Apple Privacy Labels: Free VPN App Investigation

We analyzed the privacy labels displayed by the 20 most prominent VPN apps in each of the US, UK, Australian and Canadian iOS App Stores and found that just 12% were completely accurate.
App Store screenshot for privacy labels for VPN apps investigation
Simon Migliano

Key Findings

  • 49 unique VPN apps appear in the top 20 apps displayed by Apple in each of the US, UK, Canada and Australia App Store locales for generic VPN searches
  • Compliant VPN apps: just 6 VPNs (12%) displayed privacy labels that adhered to Apple’s guidelines
  • Inaccuracies: 34 VPN apps (69%) had inaccurate privacy labels on their App Store listings. 19 apps (39%) had two or more incorrect labels.
  • Missing labels: 9 VPN apps (18%) lacked privacy labels as they had failed to submit any details to Apple
  • IP address collection: 14 VPN apps (29%) failed to properly disclose collection of this data point
  • US version of the App Store: 19 (95%) of the 20 top-ranked VPN apps had inaccurate privacy labels

Introduction

All eyes may be on Apple’s latest iOS 14.5 software upgrade and its shiny new App Tracking Transparency privacy tool but the jury’s still out on the headline-grabbing privacy feature from the update a few short months ago.

Apple introduced mandatory privacy labels in its App Store at the end of 2020 to make it easier for consumers to get insight into individual apps’ data collection practices.

Broadly analogous to “nutrition facts” for app privacy, the easy-to-understand labels have been hailed as a big step forward for privacy.

Apps that collect personal data are required to self-submit information which Apple uses to award any combination of three labels:

  • Data Not Linked To You
  • Data Linked To You
  • Data Used To Track You

Apps that claim not to collect any personal data, or where they meet certain criteria to not disclose collection, instead display a No Data Collected label.

Any developer who has submitted an update to their app since the labels were introduced has been required to provide the necessary information to display them as part of the approval process.

In light of the fact that these privacy labels are based on self-submitted information that isn’t audited by Apple or a third party, we decided to investigate just how accurate they actually are for mobile VPN apps. This felt particularly pertinent given Apple’s questionable record in properly managing this category of apps where privacy is paramount.

We identified the 20 top apps shown by Apple in its App Store results for generic VPN searches in each of the US, UK, Australia and Canada locales. We analyzed the resulting 49 unique apps to determine the accuracy of their privacy labels.

We cross-referenced the apps’ privacy labels with their privacy policies and the results of testing their traffic. We conducted our tests with mitmproxy, an open source HTTPS proxy.

What’s most disturbing about our findings is not that so many VPN apps have inaccurate or missing privacy labels but that Apple still ranks them so highly in its search results.

Our investigation also highlighted further flaws in Apple’s system even beyond the fundamental problem posed by self-certification.

One loophole is that while privacy labels are “mandatory”, developers whose apps are already in the App Store are only required to submit the required information when they update those apps. The result? Almost 20% of the apps we analyzed had simply not been updated since the labels were introduced.

Another relates to Apple’s rules around “optional non-disclosure” of data collection in certain circumstances.

These rules permit developers to avoid disclosing the collection of personal data that meets the following criteria:

  • The data collected is not linked with third-party data for advertising purposes or shared with a data broker
  • The data is not used for third-party ads, or for the developers’ own ads or marketing purposes
  • The data collection is infrequent, optional and not part of the app’s core functionality
  • The data is directly submitted by the user within the app

In our view this creates too much wriggle room for developers, as the more transparent operators skew to greater levels of disclosure, while the rest take maximum advantage of the permitted exemptions. This inconsistency makes it more difficult for consumers to compare apps on the basis of privacy.

There is also little incentive for developers to be fully transparent and risk alienating potential customers while Apple fails to penalize apps that don’t follow its privacy rules and continues to reward them with such prominence in its search results.

Our Key Findings at the top of this report have been calculated on the basis of the proportion of the 49 unique apps in the study found to be accurate or otherwise. The detailed results of our analysis of those apps are available as a datasheet.

