Keeping Privacy Labels Honest: Developer conformity to self declared data collection via Apple Privacy Labels
2022Conference / Journal
Authors
Martin Johns Madita Olvermann Benjamin Altpeter Malte Wessels Simon Koch
Research Hub
Research Hub C: Sichere Systeme
Research Challenges
RC 8: Security with Untrusted Components
Abstract
At the end of 2020, Apple introduced privacy nutritional labels, requiring app developers to state what data is collected by their apps and for what purpose. In this paper, we take an in-depth look at the privacy labels and how they relate to actual transmitted data. First, we give an exploratory statistically evaluation of 11074 distinct apps across 22 categories and their corresponding privacy label or lack thereof. Our dataset shows that only some apps provide privacy labels, and a small number self-declare that they do not collect any data. Additionally, our statistical methods showcase the differences of the privacy labels across application categories.
We then select a subset of 1687 apps across 22 categories from the German App Store to conduct a no-touch traffic collection study. We analyse the traffic against a set of 18 honey-data points and a list of known advertisement and tracking domains. At least 276 of these apps violate their privacy label by transmitting data without declaration, showing that the privacy labels’ correctness was not validated during the app approval process. In addition, we evaluate the apps’ adherence to the GDPR in respect of providing a privacy consent form, through collected screenshots, and identify numerous potential violations of the directive.