We all know that apps collect our data. Yet, one of the few ways to discover what an app does with our information involves reading a privacy policy.
Let’s be honest: Nobody does that.
So late last year, Apple introduced a new requirement for all software developers that publish apps through its App Store. Apps must now include so-called privacy labels, which list the types of data collected in an easily scannable format. The labels resemble a nutrition markers on food packaging. These labels, which began appearing in the App Store in December, are the latest attempt by tech designers to make data security and digital privacy, which are linked, more accessible for all of us to understand. You might be familiar with earlier iterations, like the padlock symbol in a web browser. A locked padlock tells us that a website is more secure, while an unlocked one suggests a website can be more susceptible to attack.
The question is whether Apple’s new labels will influence people’s choices. “After they read it or look at it, does it change how they use it or stop them from downloading it?” asked Stephanie Nguyen, a research scientist who has studied user experience design and data privacy. To put the labels to the test, I pored over dozens of apps. Then I focused on the privacy labels for WhatsApp and Signal, the streaming music apps Spotify and Apple Music, and, for fun, MyQ, the app I use to open my garage door remotely. I learned plenty. The privacy labels showed that apps that appear identical in function could vastly differ in handling our information. I also found that lots of data gathering happen when you least expect it, including inside products you pay for. But while the labels were often illuminating, they sometimes created more confusion.
How to Read Apple’s Privacy Labels
IPhone and iPad users with the latest operating system (iOS and iPadOS 14.3) can open the App Store and search for an app to find the new labels. Inside the app’s description, look for “App Privacy.” That’s where a box appears with the brand. Apple has divided the privacy label into three categories to get a complete picture of the kinds of information that an app collects. They are: Data is used to tracking you. This information is used to follow your activities across apps and websites.
For example, your email address can help identify that you were also using another app where you entered the same email address. Data linked to you: This information is tied to your identities, such as your purchase history or contact information. Using this data, a music app can see that your account bought a particular song. Data not linked to you: This information is not directly tied to you or your account. For instance, a mapping app might collect data from motion sensors to provide turn-by-turn directions for everyone; it doesn’t save that information in your account. Now let’s see what these labels reveal about specific apps.
WhatsApp vs. Signal
On the surface, WhatsApp, which Facebook owns, appears nearly identical to Signal. Both offer encrypted messaging, which scrambles your messages so only the recipient can decipher them. Both also rely on your phone number to create an account and receive notifications. But their privacy labels immediately reveal how different they are under the hood. The first one below is for WhatsApp. The next one is for Signal: The titles immediately clarified that WhatsApp taps far more of our data than Signal. When I asked the companies about this, Signal said it tried to take less information.
The WhatsApp privacy label showed that the app could access user content, including group chat names and group profile photos for group chats. Signal, which does not do this, said it had designed a complex group chat system that encrypts the contents of a conversation, including the people participating in the chat and their avatars. The WhatsApp privacy label showed that the app could access our contacts list; Signal does not. With WhatsApp, you hcanupload your address book to the company’s servers stohelp you find your friends and family who are also using the app. But on Signal, the contacts list is stored on your phone, and the company cannot tap it. “In some instances, it’s more difficult not to collect data,” Moxie Marlinspike, the founder of Signal, said. “We have gone to greater lengths to design and build technology that doesn’t have access.”