However, the locale-specific statistics below are based upon the apps that make up the top 20 in that locale, regardless of any repetition of those apps across other locales.

EXPERT TIP: If you’re considering downloading a free VPN, consider our list of the best free VPN services.

Read all of our research into the risks of free VPN services.

Common Issues

IP Address

In a significant black mark against Apple’s privacy label system, 29% of the VPNs (14 apps) we analyzed failed to properly disclose that they collect a user’s IP address.

Your IP address is considered to be personal data under GDPR and under the CCPA. The collection of this data therefore requires a Data Linked To You label.

The failure to properly disclose the collection of user IP addresses breaks down as follows:

  • 4 apps with the No Data Collected label
  • 3 apps that failed to submit the necessary information
  • 5 apps with other data collection labels but no Data Linked To You label
  • 2 apps with the Data Linked To You label that failed to specify IP address collection

A further two apps performed temporary collection or real-time monitoring of the IP addresses of sites visited. Both these apps, PlaneVPN and Encrypt VPN, displayed No Data Collected labels.

Wrong Label

Data Not Linked To You is the “least worst” data collection label, so it’s perhaps unsurprising that some developers leaned more toward the use of this label for their apps when the Data Linked To You label would have been more appropriate.

Of the 20 apps overall with an inaccurate Data Not Linked To You label, 18 of them suffered from this issue.

Data points that were incorrectly listed under the Data Not Linked To You label included:

  • Device ID
  • User ID
  • Purchase history
  • Email address

All of these data points are inherently linked to a user unless appropriately anonymized. Unfortunately, we found no mention or evidence that these privacy practices were being implemented by the apps labeling their data collection in this way.

This kind of data collection should be listed under the Data Linked To You label. However, the majority of the apps in question (15 apps) failed to display this label at all, resulting in prospective users likely to be misled about what data these apps collect.

While an isolated incident, we found a particularly egregious example of mislabeling on the Fast VPN store listing. Ranked third in the UK app store for VPN searches, Fast VPN listed collection of user emails and SMS messages under the Data Not Linked To You label.

Responding to our findings, NordVPN suggested that the nature of Apple’s information submission process, which involves answering a questionnaire that Apple then uses to generate the privacy labels, makes it impossible for developers to have fine-grain control over the final format of the labels.

NordVPN added that this issue was exacerbated by the lack of consensus among the top VPN providers on how to approach certain types of data collection, a view that is borne out by our overall findings.

In a positive development for consumers, both NordVPN and Aura, the parent company of the developers of Hotspot Shield, Betternet and VPN 360, told us that in light of our findings they would be reviewing how this kind of data collection was labeled and look to make improvements where possible.

Update: NordVPN have advised us that they have updated their privacy labels, with User ID and Email Address now under Data Linked To You.

Location Data

We found six unique apps to have either omitted or misrepresented the location data collected. Four apps omitted that they collected coarse location, ie limited to a broad postcode area or city.

However, we also found one app, VPN – Super Unlimited Proxy, to claim that it only collected coarse location data despite a privacy policy that confirmed collection of GPS data. Another app, Flash VPN, suggested that its collection of precise location was not linked to a user.

Compliant Apps By Country

The following table shows the number of apps in the 20 top-ranked VPN apps in each locale of the iOS App Store that display privacy labels that fully adhere with Apple’s guidelines.

Click the country links to jump down to more detailed findings by country.

Top 20 US Apps

The following table shows the 20 top-ranked VPN apps in the US version of the App Store.

Note on the use of “N/A” in the table: If an app has the “Data Not Collected” label then it can’t also have any other labels. Apps with this label therefore have “N/A” for the presence of labels indicating that the app does collect data.

Similarly, if an app has any of the three labels indicating that it does collect any data at all then it can’t also have the “Data Not Collected” label. These apps therefore have “N/A” for the “Data Not Collected” label.

Apps that failed to submit the necessary data to display privacy labels have been marked accordingly.

For detailed findings on the apps in this table, see the US VPN apps datasheet.

