Dark Reading is part of the Informa Tech Division of Informa PLC

8/13/2020
10:00 AM
With iOS's Privacy Nutrition Label, Apple Upstages Regulators

New iOS privacy features require developers to disclose what data they're collecting, how they're using it, and with whom they share it.

In 2012, the National Telecommunications and Information Administration (NTIA) convened a series of meetings that were intended to develop a legally enforceable code of conduct to provide transparency in how companies providing applications and interactive services for mobile devices handle personal information. This multistakeholder process sought input from companies, researchers, advocates, trade groups, and the like.

One of the initial proposals for a code of conduct came from a group of Carnegie Mellon researchers at the CyLab Usable Privacy and Security Lab and a security researcher at Microsoft, who had released a paper in 2009 promoting the idea of a "privacy nutrition label" as a de facto standard to be used by all app developers.

The process ended in the spring of 2013 with a group of think tanks, trade organizations, advocates, and companies signing on to the finalized code of conduct. But in the long run, this went nowhere. A voluntary code of conduct that app developers were meant to adopt as a means of providing transparency through short-form notices in their mobile apps was barely touched by the app developer community.

Almost seven years later, Apple has achieved what we could not: a privacy nutrition label. At its 2020 WWDC last month, the company announced new iOS privacy features requiring app developers on its platform to disclose in clear language what data they are collecting, how they're using the data, and with whom they are sharing it — basically, any data that is linked to a user and is being used for ad tracking. And the apps must get users' opt-in consent. This is akin to a nutrition label that will help consumers make informed decisions about whether they want to download an app.

With one software update, Apple has been able to force 1.85 million apps to reveal their privacy practices in a standardized iconographic form. This is testament to the power of the tech giant, which has about 1.5 billion devices in the market. In other words, Apple is setting the mobile privacy standard, not a governmental body or multistakeholder voluntary process.

Apple's new iOS privacy features are already drawing industry ire. More than a dozen digital ad groups in Europe, including ones backed by Google and Facebook, have complained that app providers who want to track users across apps will now have to get consent from consumers twice, increasing the likelihood that users will opt out. The European Union's General Data Protection Regulation (GDPR) already requires them to get user permission to collect data for marketing purposes. And now Apple will be forcing apps to get consent for ad targeting instead of allowing it by default.

Apple's use of the word "tracking" could be seen as a direct assault on advertising providers. Consumers will first have to opt in to ad tracking and they'll know exactly what data is being used and how. When an app tries to access the device's unique identification number for advertisers, a message will pop up that says the app "would like permission to track you across apps and websites owned by other companies."
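The consent gate described above is exposed to developers through Apple's AppTrackingTransparency framework in iOS 14. The Swift helper below is an added illustration, not code from the article or from Apple; the function name `advertisingIdentifierIfAuthorized` is an assumption of this example. It assumes the app has set the `NSUserTrackingUsageDescription` key in its Info.plist (that string is the developer-supplied purpose text shown beneath Apple's own "would like permission to track you" prompt). The point for a reviewer is that the identifier for advertisers is only meaningful after explicit consent; when consent is denied, the system hands back an all-zero identifier, so the app should treat it as unavailable rather than store it.

```swift
import AppTrackingTransparency
import AdSupport

// Added example (hypothetical helper, not from the article): returns the
// advertising identifier (IDFA) only when the user has granted tracking
// consent via the iOS 14 AppTrackingTransparency prompt.
// Requires NSUserTrackingUsageDescription in Info.plist; without it the
// prompt is never shown and the status stays .notDetermined.
func advertisingIdentifierIfAuthorized(completion: @escaping (UUID?) -> Void) {
    // Shows the system prompt the first time; on later calls iOS returns the
    // stored decision immediately and does not ask the user again.
    ATTrackingManager.requestTrackingAuthorization { status in
        switch status {
        case .authorized:
            // Consent granted: the IDFA is real and may be used for ad attribution.
            completion(ASIdentifierManager.shared().advertisingIdentifier)
        case .denied, .restricted, .notDetermined:
            // No consent: iOS returns 00000000-0000-0000-0000-000000000000 here,
            // so report "unavailable" instead of persisting a useless value.
            completion(nil)
        @unknown default:
            // Future status values are treated as "no consent" by default.
            completion(nil)
        }
    }
}

// Typical call site, e.g. from a view controller once the UI is visible:
// advertisingIdentifierIfAuthorized { idfa in
//     if let idfa = idfa { /* pass to attribution SDK */ } else { /* run without tracking */ }
// }
```

Because the decision is cached by the OS, an app cannot re-prompt a user who has declined; the only way to re-enable tracking is for the user to change it in Settings. That is the "opt-in by default" shift the ad industry is objecting to.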

The company also has made it much harder for advertisers to target users based on location. Now, apps will only be able to detect a user's location within 10 square miles instead of a more granular, precise location based on GPS. Location-based tracking is typically used to help marketers understand user behaviors so they can more effectively target them with location-based ads. While people may have resigned themselves to targeting based on website visits, they are increasingly concerned about being tracked by their whereabouts. Only one-third of US smartphone users said in a recent survey that they were comfortable sharing location information for marketing purposes.

Keep in mind that developers will have to self-report their data practices for the new nutrition label. Self-reporting privacy certification programs already have a questionable reputation, most recently underscored by Europe's invalidation of the US government-run "Privacy Shield" program. Plus, mobile apps already have a history of poor privacy practices and misleading users. For these nutrition labels to be effective, then, Apple must be clear about how it will verify and enforce that the information developers provide is accurate, complete, and up to date. Given that its App Store is already carefully vetted for security issues, this shouldn't be too arduous for Apple to handle.

This move by Apple to plant a stake in the ground on behalf of privacy may have far-reaching consequences. As scholar and author Woodrow Hartzog argues in Privacy's Blueprint: The Battle to Control the Design of New Technologies: "Design is power. Design is political. People do not use technologies for whatever tasks or goals they wish to accomplish. Instead, technologies shape how people use them. Technologies shape users' behavior, choice, even attitudes." The iOS changes may raise privacy awareness among consumers who previously didn't think about the information their apps were collecting about them. They will also force advertisers to adopt new business models that aren't totally reliant on knowing user behavior.

In addition, this could set a strong example for other tech providers and could make privacy the new normal. Some of the same researchers from Carnegie Mellon University who proposed the mobile app nutrition label over a decade ago recently proposed a standardized privacy and security label for Internet of Things devices. Apple's user interface and design decisions have been known to lead to sea changes throughout the tech hardware and software industry. When it comes to privacy, hopefully this change won't be an exception.

Heather Federman is the VP of Privacy & Policy at BigID, where she manages and leads initiatives related to privacy evangelism, product innovation, internal compliance and industry collaboration. Prior to BigID, Heather was the Director of Privacy & Data Risk at Macy's Inc., ...