Monday, February 22, 2021 [Tweets] [Favorites]

Google vs. iOS App Privacy Labels

Eric Slivka (tweet):

Google today finally updated its YouTube iOS app for the first time in over two months, becoming one of the highest-profile Google apps to see an update since early December when Apple began requiring that developers disclose privacy practices for each of their apps in order to have their updates approved.

[…]

Google has denied that it is holding back iOS app updates in order to delay revealing its privacy practices, but many users have found that hard to believe considering the sudden slowing of app updates coinciding with Apple’s disclosure deadline and continued updates for Google’s various Android apps.

Earlier this week, the Gmail iOS app even began displaying “out of date” warnings when trying to add a new account, even though there is no new version of the app available and there have been no updates to the Gmail iOS app since December 1.

John Gruber:

A few hours and seems like Google has pushed a server-side change to suppress these warnings. But the apps themselves were not updated, and Google still hasn’t supplied privacy nutrition labels.

My utterly uninformed theory is that Google somehow didn’t understand the magnitude of what these iOS privacy changes entailed. It’s not just about a single device identifier used for targeted advertising.

Ryan Jones:

Google’s first privacy label. Let’s look at their strategy:

“We collect a shit ton of private data, but we link it to an Identifier and then only use that identifier to track you.”

Deviously brilliant.

[…]

Forces Apple’s hand brilliantly… you want to take down YouTube, when no one press has even noticed?

[…]

The real question:

How did Apple App Review approve this!?

Clearly it skirts the rules, which were written overly-generic to stop this exact strategy.

Ryan Jones:

I’ve annotated the exact rule.

Read the highlighted sentences. It’s expertly written by Apple to capture exactly what Google is attempted.

[…]

Intent matters, not execution. If you use an ID for the purpose of tracking 100 other things… you are “tracking 100 other things.”

[…]

I hope that helps clarify Google’s (and Facebook’s) privacy labels are most definitely breaking these rules.

Curtis Herbert:

I don’t think you get how privacy labels work.

They don’t have to say “track” for stuff used inside Google (which their ad network is). They only have to disclose track for stuff shared outside Google Inc.

They can build up a huge profile for someone and let third parties target that with ads, all while keeping the data internal (aka not “track”).

The key here is what Google shares, not what they ingest from third parties. They can grab all kinds of data from other companies, that doesn’t count for tracking (for Google, it counts for the other companies). It only counts if they share it.

Ryan Jones:

Here, read the highlighted parts as a sentence. Notice, sharing is not needed.

[…]

They don’t have to send it to anyone! If any data in the pool of data they use is from anywhere that’s not theirs - it’s tracking.

This is confusing, but I think Jones’ interpretation—that Google’s privacy nutrition label is breaking the rules—better matches the rules as written. (It’s possible but unlikely that Google has somehow segregated the data from the YouTube app so that it’s not linked with data obtained from SDKs in third-party apps or from Web sites running AdWords or Google Analytics.)

See also: this thread between Joe Cieplinski and me.

Previously:

Comments

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment