Apple’s Privacy Labels : apps with ‘Misleading or Flat-Out Inaccurate’

[Alex5723]

More Than a Dozen Apps With ‘Misleading or Flat-Out Inaccurate’ Privacy Labels Found on App Store

Last month, Apple introduced privacy labels on the App Store, providing users with a broad overview of the data types an app may collect, and whether the information is used to track them or is linked to their identity or device (example : https://www.askwoody.com/forums/topic/apple-a-day-in-the-life-of-your-data/#post-2338415)

The Washington Post‘s Geoffrey A. Fowler recently did a spot check and discovered “more than a dozen” apps with “either misleading or flat-out inaccurate” privacy labels.
One of these apps was a game called “Satisfying Slime Simulator,” which Fowler said was sending his iPhone’s advertising identifier and other device information to companies like Facebook, Google, and Unity, despite its privacy label indicating “No Data Collected.”

Apple’s big privacy product is built on a shaky foundation: the honor system. In tiny print on the detail page of each app label, Apple says, “This information has not been verified by Apple.”

Apple said it “conducts routine and ongoing audits of the information provided” and works with developers to correct any inaccuracies, adding that “apps that fail to disclose privacy information accurately may have future app updates rejected, or in some cases, be removed from the App Store entirely if they don’t come into compliance.”

3 users thanked author for this post.

DriftyDonN, Nathan Parker, OscarCP

Reply | Quote

[OscarCP]

In case someone here has trouble browsing the Washington Post article quoted by Alex, here is another one from a site that I don’t think is as paywalled as the WaPo:

https://9to5mac.com/guides/app-store/

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

1 user thanked author for this post.

Nathan Parker

Reply | Quote

[Alex5723]

OscarCP wrote:

In case someone here has trouble browsing the Washington Post article quoted by Alex, here is another one from a site that I don’t think is as paywalled as the WaPo:

https://9to5mac.com/guides/app-store/

Link corrected : https://9to5mac.com/2021/01/29/app-store-privacy-labels/

For accessing Paywalled sites I use Chrome (Firefox) extension : https://github.com/iamadamdev/bypass-paywalls-chrome

• This reply was modified 1 month ago by Alex5723.

1 user thanked author for this post.

Nathan Parker

Reply | Quote

[Ascaris]

That’s the kind of thing that kept me away from smartphones for so long.

On Windows, Defender started out as an anti-spyware program. (With the release of Windows 8, it became a full antimalware program.) The message from this is clear: spyware is bad.

On phones, though, there would not be any use in detecting spyware in apps… it’s normal and expected. You’d find it easier to detect the minority of apps that don’t spy on you, and that doesn’t even consider what the OS itself may be collecting. Apple is supposed to be (and best I can tell, actually is) better than Google on this front, but “better” than Google on spying is a low bar.

Many phone users are okay with the normality of data collection on phones. On Android Authority and other Android sites, I’ve seen people not “get” why anyone would want a de-googled Android device. They love the spying; it enables “neat” (for me, it would be “deeply disturbing”) features like the phone issuing an alert mentioning a special deal on Big Macs if you are near a McDonald’s or having it tell you what the traffic will be like on your commute (without you having to ever define what that is explicitly).

These individuals consider privacy a quaint notion and a lost cause, which of course it is if you publish everything you do on social media, a situation they apparently cannot conceive of people not being in. It’s not an all-or-nothing choice, where I either live like a hermit “off the grid” or let it all hang out. I realize that using my credit cards means those purchases are easier to track, and I recognize that a lot of stuff about me is a matter of public record. That doesn’t mean it’s pointless to try to keep Google from assembling a dossier on me that contains enough info to write an unauthorized biography, along with minute by minute location data of where I’ve been any minute of any day.

I don’t use an iDevice, but if I did, I can tell you that I would not consider the above-described situation to be acceptable. It’s not good enough to use the honor system when you’re talking about surveillance capitalism! Honor was out the door the moment selling other people’s personal data became a serious option.

My phone, putatively an Android device, now runs an AOSP derivative called Resurrection Remix. It has no Google account associated, which precludes using the Play store (which is not installed on the device, as that would defeat the purpose of de-Googling) officially. Instead, I use the Aurora store, a Play store alternative that is (for obvious reasons) not available in the Play store itself. It’s available in the F-Droid repository/app, which only allows open source apps. Aurora allows installation of apps from the Play store without a Google account (though you can also sign in with an actual ID if you want). It has a neat feature where it tells you right in the app profile how many trackers any given app has, and which ones they are. If the app’s description says “no tracking,” but Aurora says “Contains 15 trackers,” I know something is amiss.

