Keeping Privacy Labels Honest

Authors: Simon Koch (Technische Universität Braunschweig, Institute for Application Security), Malte Wessels (Technische Universität Braunschweig, Institute for Application Security), Benjamin Altpeter (Datenanfragen.de e. V.), Madita Olvermann (Technische Universität Braunschweig, Industrial/Organizational and Social Psychology), Martin Johns (Technische Universität Braunschweig, Institute for Application Security)

Volume: 2022
Issue: 4
Pages: 486–506
DOI: https://doi.org/10.56553/popets-2022-0119

artifact

Download PDF

Abstract: At the end of 2020, Apple introduced privacy nutritional labels, requiring app developers to state what data is collected by their apps and for what purpose. In this paper, we take an in-depth look at the privacy labels and how they relate to actual transmitted data. First, we give an exploratory statistically evaluation of 11074 distinct apps across 22 categories and their corresponding privacy label or lack thereof. Our dataset shows that only some apps provide privacy labels, and a small number self-declare that they do not collect any data. Additionally, our statistical methods showcase the differences of the privacy labels across application categories. We then select a subset of 1687 apps across 22 categories from the German App Store to conduct a no-touch traffic collection study. We analyse the traffic against a set of 18 honey-data points and a list of known advertisement and tracking domains. At least 276 of these apps violate their privacy label by transmitting data without declaration, showing that the privacy labels’ correctness was not validated during the app approval process. In addition, we evaluate the apps’ adherence to the GDPR in respect of providing a privacy consent form, through collected screenshots, and identify numerous potential violations of the directive.

Keywords: Smartphones, iOS, Apple, GDPR, Privacy, Privacy Labels

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.