The Washington PostDemocracy Dies in Darkness

I checked Apple’s new privacy ‘nutrition labels.’ Many were false.

Apple’s plan to make iPhone apps be transparent about the data they take falls short of being helpful — or even accurate

(Cathryn Virginia for The Washington Post)

You can trust Apple … right?

You go to your iPhone’s App Store to download a game. Under a new “App Privacy” label added last month, there’s a blue check mark, signaling that the app won’t share a lick of your data. It says: “Data not collected.”

Not necessarily. I downloaded a de-stressing app called the Satisfying Slime Simulator that gets the App Store’s highest-level label for privacy. It turned out to be the wrong kind of slimy, covertly sending information — including a way to track my iPhone — to Facebook, Google and other companies. Behind the scenes, apps can be data vampires, probing our phones to help target ads or sell information about us to data firms and even governments.

As I write this column, Apple still has an inaccurate label for Satisfying Slime. And it’s not the only deception. When I spot-checked what a couple dozen apps claim about privacy in the App Store, I found more than a dozen that were either misleading or flat-out inaccurate. They included the popular game Match 3D, social network Rumble and even the PBS Kids Video app. (Say it ain’t so, Elmo!) Match and Rumble have now both changed their labels, and PBS changed some of how its app communicates with Google.

Despite new privacy promises from Apple, tech columnist Geoffrey Fowler discovered many apps still probing phones to target ads or sell information. (Video: Jonathan Baran/The Washington Post)

Apple only lets you access iPhone apps through its own App Store, which it says keeps everything safe. It appeared to bolster that idea when it announced in 2020 that it would ask app makers to fill out what are essentially privacy nutrition labels. Just like packaged food has to disclose how much sugar it contains, apps would have to disclose in clear terms how they gobble your data. The labels appear in boxes toward the bottom of app listings. (Click here for my guide on how to read privacy nutrition labels.)

But after I studied the labels, the App Store is now a product I trust less to protect us. In some ways, Apple uses a narrow definition of privacy that benefits Apple — which has its own profit motivations — more than it benefits us.

Help Desk: Ask our tech columnist a question

Apple’s big privacy product is built on a shaky foundation: the honor system. In tiny print on the detail page of each app label, Apple says, “This information has not been verified by Apple.”

The first time I read that, I did a double take. Apple, which says caring for our privacy is a “core responsibility,” surely knows devil-may-care data harvesters can’t be counted on to act honorably. Apple, which made an estimated $64 billion off its App Store last year, shares in the responsibility for what it publishes.

It’s true that just by asking apps to highlight data practices, Apple goes beyond Google’s rival Play Store for Android phones. It has also promised to soon make apps seek permission to track us, which Facebook has called an abuse of Apple’s monopoly over the App Store.

In an email, Apple spokeswoman Katie Clark-AlSadder said: “Apple conducts routine and ongoing audits of the information provided and we work with developers to correct any inaccuracies. Apps that fail to disclose privacy information accurately may have future app updates rejected, or in some cases, be removed from the App Store entirely if they don’t come into compliance.”

My spot checks suggest Apple isn’t being very effective.

And even when they are filled out correctly, what are Apple’s privacy labels allowing apps to get away with not telling us?

Trust but verify

A tip from a tech-savvy Washington Post reader helped me realize something smelled fishy. He was using a journaling app that claimed not to collect any data but, using some technical tools, he spotted it talking an awful lot to Google.

To test if privacy labels were hiding the truth, I repeated part of an experiment I ran on my own iPhone in 2019. Software made by surveillance-fighting firm Disconnect called Privacy Pro forces your phone’s data to go through a local virtual private network that logs and blocks connections to trackers.

It has become extremely common for app makers to embed code called software development kits (SDKs) in apps that sends your data to other companies. Privacy Pro catches some of this activity.

Facebook will now show you exactly how it stalks you — even when you’re not using Facebook

The clearest test for me — and, presumably Apple — was to probe the apps with labels promising the highest level of privacy: “Data not collected.” These are the apps that get a blue check mark and shouldn’t be sending data to anyone other than themselves.

Using a search engine, I found apps claiming they’re completely clean. After testing them with Privacy Pro, I asked Patrick Jackson, Disconnect’s chief technology officer and a former National Security Agency researcher, to run a deeper analysis on some of the suspect apps.

One thing we looked for is evidence of apps sending my phone’s unique ID, known as its Apple IDFA. That’s the keys to the kingdom for companies that want to track you — nearly as important as your name or Social Security number — allowing them to connect up data they get from one app with lots of other sources.

A few highlights — or, should I say, lowlights — of apps claiming they took no data at all:

  • The Satisfying Slime Simulator, rated for ages 4 and higher, was sharing a way to identify my iPhone and other device properties with Facebook, Google and a service called GameAnalytics. And it was sending Unity, a software provider for game makers, not only my phone’s ID but also my battery level, free storage space, general location and even volume level. I never heard back from the app’s maker.
  • The social network Rumble was also sending Facebook and Google an ID that could be used to track my phone, along with other data about how I used the app. Rumble didn’t respond to my emails but changed its privacy label in mid-January to disclose that it collects a lot more data.
  • Travel app Maps.Me was sending my ID and other data to Google and Facebook, but also app-analytics company Flurry and Russian Internet company The app’s director, Andreas Constantinides, said his company purchased the app from last year and was in the process of updating its practices and its labels.
  • Other apps we spotted erroneously claiming to take no data include FunDo Pro — which has not since changed its label — and PlayerXTreme, Instdown and Whats Direct Chat and Web, all of which have changed their labels.

