What we learn from Apple’s new security labels

We all know that apps collect data from us. However, one of the few ways to find out what apps do with our information is to read the privacy policy.

Be realistic: Nobody does it.

Late last year, Apple made a new requirement for all software developers to publish apps through its App Store. Applications must now include so-called security labels, which list the types of data that are being collected in an easily scanned format. Labels are like a nutritional marker on food packaging.

These labels, which started appearing in the App Store in December, are the technology designers’ latest effort to make data security easier to understand for all of us. You may be familiar with previous iterations, like a padlock icon in a web browser. A locked padlock tells us that a website is trustworthy, while an unlocked padlock suggests that a website might be malicious.

The question is whether Apple’s new labels will affect people’s choices. “After they read or view it, does it change the way they use the app or prevent them from downloading the app?” Stephanie Nguyen, a research scientist who has studied user experience design and data privacy, asked.

For testing labels, I have mulled dozens of applications. Then I focused on the privacy labels for the messaging apps WhatsApp and Signal, the music streaming apps Spotify and Apple Music and jokingly was MyQ, the app I use to open the garage door of me from afar.

I learned a lot. The security labels suggest that apps that look functionally identical can differ greatly in how they process our information. I’ve also noticed that a lot of data collection is going on when you least expect it, including the internal products that you pay for.

But while labels usually light up, they sometimes create more confusion.

How to read the Apple Privacy Label

To find new labels, iPhone and iPad users with the latest operating systems (iOS and iPadOS 14.3) can open the App Store and search for apps. Inside the app’s description, look for “App Privacy”. That’s where a box comes in with a label.

Apple has divided privacy labels into three categories so we can get a full picture of the types of information an app collects. They are:

• Data is used to track you. This information is used to track your activities across apps and websites. For example, your email address can help determine that you’re also someone using another app for which you entered the same email address.

• Data associated with you: This information is tied to your identity, such as your purchase history or contact information. Using this data, a music app can know that your account has purchased a certain song.

• Data is not linked to you: This information is not directly related to you or your account. For example, a mapping application can collect data from motion sensors to provide people with turn-by-turn directions. It does not save that information in your account.

Now let’s see what these labels reveal about specific applications.

WhatsApp vs. Signal

On the surface, WhatsApp, owned by Facebook, appears to be almost identical to Signal. Both offer encrypted messaging, which will scramble your messages so only the recipient can decrypt them. Both also rely on your phone number to create an account and receive messages.

But their privacy label immediately reveals how different they are. Below left is the security label for WhatsApp. On the right is the one for Signal:

The labels immediately made it clear that WhatsApp exploits more of our data than Signal. When I asked companies about this, Signal said they were trying to get less information.

For group chats, the WhatsApp privacy label shows that the app has access to the user’s content, including the group chat name and group profile photo. Signal, which doesn’t do this, says it has designed a sophisticated group chat system to encrypt the content of a chat, including chat participants and their avatars.

For everyone’s contacts, WhatsApp’s privacy label shows that the app can access our contact list; Signals no. With WhatsApp, you have the option of uploading your address book to your company’s servers so that you can help you find your friends and family who are also using the app. But on Signal, the contact list is saved on your phone and the company can’t tap it.

Moxie Marlinspike, founder of Signal, said: “In some cases, it’s harder not to collect data. “We’ve gone the extra mile to design and build technology that doesn’t have access.”

A WhatsApp spokesperson mentioned the company’s website to explain its privacy label. The website says WhatsApp may have access to user content to prevent abuse and to ban people who may have violated the law.

When you least expect it

I then scrutinized the privacy label for a seemingly harmless app: MyQ from Chamberlain, a company that sells garage door openers. The MyQ app works with a $ 40 hub that connects to a Wi-Fi router so you can open and close your garage door remotely.

This is what the label says about the data the app has collected. Warning: It’s long.

Why does a product I paid to open a garage door track my name, email address, device identifier and usage data?

The answer: for advertising.

Elizabeth Lindemulder, who oversees connected devices for Chamberlain Group, said the company collects the data to target people with web advertisements. Chamberlain also has partnerships with other companies, such as Amazon, and data is shared with partners when people choose to use their services.

In this case, the brand was so successful that I stopped and thought: Wow. Maybe I’ll switch back to the remote in my old garage, which doesn’t have an internet connection.

Spotify vs. Apple Music

Finally, I compared the privacy labels for two music streaming apps: Spotify and Apple Music. Unfortunately, this experiment has brought me down a bewildered hole.

Just look at the label. Below left is the one for Spotify. On the right is the one for Apple Music.

These labels look different from the others featured in this article because they’re just previews – Spotify’s labels are too long for us to show them all. And when I delve into the labels, both contain terms that are so confusing or misleading that I can’t immediately connect the dots about what our data is used for.

A jargon in Spotify’s label is that it collects people’s “raw locations” for advertising. What does it mean?

Spotify says this applies to people with free accounts that have received ads. The app gets device information to get an approximate location so it can play ads related to those users’ location. But most people cannot understand this when reading the label.

The Apple Music privacy label suggests that it associates data with you for advertising purposes – even if the app isn’t showing or playing ads. Only on the Apple website did I find out that Apple Music considers what you listen to so it can provide information about upcoming releases and new artists that are relevant to your interests.

The privacy labels are especially confusing when it comes to Apple’s own apps. That’s because while some Apple apps appear in the App Store with privacy labels, others don’t.

Apple says only some of its apps – like FaceTime, Mail, and Apple Maps – can be deleted and re-downloaded in the App Store, so they can be found there with a security label. But its Phone and Messages app cannot be removed from the device and therefore doesn’t have a privacy label in the App Store. Instead, the privacy labels for those apps are in supporting documents that are hard to find.

As a result, the data practices of Apple apps get less upfront. If Apple wants to lead the conversation on privacy, it could make a better example by making the language clearer – and its labeling program less self-serving. When I asked why all the apps shouldn’t be kept by the same standards, Apple didn’t address the issue further.

Nguyen, a researcher, said a lot must happen for privacy labels to succeed. In addition to changing behavior, she said, companies must be honest in their data collection descriptions. Most importantly, everyone must be able to understand the information.

She said: “I can’t imagine my mom stopping to look at a label and say, ‘Let me look at data that is associated with me and data that is not related to me. “What does that even mean?”