Some iOS app developers appear to be posting misleading App Privacy Labels in the App Store
Last month, Apple debuted its app privacy labels. Whenever an iOS app developer updates an app, the update must include the app privacy label when it is listed in Apple's iOS app storefront. This label, found underneath the option in the App Store to download and install an app, shows the type of data that the app collects which can be linked to an iOS user's identity.
For example, we randomly selected a news app in the App Store called Brief Monthly and its privacy label showed that it collects user data related to purchases, Contact Information, the ID of the Device being used, and any data collected when the app crashes. It also collects Usage Data, but this information cannot be linked to the user.
There is a major issue when it comes to the App Privacy Labels and, as the Washington Post points out, it has to do with Apple's reliance on the honor system. On the label, it clearly states that "this information has not been verified by Apple." Apple spokeswoman Katie Clark-AlSadder sent an email to the Post in which she wrote, "Apple conducts routine and ongoing audits of the information provided and we work with developers to correct any inaccuracies. Apps that fail to disclose privacy information accurately may have future app updates rejected, or in some cases, be removed from the App Store entirely if they don’t come into compliance."
But a spot check conducted by the newspaper took a deeper look at those iOS apps with a blue check mark on their Privacy Labels. These apps claim that they don't collect any user data at all. The Post used a search engine to find these blue-checked iOS apps and employed software called Privacy Pro that can log and block connections to trackers. After using the software to check out these apps, further analysis on them was conducted by Patrick Jackson, the chief technology officer of the developer that offers Privacy Pro. Jackson was at one time a researcher with the National Security Agency.
This analysis turned up several iOS apps that were sharing information that could identify a user's iPhone with Facebook, Google, and Game analytics. These apps were also sending Unity, a company that provides game makers with software, information including the ID of the iPhone being used, the battery level of the phone, the remaining amount of free storage available, the general location of the phone, and the volume level. Some of the infringing apps included:
- Satisfying Slime Simulator
- FunDo Pro
In some cases, the label of the app was eventually changed to reflect what the Post discovered, but in most cases there were no changes made. For example, a game called "Match 3D," played by the family of the Washington Post reporter, claimed to only collect data not linked to the user. But it turned out that the app was sending an ID number for the reporter's iPhone to more than a dozen companies. While the Post never got a response from the developer, the Privacy Label was changed to reflect that the app collects "data used to track you."
The Post's analysis leads it to conclude that one-third of the apps that claim not to be collecting data from users were actually doing so. And when the newspaper sent Apple a list of apps that seemed to be lying on their Privacy Labels, Apple failed to respond.
Apple also narrows the definition of tracking to "targeted advertising, ad measurement and data brokers." According to Disconnect CEO Casey Oppenheim, Apple's definition "leaves the door open to a lot of behaviors that meet any reasonable definition of tracking."