This is something that would, as far as I know, not be possible on iOS, since everything has to come through the App Store, and only after Apple permits it. If they’re going to take it upon themselves to prevent the kinds of things that make this possible for the safety of iOS users, they need to do better than what was written about above. If it says “no tracking,” I take that as Apple’s promise to me, as the sole curator of all things I may use on my iDevice.

For what it’s worth, apps can send my advertising ID anywhere they wish. It changes each time it is queried, making it useless. With no Google/Apple account and no effective advertising ID, it’s difficult to establish the persistent ID over time that is needed for the data collection to mean anything. That’s the only reason I have the thing… I bought it specifically to de-Google it (intentionally choosing a model with available aftermarket ROMs and an easily unlocked bootloader).

Group "L" (KDE Neon Linux 5.21.2 User Edition)

3 users thanked author for this post.

Mele20, Nathan Parker, Alex5723

Reply | Quote

[OscarCP]

Ascaris: “I bought it specifically to de-Google it (intentionally choosing a model with available aftermarket ROMs and an easily unlocked bootloader).”

Good on you. I wonder how many among the millions who use a smartphone would know how to do this, or even know what it means? Or, if they knew, would dare do it?

From the point of view of the user’s safety, Apple is not being a good curator of the software it distributes. Let us hope that the claims made in the two critical articles linked at the start of this thread and widely repeated by other publications and specialized Web sites, prompt some necessary improvements back at Cupertino.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

1 user thanked author for this post.

Nathan Parker

Reply | Quote

[Ascaris]

OscarCP wrote:

Good on you. I wonder how many among the millions who use a smartphone would know how to do this, or even know what it means? Or, if they knew, would dare do it?

In a word, no, and that’s a shame, because there is a market for such a thing… though not as big as the market for the “full” Android. The popularity of Android phones demonstrates that most people simply do not care about privacy issues, or at least not enough to keep them from using one.

I doubt that Google would contractually allow the OEMs that offer the full Google Android on their products to also offer them with another OS, so if that assumption is correct, the OEMs would have to decide to be all Google or no Google, and they obviously chose all Google.

Not all Android phones are candidates for this sort of thing. Without an unlockable bootloader, which many phones do not have, there needs to be some kind of an exploit to get the thing unlocked unofficially, rather like jailbreaking an iOS device. It would rely on a security flaw, which of course would be patched as soon as the responsible party learned about it.

Even if the device has an unlockable bootloader, that in itself does not mean that there is a ready-to-go aftermarket ROM (operating system) for that model. If the device is Project Treble compatible, you can use a GSI (generic system image) version of AOSP, but I have no experience with that. There may be things that don’t work with these, since they are not tailored to the device in question.

Once you’ve gotten past those two hurdles, there’s the task of installing the recovery mode ROM, and then using that to install the OS ROM. If installing an OS like Linux in place of (or alongside) Windows seems like black magic to some people, doing it on a phone is… I don’t even know of a term that would fit with the analogy. It’s much more daunting than the straightforward task of installing an OS on a PC.

For someone comfortable with computing and use of the command line on a PC (Windows, Mac, Linux), it’s not hard. The method I used requires the use of a PC to send the ‘fastboot’ commands to unlock the bootloader and to boot and install the recovery environment. There are step by step guides (specific to each model of phone) on how to do all of this, which I used, as I was not familiar with ‘fastboot’ or its syntax before attempting all of this.

Installing an aftermarket OS on a phone or tablet carries a risk that doesn’t exist when installing another OS on a PC. There is a risk that the phone could be soft-bricked or even hard-bricked (the latter meaning that short of sending the phone back to its manufacturer or replacing internal parts, there is no way to get the thing working again).

Fortunately, you can buy phones already de-Googled, but they are not (as yet?) available from mass market retailers or your carrier’s local outlet. A man named Rob Braxman has a channel on Youtube where he talks about privacy issues with phones, PCs, and other privacy-related topics (he bills himself as ‘the internet privacy guy’). He has a store that sells de-googled phones, among other things, or you can send him yours (if it is one of the models his company accepts) and they will do it for you. I cannot vouch for his business or how well any of his products work, but his videos do seem to be good as far as information provided.

There are others out there, like the /e/ project, which sells some phones already set up with their own degoogled AOSP variant.

There are also Linux phones, which have similar limitations as Linux PCs (meaning that most of the software is written for another OS), and there’s no currently no compatibility layer akin to Proton or WINE to bridge the gap and allow them to use Android apps.

 

 

Group "L" (KDE Neon Linux 5.21.2 User Edition)

1 user thanked author for this post.

Nathan Parker

Reply | Quote

[OscarCP]

Ascaris: “The popularity of Android phones demonstrates that most people simply do not care about privacy issues, or at least not enough to keep them from using one.”

