Privacy labels fail: Many ‚tracking-free‘ apps in iOS secretly track users

It reads like a fairly simple statement: „Data not collected“. Apple introduced such clear privacy labels for apps on its mobile operating system iOS over a year ago. They are supposed to show whether and which data the app passes on to its operators or third parties.

A sizeable portion of apps claim not to collect any data from users. But many of these labels are clearly false, as a technical analysis shared exclusively with netzpolitik.org has shown. Computer scientist Konrad Kollnig from Oxford University examined 1,682 randomly selected apps from Apple’s App Store. 373 of the apps tested (22.2 percent) claim not to collect personal data. However, four out of five, 299 apps in total, contacted known tracking domains immediately after the first app launch and without gaining user consent. (Data to be published soon, more details on the method here.)

One prominent app from Kollnig’s dataset is „RT News“ by the Russian state broadcaster. The app claims not to collect any data. To verify the accuracy of that claim, Kollnig loaded it onto a test device and navigated to a few random articles. In total, the RT app sent data to 19 domains. Not to Russia, but to tracking services of the tech giants Facebook and Google, the market research company ComScore and the advertising company Taboola.

Such data collection should be specified in the data protection label, says Kollnig, because it could contain sensitive information, including what news users have viewed in the app. „Unfortunately, it’s often unclear what data is really being collected and what happens to that data.“ He says that particular caution should be exercised with apps that have access to the GPS location. As research by the New York Times has shown, such location data often ends up in the hands of data companies that offer it for sale – a clear case of abuse.

Kollnig, a PhD student at Oxford University’s Department of Computer Science, and his colleagues have been studying just how much tracking is happening through apps. Most recently, they published an analysis of nearly two million Android apps in the Internet Policy Review. They found that little has changed since the EU’s General Data Protection Regulation took effect in May 2018. According to their findings, around 90 percent of the apps in Google’s Play Store may share tracking data with third parties.

For his analysis of iOS apps, Kollnig randomly selected apps that have been in Apple’s app store since January 2020 and have subsequently added a privacy label. He loaded the apps automatically on an iPhone 8 running on iOS 15.2, where each app was opened. No other interaction took place; crucially, no consent to tracking was given. Kollnig examined the data flowing from the phone through a so-called man-in-the-middle proxy. He also installed some apps manually for extra testing.

Privacy labels get bad reviews

In principle, Apple sets higher standards than other companies when it comes to data protection and privacy. The tech giant has used its privacy bona fides for marketing purposes, including speeches by CEO Tim Cook at major European data protection conferences.

In December 2020, Apple introduced privacy labels „to help you understand how apps handle your data“. They faced criticism from the start. In January 2021, Washington Post columnist Geoffrey A. Fowler found more than a dozen false claims in privacy labels, including in a video app for children and a popular game. Fowler noted that the small print of the labels states that Apple does not always check the privacy information, but instead relies on occasional audits.

A year later, the situation is essentially the same. Kollnig found numerous popular apps in his analysis that collect more data than claimed. For example, the puzzle app of a large gaming company sends an ID number of users to numerous tracking services, contrary to its label. Tracking even happens within apps by government agencies. Kollnig found that the app of the Met Office, the UK’s national weather service, sends sensitive information such as GPS data to Google and Amazon and also – without any indication in the label – collects a user ID.

Apple declined to comment directly on Kollnig’s analysis. Contacted by netzpolitik.org, the tech giant only said that the information in the labels came from the developers, and that Apple focusses ongoing reviews on the most popular apps.

According to Kollnig, there is a practical reason why so much data from popular apps ends up with third parties. Tracking services are usually integrated into apps via so-called libraries. Libraries are subroutines that perform certain tasks in an app. Their use makes work easier for programmers, but means less control over the finished app. Many libraries come from companies like Google, and the tracking code is hidden in them. „App operators often have no way of verifying the program code of these libraries, because the tracking companies usually do not make their code public,“ says Kollnig.

Tracking offers app providers a way to make money through personalized advertising. „The need of app operators to earn money is understandable,“ says Kollnig. But the business comes at the expense of the users, who hardly know anything about the collected data. According to Kollnig, Big Tech companies deliberately make it difficult for app operators to use privacy-friendly alternatives. His thinks that in order for this to change, EU countries must start enforcing their privacy laws more vigorously.

Correction on Friday, January 21, 2022: The story initially misstated that one out of five apps, 299 in total, contacted known tracking domains immediately after the first app launch. We corrected that figure to four out of five.