Monday, February 22, 2021

Google vs. iOS App Privacy Labels

Eric Slivka (tweet):

Google today finally updated its YouTube iOS app for the first time in over two months, becoming one of the highest-profile Google apps to see an update since early December when Apple began requiring that developers disclose privacy practices for each of their apps in order to have their updates approved.

[…]

Google has denied that it is holding back iOS app updates in order to delay revealing its privacy practices, but many users have found that hard to believe considering the sudden slowing of app updates coinciding with Apple’s disclosure deadline and continued updates for Google’s various Android apps.

Earlier this week, the Gmail iOS app even began displaying “out of date” warnings when trying to add a new account, even though there is no new version of the app available and there have been no updates to the Gmail iOS app since December 1.

John Gruber:

A few hours later and it seems like Google has pushed a server-side change to suppress these warnings. But the apps themselves were not updated, and Google still hasn’t supplied privacy nutrition labels.

My utterly uninformed theory is that Google somehow didn’t understand the magnitude of what these iOS privacy changes entailed. It’s not just about a single device identifier used for targeted advertising.

Ryan Jones:

Google’s first privacy label. Let’s look at their strategy:

“We collect a shit ton of private data, but we link it to an Identifier and then only use that identifier to track you.”

Deviously brilliant.

[…]

Forces Apple’s hand brilliantly… you want to take down YouTube, when no one in the press has even noticed?

[…]

The real question:

How did Apple App Review approve this!?

Clearly it skirts the rules, which were written overly-generic to stop this exact strategy.

Ryan Jones:

I’ve annotated the exact rule.

Read the highlighted sentences. It’s expertly written by Apple to capture exactly what Google is attempting.

[…]

Intent matters, not execution. If you use an ID for the purpose of tracking 100 other things… you are “tracking 100 other things.”

[…]

I hope that helps clarify Google’s (and Facebook’s) privacy labels are most definitely breaking these rules.

Curtis Herbert:

I don’t think you get how privacy labels work.

They don’t have to say “track” for stuff used inside Google (which their ad network is). They only have to disclose track for stuff shared outside Google Inc.

They can build up a huge profile for someone and let third parties target that with ads, all while keeping the data internal (aka not “track”).

The key here is what Google shares, not what they ingest from third parties. They can grab all kinds of data from other companies, that doesn’t count for tracking (for Google, it counts for the other companies). It only counts if they share it.

Ryan Jones:

Here, read the highlighted parts as a sentence. Notice, sharing is not needed.

[…]

They don’t have to send it to anyone! If any data in the pool of data they use is from anywhere that’s not theirs - it’s tracking.

This is confusing, but I think Jones’ interpretation—that Google’s privacy nutrition label is breaking the rules—better matches the rules as written. (It’s possible but unlikely that Google has somehow segregated the data from the YouTube app so that it’s not linked with data obtained from SDKs in third-party apps or from Web sites running AdWords or Google Analytics.)

See also: this thread between Joe Cieplinski and me.

Update (2021-03-15): Juli Clover (tweet, The Verge):

Google today quietly added App Privacy labels to its Gmail app, marking the first of its major apps to receive the privacy details aside from YouTube.

Ryan Jones:

Gmail added the privacy nutrition label…and said ZERO data is “used to track you”.

LOL okay. Embarrassing for Apple.

Update (2021-03-23): Juli Clover (Hacker News):

There was speculation that Google’s delay meant that it had something to hide, which DuckDuckGo is leaning into with a new tweet that highlights Google’s data collection and calls out the company for “spying” on users.

Google recently added App Privacy labels to its Google Search app, spelling out the extent of information that’s collected. For third-party advertising purposes, Google collects data that includes location, search history, and browsing history. Google’s own marketing data includes all of the above information along with contact info and device identifiers, plus there’s even more data collected for analytics, app functionality, and product personalization.

Update (2021-06-07): Ole Begemann:

Google Photos on iOS doesn’t launch unless you give it full access to all your photos, circumventing the selective photo library access privacy option. Perhaps not surprising from Google, but incredibly user-hostile nonetheless.
