49 unique apps in the study found to be accurate or otherwise. The detailed results of our analysis of those apps are available as a datasheet.
However, the locale-specific statistics below are based upon the apps that make up the top 20 in that locale, regardless of any repetition of those apps across other locales.
For the highest levels of VPN privacy and security, we strongly recommend using the highest-rated mobile VPN apps.