Apple Privacy Labels: Free VPN App Investigation

We analyzed the privacy labels displayed by the 20 most prominent VPN apps in each of the US, UK, Australian and Canadian iOS App Stores and found that just 12% were completely accurate.
Simon Migliano
  • 49 unique VPN apps appear in the top 20 results displayed by Apple in each of the US, UK, Canada and Australia App Store locales for generic VPN searches
  • Compliant VPN apps: just 6 VPNs (12%) displayed privacy labels that adhered to Apple’s guidelines
  • Inaccuracies: 34 VPN apps (69%) had inaccurate privacy labels on their App Store listings. 19 VPNs (39%) had two or more incorrect labels.
  • Missing privacy labels: 9 VPN apps (18%) lacked privacy labels as they had failed to submit any details to Apple
  • IP address collection: 14 VPN apps (29%) failed to properly disclose collection of this personal data point
  • U.S. version of the App Store: 19 (95%) of the 20 top-ranked VPN apps had inaccurate privacy labels

VPN Compliance with Apple's New Privacy Rules

All eyes may be on Apple’s latest iOS 14.5 software upgrade and its shiny new App Tracking Transparency privacy tool but the jury’s still out on the headline-grabbing privacy feature from the update a few short months ago.

Apple introduced mandatory privacy labels in its App Store at the end of 2020 to make it easier for consumers to get insight into individual apps’ data collection practices.

Broadly analogous to “nutrition facts” for app privacy, the easy-to-understand labels have been hailed as a big step forward for privacy.[1]

Apps that collect personal data are required to self-submit information which Apple uses to award any combination of three labels:

  • Data Not Linked To You
  • Data Linked To You
  • Data Used To Track You

Apps that claim not to collect any personal data, or where they meet certain criteria to not disclose collection, instead display a No Data Collected label.

Any developer who has submitted an update to their app since the labels were introduced has been required to provide the necessary information to display them as part of the approval process.[2]

In light of the fact these privacy labels are based on self-submitted information that isn’t audited by Apple or a third party, we decided to investigate just how accurate they actually are for mobile VPN apps. This felt particularly pertinent given Apple’s questionable record in properly managing this category of apps where privacy is paramount.

We identified the 20 top VPNs shown by Apple in its App Store results for generic VPN searches in each of the US, UK, Australia and Canada locales. We analyzed the resulting 49 unique VPN apps to determine the accuracy of their privacy labels.

We cross-referenced the apps’ privacy labels with their privacy policies and the results of testing their traffic. We conducted our tests with mitmproxy, an open source HTTPS proxy.[3]

What’s most disturbing about our findings is not that so many VPN apps have inaccurate or missing privacy labels but that Apple still ranks them so highly in its search results.

Our investigation also highlighted further flaws in Apple’s system even beyond the fundamental problem posed by self-certification.

One loophole is that while privacy labels are “mandatory”, developers whose apps are already in the App Store are only required to submit the required information when they update those apps. The result? Almost 20% of the apps we analyzed had simply not been updated since the labels were introduced.

Another relates to Apple’s rules around “optional non-disclosure” of data collection in certain circumstances.[4]

These rules permit developers to avoid disclosing the collection of personal data that meets the following criteria:

  • The data collected is not linked with third-party data for advertising purposes or shared with a data broker[5]
  • The data is not used for third-party ads, or for the developers’ own ads or marketing purposes
  • The data collection is infrequent, optional and not part of the app’s core functionality
  • The data is directly submitted by the user within the app

In our view this creates too much wriggle room for developers, as the more transparent operators skew to greater levels of disclosure, while the rest take maximum advantage of the permitted exemptions. This inconsistency makes it more difficult for consumers to compare apps on the basis of privacy.

There is also little incentive for developers to be fully transparent and risk alienating potential customers while Apple fails to penalize apps that don’t follow its privacy rules and continues to reward them with such prominence in its search results.

Our key findings at the top of this report have been calculated on the basis of the proportion of the 49 unique apps in the study found to be accurate or otherwise. The detailed results of our analysis of those apps are available as a datasheet.

However, the locale-specific statistics below are based upon the apps that make up the top 20 in that locale, regardless of any repetition of those apps across other locales.

VPN Privacy Labels: Common Issues

IP Address

In a significant black mark against Apple’s privacy label system, 29% of the VPNs (14 apps) we analyzed failed to properly disclose that they collect a user’s IP address.

Your IP address is considered to be personal data under GDPR and under the CCPA.[6][7] The collection of this data therefore requires a Data Linked To You label.

The failure to properly disclose the collection of user IP addresses breaks down as follows:

  • 4 VPNs with the No Data Collected label
  • 3 VPNs that failed to submit the necessary information
  • 5 VPNs with other data collection labels but no Data Linked To You label
  • 2 VPNs with the Data Linked To You label that failed to specify IP address collection

A further two VPNs performed temporary collection or real-time monitoring of the IP addresses of sites visited. Both of these, PlaneVPN and Encrypt VPN, displayed No Data Collected labels.

Wrong Label

Data Not Linked To You is the “least worst” data collection label, so it’s perhaps unsurprising that some VPN developers leaned more toward the use of this label for their apps when the Data Linked To You label would have been more appropriate.

Of the 20 VPNs overall with an inaccurate Data Not Linked To You label, 18 of them suffered from this issue.

Data points that were incorrectly listed under the Data Not Linked To You label included:

  • Device ID
  • User ID
  • Purchase history
  • Email address

All of these data points are inherently linked to a user unless appropriately anonymized. Unfortunately, we found no mention or evidence that these privacy practices were being implemented by the apps labeling their data collection in this way.

This kind of data collection should be listed under the Data Linked To You label. However, the majority of the VPNs in question (15 VPNs) failed to display this label at all, meaning prospective users are likely to be misled about what data these VPNs collect.

While an isolated incident, we found a particularly egregious example of mislabeling on the Fast VPN store listing. Ranked third in the UK app store for VPN searches, Fast VPN listed collection of user emails and SMS messages under the Data Not Linked To You label.

Responding to our findings, NordVPN suggested that the nature of Apple’s information submission process, which involves answering a questionnaire that Apple then uses to generate the privacy labels, makes it impossible for developers to have fine-grain control over the final format of the labels.

NordVPN added that this issue was exacerbated by the lack of consensus among the top VPN providers on how to approach certain types of data collection, a view that is borne out by our overall findings.

In a positive development for consumers, both NordVPN and Aura, the parent company of the developers of Hotspot Shield, Betternet and VPN 360, told us that in light of our findings they would be reviewing how this kind of data collection was labeled and look to make improvements where possible.

Update: NordVPN have advised us that they have updated their privacy labels, with User ID and Email Address now under Data Linked To You.

Location Data

We found six unique VPNs to have either omitted or misrepresented the location data collected. Four VPNs omitted that they collected coarse location, i.e. limited to a broad postcode area or city.

However, we also found one, VPN – Super Unlimited Proxy, to claim that it only collected coarse location data despite a privacy policy that confirmed collection of GPS data. Another, Flash VPN, suggested that its collection of precise location was not linked to a user.

Compliant Apps By Country

The following table shows the number of apps in the 20 top-ranked VPNs in each locale of the iOS App Store that display privacy labels that fully adhere to Apple’s guidelines.

Top 20 US Apps

The following table shows the 20 top-ranked VPN apps in the US version of the App Store.

Note on the use of “N/A” in the table: If a VPN app has the “Data Not Collected” label then it can’t also have any other labels. VPNs with this label therefore have “N/A” for the presence of labels indicating that the app does collect data.

Similarly, if a VPN app has any of the three labels indicating that it does collect any data at all then it can’t also have the “Data Not Collected” label. These VPNs therefore have “N/A” for the “Data Not Collected” label.

VPNs that failed to submit the necessary data to display privacy labels have been marked accordingly.

For detailed findings on the VPN apps in this table, see the US VPN apps datasheet.

Headline Stats

  • Compliant VPNs: just 1 VPN (5%) displayed privacy labels that adhered to Apple’s guidelines
  • Inaccuracies: 16 VPNs (80%) had inaccurate privacy labels on their App Store listings. 11 VPNs (55%) had two or more incorrect labels.
  • Missing labels: 3 VPNs (15%) lacked privacy labels as they had failed to submit any details to Apple

Top 20 UK Apps

The following table shows the 20 top-ranked VPN apps in the UK version of the App Store.

For detailed findings on the VPNs in this table, see the UK VPN apps datasheet.

Headline Stats

  • Compliant VPNs: just 4 VPNs (20%) displayed privacy labels that adhered to Apple’s guidelines
  • Inaccuracies: 12 VPNs (60%) had inaccurate privacy labels on their App Store listings. 8 VPNs (40%) had two or more incorrect labels.
  • Missing labels: 4 VPNs (20%) lacked privacy labels as they had failed to submit any details to Apple

Top 20 AU Apps

The following table shows the 20 top-ranked VPN apps in the Australian version of the App Store.

For detailed findings on the VPNs in this table, see the Australian VPN apps datasheet.

Headline Stats

  • Compliant VPNs: just 2 VPNs (10%) displayed privacy labels that adhered to Apple’s guidelines
  • Inaccuracies: 16 VPNs (80%) had inaccurate privacy labels on their App Store listings. 9 VPNs (45%) had two or more incorrect labels.
  • Missing labels: 2 VPNs (10%) lacked privacy labels as they had failed to submit any details to Apple

Top 20 CA Apps

The following table shows the 20 top-ranked VPN apps in the Canadian version of the App Store.

For detailed findings on the VPN apps in this table, see the Canadian VPN apps datasheet.

Headline Stats

  • Compliant VPNs: just 5 VPNs (25%) displayed privacy labels that adhered to Apple’s guidelines
  • Inaccuracies: 12 VPNs (60%) had inaccurate privacy labels on their App Store listings. 5 VPNs (25%) had two or more incorrect labels.
  • Missing labels: 3 VPNs (15%) lacked privacy labels as they had failed to submit any details to Apple

Methodology

We identified the top 20 apps displayed in Apple’s App Store in the search results for “VPN” in mid-March 2021 for each of the following locales: the US, UK, Australia and Canada. This constituted a cohort of 49 apps for analysis and testing, as many apps appeared in the top 20 results for more than one locale.

We took snapshots of the privacy labels as they stood in mid-March. These can be viewed via the archive links of the store listings in the tables and the datasheets.

The contents of each app’s labels were cross-referenced with that app’s privacy policy and the results of traffic testing using mitmproxy. Any discrepancies were checked against the Apple Developer Guidelines to see whether they met the criteria for optional disclosure.
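The cross-referencing step described above can be sketched as follows. This is an added example, not the investigators' tooling: the label dictionary layout, the detector patterns, the data-type names and the sample request bodies are constructed assumptions, standing in for decrypted request bodies exported from an intercepting proxy such as mitmproxy.

```python
import re

# Data types the article treats as inherently linked to a user unless anonymized.
LINKED_TYPES = {"ip_address", "device_id", "user_id", "purchase_history", "email"}

# Hypothetical detectors applied to decrypted request bodies.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "device_id": re.compile(r"\b[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\b", re.I),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample bodies (not real captures).
SAMPLE_BODIES = [
    '{"idfv":"6F9619FF-8B86-D011-B42D-00C04FC964FF","client_ip":"203.0.113.7"}',
    '{"account":"user@example.com","plan":"free"}',
]

def observed_types(bodies):
    """Return the set of data types seen in any captured request body."""
    return {name for body in bodies
            for name, rx in DETECTORS.items() if rx.search(body)}

def audit(labels, bodies, policy_types=frozenset()):
    """Compare declared labels with traffic and policy evidence; return findings.

    labels: None if the developer submitted nothing, else a dict mapping a
    label name to the data types declared under it (assumed layout).
    policy_types: data types the privacy policy admits to collecting.
    """
    if labels is None:
        return ["missing: no privacy details submitted"]
    findings = []
    collected = observed_types(bodies) | set(policy_types)
    if "No Data Collected" in labels:
        # This label cannot coexist with any of the three collection labels.
        if len(labels) > 1:
            findings.append("invalid: No Data Collected combined with other labels")
        return findings + [f"undisclosed: {t}" for t in sorted(collected)]
    linked = set(labels.get("Data Linked To You", ()))
    not_linked = set(labels.get("Data Not Linked To You", ()))
    tracked = set(labels.get("Data Used To Track You", ()))
    for t in sorted(collected):
        if t in LINKED_TYPES and t in not_linked and t not in linked:
            findings.append(f"wrong label: {t} listed as not linked")
        elif t not in linked | not_linked | tracked:
            findings.append(f"undisclosed: {t}")
    return findings
```

Each finding is only a candidate discrepancy: it still has to be checked by hand against the optional-disclosure criteria before a label is judged inaccurate.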

Additional research by Callum Tennent, David Hughes, Liam Mullally and Luke Williams.

The authors of all our investigations abide by the journalists’ code of conduct.

References

[1] https://www.wired.com/story/apple-app-privacy-labels/

[2] https://developer.apple.com/app-store/app-privacy-details/

[3] https://mitmproxy.org/

[4] https://developer.apple.com/app-store/app-privacy-details/#optional-disclosure

[5] https://clearcode.cc/blog/what-is-data-broker/

[6] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/

[7] https://iapp.org/news/a/are-ip-addresses-personal-information-under-ccpa/