It is not entirely clear how effective these warnings will be, but the attempt itself is promising.
The idea of privacy labels that warn about privacy violations is not new. In the early 2010s, academic researchers had already developed prototypes of privacy labels for mobile apps. Even earlier, countries such as Finland, Singapore, and the United Kingdom began to promote labels dedicated to the security of IoT devices. But Apple appears to be the first tech giant to use and promote this tactic on a truly grand scale.
“Apple’s approach looks promising, but it’s not clear how much user testing has been done for this,” says Lorrie Cranor, director of CyLab’s CyLab Privacy and Security Lab at Carnegie Mellon. “As the scenario evolves with real applications and real users, it will be interesting to see what works and what doesn’t – whether the developers understand how to provide information correctly, whether they are really telling the truth, and whether users understand what this means – all these questions remain open.”
The label has three categories: Data Used for Tracking, Data Associated with You, and Data Not Associated with You, with checkboxes for each detailing what the app has under the hood. The label can indicate that the app wants to collect your location, financial information, or contacts, and link it to a valid account or to identifiers such as your device ID.
The privacy label can go further and let you know that the app is sharing your data with third parties, such as companies that will track you through their websites and services.
Many applications have already sent information about how they work and will receive their Privacy Label any day now, but the labels will become ubiquitous only after a while. Providing privacy information is required when a developer submits a new app or update to Apple for review, and many apps have infrequent update cycles. However, Apple says some developers added the information anyway, perhaps to avoid hiding anything.
But in today’s realities, it is difficult to find an application that neither tracks nor identifies users. Since providing data for the labels is now mandatory in the iOS and macOS app stores, it is up to the developer to provide factual information and update it over time.
“You are responsible for the accuracy and timeliness of your responses,” Apple’s developer guide says.
App stores such as Google Play and the App Store have been constantly cracking down over the years on malicious apps that fail their audit and verification processes. Given how regularly this happens, it appears that misleading privacy statements will occasionally surface as well, at least until researchers or concerned users discover and point out inconsistencies.
Pardis Emami-Naeini, a privacy researcher at the University of Washington who worked with Cranor and others to develop security labels for the Internet of Things, notes that false information is not the only obstacle. Some developers may not fully understand the requirements for providing information, or may not have a comprehensive understanding of how their application collects and manages data. This may seem like it should be obvious, but in fact, developers often build what they are told to without being given direction that specifically addresses the flow of information.
For example, applications often include pre-existing open source code that may contain tracking or data collection mechanisms that the developers are not fully aware of. Apple’s privacy disclosure process can be a good opportunity for developers to make sure they actually understand what’s going on inside their software. But it’s just as easy to imagine that some developers will not be interested and will miss important details.
There are also certain types of data collection that are “optionally disclosed” because the data is not used for tracking purposes or is rarely collected. The category is meant to make things easier, as there are benign situations where an application collects, say, a one-time location ping, but doesn’t pass it anywhere, and gives users a clear opt-out option. The problem, however, is that the “optional disclosure” category seems like fertile ground for loopholes and workarounds.
“If you meet all the criteria, you don’t have to disclose certain information that you collect, which doesn’t sound like a good idea,” says Emami-Naeini. “Application developers just need to say: ‘We meet these parameters.’”
As with food additive data, many users simply ignore the labels or check only the one criterion they care about. But for people who actually study and use the labels, the information needs to paint an accurate picture to be useful.
According to Wired.