That is true for many, but I think is not for many others.

How do most people by phones?

Answer: the same way they buy appliances: fridges, stoves, dish-washers, washing machines …

They read about it, asked around, buy the same ones as some in-laws because these say they are  happy with them and like the customer service. Or someone else’s they saw and liked the looks of it.

To many people, a cell phone, smart or not, is an appliance they can carry around and even use outside the house. And, same as a fridge, for example, they do not dream of it doing anything other than what it says right in the name of the thing and is written in its instructions’ manual. The only thing they might ever think of doing with a cell phone, other than using it, is to find a place where to take this appliance to be fixed, preferably a place where having this done there does not break the guarantee. And that is about it. Now and then they might hear about malware and the need to install patches and they do that, if they remember to do it, in the middle of their busy lives, as their own bit of preventive maintenance.

And, the way I see it, that is the actual  problem in many cases and its proper name is: trust. Regardless of whether those people are careful about their privacy or not, or even aware that there might be a problem with keeping their private lives private.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

1 user thanked author for this post.

Nathan Parker

Reply | Quote

[Alex5723]

Ascaris wrote:

It’s not good enough to use the honor system

I am sure Apple will put its foot on these “none honored” apps.
In couple of months Apple will add ‘opt-out/opt-in’ for tracking.

Attachments:

You must be logged in to access attached files.

3 users thanked author for this post.

Bill C., Nathan Parker, Ascaris

Reply | Quote

[Bill C.]

There are 2 very good articles in the January 31, 2021 issue of the Washington Post on this subject. It gives some good setting tips. Unfortunately WaPO is behind a paywall.

https://www.washingtonpost.com/technology/2021/01/29/how-to-read-iphone-privacy-labels/

https://www.washingtonpost.com/technology/2021/01/29/apple-privacy-nutrition-label/

It is one of the reasons I am not an App-happy person. It has to be truly useful, and I am very judicious and check reviews carefully. It brings to mind the quote by former American President Ronald Reagan about agreements with the former Soviet Union, “Trust, but verify.”

I like how the screen capture by Alex5723 says, “ASK the app not to track.” It should be DO NOT allow this app to track.

Reply | Quote

[Alex5723]

Facebook strikes back against Apple privacy change, prompts users to accept tracking to get ‘better ads experience’

Facebook on Monday will begin urging some iPhone and iPad users to let the company track their activity so the social media giant can show them more personalized ads.
The move comes alongside Apple’s planned privacy update to iOS 14, which will inform users about this kind of tracking and ask them if they want to allow it…

These prompts will appear on Apple users’ screens immediately before the Apple pop-up appears.
No matter which selection users make on the Facebook prompt, if they choose not to allow tracking on the Apple pop-up, that choice will be final and Facebook will honor it.

• This reply was modified 1 month ago by Alex5723.

Attachments:

You must be logged in to access attached files.

1 user thanked author for this post.

Nathan Parker

Reply | Quote

[anonymous]

Apple claims to be so interested in privacy these days, that sounds more like a marketing scheme than anything. Facebook is whining about this because they are in fact collecting lot’s of data and tracking us. Probably have just as much on us as Google if you ask me. I don’t use Facebook, haven’t for years. But clearly they are only profitable if they can sell your data online to paying clients. It’s the dirty secret of being offered a free service to users. Somewhere in that business model you have to make money. Apple is hardly a saint when it comes to collecting data on its users. Sorry I don’t buy their small attempt at notifying users when installing apps what information the app collects. Most people click accept and move on. My feeling is that Apple should selling people apps that haven’t been updated in many months or years. Clean house once in awhile and we wouldn’t be concerned about those questionable apps.

1 user thanked author for this post.

Nathan Parker

Reply | Quote

[Alex5723]

anonymous wrote:

Apple claims to be so interested in privacy these days, that sounds more like a marketing scheme than anything.

Apple always put users privacy at the highest spot. This is no PR.

1 user thanked author for this post.

Nathan Parker

Reply | Quote

[Paul T]

Of course it’s PR – taking security seriously is good PR.

cheers, Paul

1 user thanked author for this post.

Nathan Parker

Reply | Quote

[Alex5723]

After more than 2 month of no iOS updates Google has updates YouTube app (15.49.6).

