Apple’s App Privacy Labels — I have Questions
Apple’s privacy labels are a great start in letting consumers know what is happening with their data, but in my opinion, it is not clear enough in terms of how this data collection happens.
I came across a great piece from Greg Morris on Apple’s privacy labels this morning, and it got the gears in my brain spinning. Since Google recently updated the YouTube app with the Apple required privacy rundown, I decided to examine it in greater detail.
First up is the “Data Used to Track You”. Upon initial examination there is nothing that really alarms me or that I don’t quite get.
As shown above, Physical Address, Email and Phone Number, as well as User ID (my Google account) and Device ID (my iPhone’s advertising identifier) make sense. Aside from the device identifier, my best guess is that this is information Google already has about me based on the fact that I’m signed into the app with my Google account.
Next, I examined the “Data Linked to You” in terms of “Third-Party Advertising”.
Location makes sense, although I do not recall giving Google explicit access to that data through the YouTube app. In fact, I don’t actually ever recall a prompt to allow this. Sure enough, a quick check in my iPhone’s location settings (Settings — > Privacy — > Location Services) shows that YouTube is not on the list for allowing location services. I wonder how they are getting my location? I would suspect that they are getting it from data points like my IP address, but that is just speculation. Curious to know more, I clicked the App Store provided link that says “Learn how the developer lets you manage your privacy choices”. This link basically says what Google is using some of this data for, but specific to Location, it does not specifically say how this data is collected. I don’t care if Google has my location for third-party advertising, but I would like to know how they are getting it.
The “Contact Info” data is all pretty self explanatory and things that Google already has based on my Google account.
“Search History” is also self explanatory. Apple defines this as “information about searches performed in the app”. What I search for within the app itself, Google will know. In fact they give explicit settings to control this in the YouTube app itself. Ok, cool, cool.
Then we get to “Browsing History”. This is where things also get a bit confusing. First, I don’t care if Google has my browsing history. If I did I would not use Chrome on my laptop. Although I do use Chrome with the uBlock Origin extension to block third party ads and tracking, as third party ads that follow one around the internet are annoying. On my iPhone, I prefer Safari, and the intelligent tracking prevention built into WebKit should prevent this.
Apple defines “Browsing history” as follows:
This is somewhat confusing. In the YouTube app, one can click on links to outside web pages. For example, clicking the “Patreon” link shown below will take me to the Gears and Gasoline Patreon page. (By the way, if you like cars, these guys and this channel are awesome.)
However, clicking that link will open actual Mobile Safari (since I have Safari set as my default browser) as opposed to an in-app browser. So in this particular case, because I clicked that particular link in the YouTube app, Google knows I did that and where that link points. Fair enough. Is that it? If so, okay. Unfortunately the “Learn how the developer lets you manage your privacy choices” does not explicitly show how they are collecting this data, or if they are trying to collect it beyond that.
Now, if I were to change the “default apps” setting in YouTube to Safari or Chrome from “Default browser app”, clicking that Patreon link from the Gears and Gasoline About page would open up a WebKit instance in the YouTube app itself. I would assume that at that point, YouTube would have finer grained tracking, but again, it does not appear that any technical info on how this works can be found.
I continued going through the other categories in the YouTube privacy label, and it was more of the same, just for different purposes. I’m assuming, however, that it is just the same data collection points used for different things. For example, Browsing history is not only used for third-party advertising purposes, it is also used for “Developer’s Advertising or Marketing”, “Product Personalization”, and “Other Purposes”.
In closing, I think that Apple requiring privacy labels for all apps in the App Store is a great thing. However, I would like it if there were more technical details specific to how the data is being collected, not just that it is being collected.