Privacy labels fail: Many ‚tracking-free‘ apps in iOS secretly track users

Apple forces developers give clear privacy information to app users. But according to new research, four out of five tested apps that claim to not collect data from users actually do.

Apple's colourful apps
iPhone apps have had to carry clear labels for a year now, but the labels often do not even match reality. Released under a public-domain-like licence via unsplash.com, Rami Al-zayat

It reads like a fairly simple statement: „Data not collected“. Apple introduced such clear privacy labels for apps on its mobile operating system iOS over a year ago. They are supposed to show whether and which data the app passes on to its operators or third parties.

A sizeable portion of apps claim not to collect any data from users. But many of these labels are clearly false, as a technical analysis shared exclusively with netzpolitik.org has shown. Computer scientist Konrad Kollnig from Oxford University examined 1,682 randomly selected apps from Apple’s App Store. 373 of the apps tested (22.2 percent) claim not to collect personal data. However, four out of five, 299 apps in total, contacted known tracking domains immediately after the first app launch and without gaining user consent. (Data to be published soon, more details on the method here.)

One prominent app from Kollnig’s dataset is „RT News“ by the Russian state broadcaster. The app claims not to collect any data. To verify the accuracy of that claim, Kollnig loaded it onto a test device and navigated to a few random articles. In total, the RT app sent data to 19 domains. Not to Russia, but to tracking services of the tech giants Facebook and Google, the market research company ComScore and the advertising company Taboola.

Such data collection should be specified in the data protection label, says Kollnig, because it could contain sensitive information, including what news users have viewed in the app. „Unfortunately, it’s often unclear what data is really being collected and what happens to that data.“ He says that particular caution should be exercised with apps that have access to the GPS location. As research by the New York Times has shown, such location data often ends up in the hands of data companies that offer it for sale – a clear case of abuse.

Kollnig, a PhD student at Oxford University’s Department of Computer Science, and his colleagues have been studying just how much tracking is happening through apps. Most recently, they published an analysis of nearly two million Android apps in the Internet Policy Review. They found that little has changed since the EU’s General Data Protection Regulation took effect in May 2018. According to their findings, around 90 percent of the apps in Google’s Play Store may share tracking data with third parties.

Konrad Kollnig
Konrad Kollnig - All rights reserved K.K.

For his analysis of iOS apps, Kollnig randomly selected apps that have been in Apple’s app store since January 2020 and have subsequently added a privacy label. He loaded the apps automatically on an iPhone 8 running on iOS 15.2, where each app was opened. No other interaction took place; crucially, no consent to tracking was given. Kollnig examined the data flowing from the phone through a so-called man-in-the-middle proxy. He also installed some apps manually for extra testing.
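The comparison step behind this method, written out as an added example that is not Kollnig's tooling or data: take the hostnames each app contacted on first launch (as an intercepting proxy would record them), match them against a list of known tracking domains, and flag every app whose label claims "Data not collected". The proxy log, the app identifiers, the tracker list (all under the reserved .example TLD) and the function names are constructed for illustration; a real analysis would substitute a published tracker blocklist and the proxy's own export format.

```python
"""Added example: flag apps whose App Store privacy label says "Data not
collected" but which contact known tracking domains on first launch.

Everything here is constructed for illustration: the log lines, the app
identifiers, the tracker list (all .example domains) and the helper names
are assumptions, not Kollnig's tooling or data.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed: domains treated as "known trackers". A real study would use a
# published blocklist; these are placeholders under the reserved .example TLD.
TRACKER_DOMAINS = {
    "ads.tracker-a.example",
    "metrics.tracker-b.example",
    "analytics.example.net",
}

# Constructed: the label each app declares, as shown in the App Store.
APP_LABELS = {
    "com.example.news": "Data not collected",
    "com.example.puzzle": "Data not collected",
    "com.example.weather": "Data linked to you",
    "com.example.notes": "Data not collected",
}

# Constructed log in a simplified flow format "timestamp app_id method url",
# as one might export from an intercepting proxy after launching each app once
# with no further interaction and no consent given.
PROXY_LOG = """\
2022-01-20T10:00:01 com.example.news GET https://cdn.example.org/feed.json
2022-01-20T10:00:02 com.example.news POST https://ads.tracker-a.example/collect?idfv=ABC
2022-01-20T10:00:02 com.example.news GET https://eu.metrics.tracker-b.example/v1/events
2022-01-20T10:01:10 com.example.puzzle GET https://api.example.org/levels
2022-01-20T10:01:11 com.example.puzzle POST https://analytics.example.net/batch
2022-01-20T10:02:00 com.example.weather GET https://ads.tracker-a.example/pixel
2022-01-20T10:03:00 com.example.notes GET https://sync.example.org/ping
"""


def parse_proxy_log(text: str) -> dict[str, set[str]]:
    """Return {app_id: set of hostnames contacted}, skipping malformed lines."""
    contacts: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate blank or truncated lines in the export
        _ts, app_id, _method, url = parts
        host = urlsplit(url).hostname
        if host:
            contacts[app_id].add(host.lower())
    return dict(contacts)


def is_tracker(host: str, trackers: set[str] = TRACKER_DOMAINS) -> bool:
    """Match the host or any parent domain (eu.metrics.x matches metrics.x)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in trackers for i in range(len(labels)))


def find_mislabelled(labels: dict[str, str],
                     contacts: dict[str, set[str]]) -> dict[str, list[str]]:
    """Apps declaring "Data not collected" that still reached a tracker."""
    flagged = {}
    for app_id, label in labels.items():
        if label != "Data not collected":
            continue  # only the "tracking-free" claim is checked here
        hits = sorted(h for h in contacts.get(app_id, ()) if is_tracker(h))
        if hits:
            flagged[app_id] = hits
    return flagged


def share_mislabelled(labels: dict[str, str],
                      contacts: dict[str, set[str]]) -> float:
    """Fraction of "Data not collected" apps that contacted a tracker."""
    claimed = [a for a, lbl in labels.items() if lbl == "Data not collected"]
    if not claimed:
        return 0.0
    return len(find_mislabelled(labels, contacts)) / len(claimed)


if __name__ == "__main__":
    contacts = parse_proxy_log(PROXY_LOG)
    for app_id, hosts in find_mislabelled(APP_LABELS, contacts).items():
        print(f"{app_id}: label says 'Data not collected' but contacted {hosts}")
    print(f"share of mislabelled apps: {share_mislabelled(APP_LABELS, contacts):.0%}")
```

The suffix match in `is_tracker` matters in practice: tracking SDKs frequently talk to regional or versioned subdomains, so an exact-host comparison would undercount. The check is deliberately narrow in the other direction: it only tests the "Data not collected" claim, mirroring the study's framing, and says nothing about whether a contacted tracker actually received identifiers.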

Privacy labels get bad reviews

In principle, Apple sets higher standards than other companies when it comes to data protection and privacy. The tech giant has used its privacy bona fides for marketing purposes, including speeches by CEO Tim Cook at major European data protection conferences.

In December 2020, Apple introduced privacy labels „to help you understand how apps handle your data“. They faced criticism from the start. In January 2021, Washington Post columnist Geoffrey A. Fowler found more than a dozen false claims in privacy labels, including in a video app for children and a popular game. Fowler noted that the small print of the labels states that Apple does not always check the privacy information, but instead relies on occasional audits.

A year later, the situation is essentially the same. Kollnig found numerous popular apps in his analysis that collect more data than claimed. For example, the puzzle app of a large gaming company sends an ID number of users to numerous tracking services, contrary to its label. Tracking even happens within apps by government agencies. Kollnig found that the app of the Met Office, the UK’s national weather service, sends sensitive information such as GPS data to Google and Amazon and also – without any indication in the label – collects a user ID.

Apple declined to comment directly on Kollnig’s analysis. Contacted by netzpolitik.org, the tech giant only said that the information in the labels came from the developers, and that Apple focusses ongoing reviews on the most popular apps.

According to Kollnig, there is a practical reason why so much data from popular apps ends up with third parties. Tracking services are usually integrated into apps via so-called libraries. Libraries are subroutines that perform certain tasks in an app. Their use makes work easier for programmers, but means less control over the finished app. Many libraries come from companies like Google, and the tracking code is hidden in them. „App operators often have no way of verifying the program code of these libraries, because the tracking companies usually do not make their code public,“ says Kollnig.

Tracking offers app providers a way to make money through personalized advertising. „The need of app operators to earn money is understandable,“ says Kollnig. But the business comes at the expense of the users, who hardly know anything about the collected data. According to Kollnig, Big Tech companies deliberately make it difficult for app operators to use privacy-friendly alternatives. He thinks that in order for this to change, EU countries must start enforcing their privacy laws more vigorously.

Correction on Friday, January 21, 2022: The story initially misstated that one out of five apps, 299 in total, contacted known tracking domains immediately after the first app launch. We corrected that figure to four out of five.


2 Comments

  1. Does this really surprise anyone? No.
    And: does this interest more than three people? No.
    Let's throw in the study that tested how apps behave when you say no to tracking (ATT). Over 80% ignore it and track exactly as if you had said yes.
    Now one could report this to the state data protection authorities. But nothing happens there either. You are on your own.
    Www-kuketz-blog.de
    http://Www.untertauchen.info
    Etc.
    I am glad that I gave away my iPhone and use GrapheneOS.