YouTube Privacy Labels :

Data Used to Track You
The following data may be used to track you across apps and websites owned by other companies:

Contact Info
Physical Address
Email Address
Phone Number
Identifiers
User ID
Device ID

Data Linked to You
The following data, which may be collected and linked to your identity, may be used for the following purposes:

Third-Party Advertising

Location
Coarse Location
Contact Info
Physical Address
Email Address
Name
Phone Number
Search History
Search History
Browsing History
Browsing History
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Advertising Data

Developer’s Advertising or Marketing

Purchases
Purchase History
Location
Coarse Location
Contact Info
Physical Address
Email Address
Name
Phone Number
Search History
Search History
Browsing History
Browsing History
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Advertising Data

Analytics

Purchases
Purchase History
Location
Coarse Location
Contact Info
Email Address
User Content
Audio Data
Customer Support
Other User Content
Search History
Search History
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Advertising Data
Other Usage Data
Diagnostics
Crash Data
Performance Data
Other Diagnostic Data
Other Data
Other Data Types

Product Personalization

Purchases
Purchase History
Location
Precise Location
Coarse Location
Contact Info
Email Address
Contacts
Contacts
User Content
Audio Data
Other User Content
Search History
Search History
Browsing History
Browsing History
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Advertising Data
Other Usage Data
Other Data
Other Data Types

App Functionality

Purchases
Purchase History
Location
Precise Location
Coarse Location
Contact Info
Email Address
Name
Phone Number
Contacts
Contacts
User Content
Photos or Videos
Audio Data
Gameplay Content
Customer Support
Other User Content
Search History
Search History
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Advertising Data
Other Usage Data
Diagnostics
Crash Data
Performance Data
Other Diagnostic Data
Other Data
Other Data Types

Other Purposes

Purchases
Purchase History
Location
Coarse Location
Browsing History
Browsing History
Identifiers
User ID

https://apps.apple.com/us/app/youtube-watch-listen-stream/id544007664

Reply | Quote

[Alex5723]

Google has update Gmail with Privacy Labels :

Data Linked to You

The following data, which may be collected and linked to your identity, may be used for the following purposes:

Third-Party Advertising

Location
Coarse Location
Identifiers
User ID
Usage Data
Advertising Data

Analytics

Purchases
Purchase History
Location
Coarse Location
Contact Info
Email Address
User Content
Photos or Videos
Audio Data
Customer Support
Other User Content
Search History
Search History
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Advertising Data
Diagnostics
Crash Data
Performance Data
Other Diagnostic Data
Other Data
Other Data Types

Product Personalization

Contact Info
Email Address
Contacts
Contacts
User Content
Emails or Text Messages
Audio Data
Search History
Search History
Identifiers
User ID
Device ID
Usage Data
Product Interaction

App Functionality

Purchases
Purchase History
Location
Coarse Location
Contact Info
Email Address
Name
Contacts
Contacts
User Content
Emails or Text Messages
Photos or Videos
Audio Data
Customer Support
Other User Content
Search History
Search History
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Diagnostics
Crash Data
Performance Data
Other Diagnostic Data
Other Data
Other Data Types

Compare to Apple Mail Privacy Labels :

Attachments:

You must be logged in to access attached files.

1 user thanked author for this post.

OscarCP

Reply | Quote

[OscarCP]

Well, that is interesting and for me, looking at that long list of items that are vacuumed off my privacy motivates this simple question: Since they collect all that information about me, why are they so bad at targeting my personal preferences? All I can say is: Frankly, Google, you really disappoint me.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

Reply | Quote

[Alex5723]

OscarCP wrote:

why are they so bad at targeting my personal preferences?

I was never targeted by Google and don’t know what it means.
On-the-other-hand I am receiving daily suggestions in mail from Amazon & eBay (I am avid buyer on both platforms).

Reply | Quote

[Alex5723]

Updated Gmail 6.0.210124 Privacy labels :

App Privacy

Data Linked to You
The following data, which may be collected and linked to your identity, may be used for the following purposes:

Third-Party Advertising

Location
Coarse Location
Identifiers
User ID
Usage Data
Advertising Data

Analytics

Purchases
Purchase History
Location
Coarse Location
Contact Info
Email Address
User Content
Photos or Videos
Audio Data
Customer Support
Other User Content
Search History
Search History
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Advertising Data
Diagnostics
Crash Data
Performance Data
Other Diagnostic Data
Other Data
Other Data Types

Product Personalization

Contact Info
Email Address
Contacts
Contacts
User Content
Emails or Text Messages
Audio Data
Search History
Search History
Identifiers
User ID
Device ID
Usage Data
Product Interaction

App Functionality

Purchases
Purchase History
Location
Coarse Location
Contact Info
Email Address
Name
Contacts
Contacts
User Content
Emails or Text Messages
Photos or Videos
Audio Data
Customer Support
Other User Content
Search History
Search History
Identifiers
User ID
Device ID
Usage Data
Product Interaction
Diagnostics
Crash Data
Performance Data
Other Diagnostic Data
Other Data
Other Data Types

Reply | Quote

[Author]

Posts