These four-Pinocchio falsehoods were only the beginning of the story. Then I started spot-checking apps that claimed they collected some limited data, but weren’t using it to track you.

In my house, we play a lot of the popular game Match 3D, which challenges the brain to find pairs of things on a crowded page. Its label claimed that it only took “data not linked to you.” But we found it sending an ID for my phone that could be used to track me to more than a dozen different companies. The app’s maker didn’t respond to me, but did change its label after I got in touch, to acknowledge collecting “data used to track you.”

To be clear, I don’t know exactly how widespread the falsehoods are on Apple’s privacy labels. My sample wasn’t necessarily representative: There are about 2 million apps, and some big companies, like Google, have yet to even post labels. (They’re only required to do so with new updates.) About 1 in 3 of the apps I checked that claimed they took no data appeared to be inaccurate. “Apple is the only one in a position to do this on all the apps,” says Jackson.

But if a journalist and a talented geek could find so many problems just by kicking over a few stones, why isn’t Apple?

Even after I sent it a list of dubious apps, Apple wouldn’t answer my specific questions, including: How many bad apps has it caught? If being inaccurate means you get the boot, why are some of the ones I flagged still available?

Who gets to define ‘privacy’?

Putting aside the deception, there’s another question: Are Apple’s labels even helpful?

For anyone who takes the time to comparison shop, privacy labels can reveal differences in how apps take our information. In general, apps that collect less data are better for consumers than the ones that take more. The detailed App Store privacy label for Facebook stretches for 14 screens, leaving a clear impression we’re getting a digital shakedown.

But there’s a tremendous amount of power — and billions of dollars to be made — in allowing companies to define for themselves what counts as “privacy.” Apple’s definitions may not make common sense to many people.

You can spot the squishiness of the labels in a back-and-forth I had with PBS about the app store listing for its popular PBS Kids Video app. We found the app sending my phone’s ID to Google, even though its label said it didn’t collect data that could be linked to me. PBS told me the label reflected an update to the app it eventually published on Jan. 28, in which Google no longer gets sent my ID but still helps PBS measure performance.

Even with its update, the label is still missing an important piece of information: There’s Google inside.

Nowhere on any of Apple’s privacy labels, in fact, do we learn with whom apps are sharing our data. Imagine if nutrition facts labels left off the whole section about ingredients.

Irony alert, there’s a tech giant that is more transparent: Facebook. With a setting called “off-Facebook activity” that it launched in 2020, you can actually see all the different apps and websites that are feeding your data to Facebook and ask the social network to stop using the data to target you with ads.

Apple’s definition of privacy is curiously narrow in other ways, too. For example, the privacy labels appear to consider “tracking” to be limited to targeted advertising, ad measurement and data brokers. “It leaves the door open to a lot of behaviors that meet any reasonable definition of tracking,” Disconnect’s CEO Casey Oppenheim told me, including sharing data with governments.

Cutting off the ability of Facebook and Google to track us could benefit Apple, which similarly collects data about you and has a growing business of its own selling ads in the App Store.

I’m under no illusion that making privacy clear is an easy problem to solve. Apple’s labels are, by its own description, a work in progress. Just adding more information to app stores won’t really help most people. In fact, overwhelming us with choices and work is one way these companies get away with saying they give us “control” while still sucking up our data.

We need help to fend off the surveillance economy. Apple’s App Store isn’t doing enough, but we also have no alternative. Apple insists on having a monopoly in running app stores for iPhones and iPads. In testimony to Congress about antitrust concerns last summer, Apple CEO Tim Cook argued that Apple alone can protect our security.

Other industries that make products that could harm consumers don’t necessarily get to write the rules for themselves. The Food and Drug Administration sets the standards for nutrition labels. We can debate whether it’s good at enforcement, but at least when everyone has to work with the same labels, consumers can get smart about reading them — and companies face the penalty of law if they don’t tell the truth.

Apple’s privacy labels are not only an unsatisfying product. They should also send a message to lawmakers weighing whether the tech industry can be trusted to protect our privacy on its own.

The secret life of your data: What you need to know

For all the good we get from technology, it can also take a lot from us. The Post’s tech columnist Geoffrey A. Fowler examines the personal information streaming out of devices and services we take for granted.

Amazon Sidewalk: Amazon Sidewalk shares your Internet with smart homes — and surveillance devices. Here’s how to turn it off.

Alexa: By default, Amazon keeps a copy of everything Echo smart speakers record.

Browser extensions: Add-ons and plug-ins can see and share everything you do on the Web.

Cars: Automakers use hundreds of sensors and an always-on Internet connection to record where you go and how you drive.

Credit cards: A half-dozen kinds of companies can grab data about purchases, from your bank to the store where you’re shopping.

Don’t sell my data: The California Consumer Privacy Act (CCPA) can help even residents of other states see and delete their data — and tell companies to stop selling it.

iPhones and Android phones: Hidden trackers in apps share personal information — even while you and your phone are asleep.

TVs: Once every few minutes, smart TVs beam out a snapshot of what’s on your screen.

Web browsers: Google’s Chrome loaded more than 11,000 tracker cookies into our browser — in a single week.

Have a question about data privacy? Ask The Post.