Headline Stats

  • Compliant apps: just 1 app (5%) displayed privacy labels that adhered to Apple’s guidelines
  • Inaccuracies: 16 apps (80%) had inaccurate privacy labels on their App Store listings. 11 apps (55%) had two or more incorrect labels.
  • Missing labels: 3 apps (15%) lacked privacy labels as they had failed to submit any details to Apple

Top 20 UK Apps

The following table shows the 20 top-ranked VPN apps in the UK version of the App Store.

Note on the use of “N/A” in the table: If an app has the “Data Not Collected” label then it can’t also have any other labels. Apps with this label therefore have “N/A” for the presence of labels indicating that the app does collect data.

Similarly, if an app has any of the three labels indicating that it does collect any data at all then it can’t also have the “Data Not Collected” label. These apps therefore have “N/A” for the “Data Not Collected” label.

Apps that failed to submit the necessary data to display privacy labels have been marked accordingly.

For detailed findings on the apps in this table, see the UK VPN apps datasheet.

Headline Stats

  • Compliant apps: just 4 apps (20%) displayed privacy labels that adhered to Apple’s guidelines
  • Inaccuracies: 12 apps (60%) had inaccurate privacy labels on their App Store listings. 8 apps (40%) had two or more incorrect labels.
  • Missing labels: 4 apps (20%) lacked privacy labels as they had failed to submit any details to Apple

Top 20 AU Apps

The following table shows the 20 top-ranked VPN apps in the Australian version of the App Store.

Note on the use of “N/A” in the table: If an app has the “Data Not Collected” label then it can’t also have any other labels. Apps with this label therefore have “N/A” for the presence of labels indicating that the app does collect data.

Similarly, if an app has any of the three labels indicating that it does collect any data at all then it can’t also have the “Data Not Collected” label. These apps therefore have “N/A” for the “Data Not Collected” label.

Apps that failed to submit the necessary data to display privacy labels have been marked accordingly.

For detailed findings on the apps in this table, see the Australian VPN apps datasheet.

Headline Stats

  • Compliant apps: just 2 apps (10%) displayed privacy labels that adhered to Apple’s guidelines
  • Inaccuracies: 16 apps (80%) had inaccurate privacy labels on their App Store listings. 9 apps (45%) had two or more incorrect labels.
  • Missing labels: 2 apps (10%) lacked privacy labels as they had failed to submit any details to Apple

Top 20 CA Apps

The following table shows the 20 top-ranked VPN apps in the Canadian version of the App Store.

Note on the use of “N/A” in the table: If an app has the “Data Not Collected” label then it can’t also have any other labels. Apps with this label therefore have “N/A” for the presence of labels indicating that the app does collect data.

Similarly, if an app has any of the three labels indicating that it does collect any data at all then it can’t also have the “Data Not Collected” label. These apps therefore have “N/A” for the “Data Not Collected” label.

Apps that failed to submit the necessary data to display privacy labels have been marked accordingly.

For detailed findings on the apps in this table, see the Canadian VPN apps datasheet.

Headline Stats

  • Compliant apps: just 5 apps (25%) displayed privacy labels that adhered to Apple’s guidelines
  • Inaccuracies: 12 apps (60%) had inaccurate privacy labels on their App Store listings. 5 apps (25%) had two or more incorrect labels.
  • Missing labels: 3 apps (15%) lacked privacy labels as they had failed to submit any details to Apple

Methodology

We identified the top 20 apps displayed in Apple’s App Store in the search results for “VPN” in mid-March 2021 for each of the following locales: the US, UK, Australia and Canada. This constituted a cohort of 49 apps for analysis and testing, as many apps appeared in the top 20 results for more than one locale.

We took snapshots of the privacy labels as they stood in mid-March. These can be viewed via the archive links of the store listings in the tables and the datasheets.

The contents of each app’s labels were cross-referenced with that app’s privacy policy and the results of traffic testing using mitmproxy. Any discrepancies were checked against the Apple Developer Guidelines to see whether they met the criteria for optional disclosure.

Additional research by Callum Tennent, David Hughes, Liam Mullally and Luke Williams.

The authors of all our investigations abide by the journalists’ code of conduct.