You’ve figured out how to read the nutrition labels on packaged food. But what’s the equivalent of too much fat or sugar when it comes to the health of your apps?
In December 2020, Apple added nutrition labels for privacy to product page listings in its iPhone and iPad App Store. Located in boxes near the bottom of app listings, the labels are an alternative to those long privacy policies that nobody reads.
It matters, because data harvested from your phone can be used not just by annoying advertisers, but also by politicians to manipulate you and governments to track you.
While they’re a step forward, Apple’s labels are neither complete nor particularly simple. When I conducted a spot check, I found some of the self-reported labels weren’t necessarily even always telling the truth.
But if you take the time to read the labels, you might make some surprising discoveries.
What are you looking for? In short, apps grabbing more of your data than they need to get the job done. Try pitting apps with similar functions against each other. You can see, for example, that the Zoom video chat says it takes six kinds of data linked to your identity, while rival Cisco Webex Meetings says it collects no data beyond what’s required for the app to run.
Apple itself doesn’t offer much help to decode its privacy labels, aside from long pages of definitions.
Below, I’ve laid out the basics — and some red flags that deserve attention when you’re glancing at labels.
Apple’s labels are built around categories — three ways of using data — followed by a list of the types of data being used for each. You can tap in to each category for a bit more detail.
Data Used to Track You: For most people, this section contains the most to worry about.
It means an app is collecting information like your email address that it uses for the purposes of connecting the dots about who you are. Companies could be tying together what you do in different apps and websites — and even what you buy in physical stores.
By Apple’s definition, “tracking” covers targeting ads, measuring the effectiveness of ads or contributing to a data broker who’s likely keeping a file on you.
Data Linked to You: This section shows you the ways apps are collecting and possibly sharing data that they can tie back to you.
It’s a broad category. On the detail page, the types of data are grouped by purposes such as showing you ads from outside companies (“Third-Party Advertising”) or studying how you use an app (“Analytics”).
Data Not Linked to You: This is data that doesn’t count as “personal information.” To use this category, an app should be going out of its way to make sure any of the types of data you see here can’t be tied back to you, such as by stripping away your name or ID.
Data Not Collected: This is the all-clear — Apple even awards it a blue check mark. Any app that shows this label shouldn’t be sending data to anyone other than itself, and for the purposes of running the app.
Red flag 1: A really long label
The more data an app says it takes, the more likely it’s up to something you might not like. The detailed privacy listing for Facebook goes on for 14 screens, a pretty good sign it’s in the business of selling you.
If you don’t feel comfortable with how much data you see on a label, try searching for an alternative app that takes less. We’ll win as consumers when apps have to start competing on taking less data.
This is just a rule of thumb. Some apps might disclose they’re using a lot of data because they’re using it to do something good, like stop fraud. An app could be trying to track you to check the effectiveness of its own ads, rather than selling you out to others.
At the same time, beware: apps with really short listings or even “data not collected” could just be inaccurate, because Apple doesn’t vet the information before it publishes.
Red flag 2: Apps taking your “identifiers”
As you scan labels, look for the word “identifiers.” These could include what’s known as your Device ID.
It’s obvious that your name, email or social security number are useful information for anyone trying to track you. But your Device ID is the hidden MVP of tracking. It’s a unique code to identify your phone, provided to apps by Apple, that makes it possible to connect the dots on data gathered from different apps.
Good news: there is something you can do to stop apps from taking your Device ID. On a device with iOS or iPadOS 14, go to Settings, then Privacy, then Tracking. Toggle to “off” the setting called “allow apps to request to track.” This sets your Device ID to a bunch of zeros. Apps still might find other ways to track you, but they’ll lose access to the easiest one.
Red flag 3: Apps taking your location
Knowing your location could not only let someone stalk you, but it also reveals an awful lot about how you spend your time.
Apps already have to explicitly ask your permission to track your location. But the privacy labels can give us a few more clues about what all they’re doing with the information. It’s possible apps could be using your location for multiple purposes — both to make an app work correctly and to target ads or covertly sell the information.
My personal rule on location: Whenever apps ask to take it, I just say no. That includes Instagram and Facebook. You can always change your privacy settings later if it turns out an app you really need can’t function without it.
And keep this in mind ...
There’s some important information you won’t find anywhere on Apple’s privacy labels.
For one, you can’t figure out with whom apps are sharing your data. These days, it’s extremely common for apps to contain hidden code from outside companies that passes along your data. That means today’s privacy labels are a bit like nutrition labels without the “ingredients” section. Some people might have allergies to certain ingredients; I have an allergy to certain data-gobbling tech companies, including Facebook and Google.
Nowhere, either, does the App Store tell you if an app has either changed its label or changed its privacy practices since you first purchased the app. You have to go check again whether that app that used to claim it didn’t share any of your data might now be a data vampire.