All eyes may be on Apple’s latest iOS 14.5 software upgrade and its shiny new App Tracking Transparency privacy tool, but the jury’s still out on the headline-grabbing privacy feature from the update a few short months ago.
Apple introduced mandatory privacy labels in its App Store at the end of 2020 to make it easier for consumers to get insight into individual apps’ data collection practices.
Broadly analogous to “nutrition facts” for app privacy, the easy-to-understand labels have been hailed as a big step forward for privacy.
Apps that collect personal data are required to self-submit information which Apple uses to award any combination of three labels:
- Data Not Linked To You
- Data Linked To You
- Data Used To Track You
Apps that claim not to collect any personal data, or that meet certain criteria for not disclosing collection, instead display a No Data Collected label.
Any developer who has submitted an update to their app since the labels were introduced has been required to provide the necessary information to display them as part of the approval process.
In light of the fact that these privacy labels are based on self-submitted information that isn’t audited by Apple or a third party, we decided to investigate just how accurate they actually are for mobile VPN apps. This felt particularly pertinent given Apple’s questionable record in properly managing this category of apps where privacy is paramount.
We identified the 20 top-ranked VPN apps in each of the US, UK, Australia and Canada locales of the App Store and analyzed their privacy labels to determine their accuracy and compliance with Apple’s new guidelines. This gave us 49 unique apps for analysis.
We cross-referenced the apps’ privacy labels with their privacy policies and the results of testing their traffic. We conducted our tests with mitmproxy, an open source HTTPS proxy.
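A sketch of the cross-referencing step described above, as an added example that is not the investigators' own tooling: it compares each app's declared labels with requests observed through an intercepting proxy. The app names, domains, field names and flow records are all constructed, and each finding is a lead to check against the app's privacy policy, not a verdict.

```python
# Added example: every app name, domain and field name below is constructed.
IDENTIFIER_KEYS = {"idfa", "idfv", "device_id", "email"}  # assumed personal-data fields

LABELS = {  # labels as shown in the App Store listing (constructed)
    "vpn-a": {"No Data Collected"},
    "vpn-b": {"Data Not Linked To You"},
    "vpn-c": set(),  # not updated since labels were introduced
}
FIRST_PARTY = {  # domains operated by each developer (constructed)
    "vpn-a": {"vpn-a.example"},
    "vpn-b": {"vpn-b.example"},
    "vpn-c": {"vpn-c.example"},
}
FLOWS = [  # decrypted requests exported from the intercepting proxy (constructed)
    {"app": "vpn-a", "host": "api.vpn-a.example", "fields": ["plan"]},
    {"app": "vpn-a", "host": "collect.analytics.example", "fields": ["IDFA", "event"]},
    {"app": "vpn-b", "host": "api.vpn-b.example", "fields": ["device_id"]},
    {"app": "vpn-b", "host": "cdn-vpn-b.example", "fields": ["device_id"]},
    {"app": "vpn-c", "host": "api.vpn-c.example", "fields": ["region"]},
]

def is_first_party(host, domains):
    """Exact or dot-boundary suffix match, so cdn-vpn-b.example != vpn-b.example."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def audit(labels, first_party, flows):
    """Return {app: sorted findings}; findings are leads for manual policy review."""
    findings = {app: set() for app in labels}
    for app, declared in labels.items():
        if not declared:
            findings[app].add("missing label")
    for flow in flows:
        app, host = flow["app"], flow["host"]
        declared = labels.get(app, set())
        sent = sorted(IDENTIFIER_KEYS & {k.lower() for k in flow["fields"]})
        if not sent or not declared:
            continue  # nothing identifying sent, or no label to compare against
        if "No Data Collected" in declared:
            findings[app].add(f"contradiction: {sent} sent to {host}")
        elif not is_first_party(host, first_party.get(app, set())):
            findings[app].add(f"review: {sent} sent to third party {host}")
    return {app: sorted(f) for app, f in findings.items() if f}

if __name__ == "__main__":
    for app, items in audit(LABELS, FIRST_PARTY, FLOWS).items():
        print(app, items)
```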
Our investigation not only revealed the disturbing proportion of apps with inaccurate or missing privacy labels but also highlighted further flaws in Apple’s system even beyond the fundamental problem posed by self-certification.
One loophole is that while privacy labels are “mandatory”, developers whose apps are already in the App Store are only required to submit the required information when they update those apps. The result? Almost 20% of the apps we analyzed had simply not been updated since the labels were introduced.
Another relates to Apple’s rules around “optional non-disclosure” of data collection in certain circumstances.
These rules permit developers to avoid disclosing the collection of personal data that meets the following criteria:
- The data collected is not linked with third-party data for advertising purposes or shared with a data broker
- The data is not used for third-party ads, or for the developers’ own ads or marketing purposes
- The data collection is infrequent, optional and not part of the app’s core functionality
- The data is directly submitted by the user within the app
In our view this creates too much wriggle room for developers, as the more transparent operators skew to greater levels of disclosure, while the rest take maximum advantage of the permitted exemptions. This inconsistency makes it more difficult for consumers to compare apps on the basis of privacy.
Our Key Findings at the top of this report have been calculated on the basis of the proportion of the 49 unique apps in the study found to be accurate or otherwise. The detailed results of our analysis of those apps are available as a datasheet.
However, the locale-specific statistics below are based upon the apps that make up the top 20 in that locale, regardless of any repetition of those apps across other locales.