Starting on December 8, Apple will require all third-party developers to detail their app’s privacy information, according to an Apple post.
Though developers can already share those details through the company’s App Store Connect website, this new policy is a must for any new apps or updates they submit to Apple. With the new policy, developers will have to identify all of the data they or their third-party partners collect, unless the data meets all of the criteria for optional disclosure listed. By collect, Apple refers to any data that is transmitted off the device in a way that allows developers or their third-party partners to access it for a period longer than what is necessary to service the transmitted request in real time. Third-part partners refers to all analytic tools, advertising networks, third-party SDKs, or other external vendors whose code developers have added to their app.
Apple said that developers will be responsible for keeping responses accurate and up to date. If practices change, developers will have to update responses in the App Store Connect. If the data isn’t provided, the app won’t be allowed into the official iOS App Store or Mac App Store, Apple said.
According to Apple, data types that meet all of the following criteria will be optional to disclose:
- The data is not used for tracking purposes, meaning the data is not linked with Third-Party Data for advertising or advertising measurement purposes, or shared with a data broker. For details, see the Tracking section.
- The data is not used for Third-Party Advertising, Advertising or Marketing purposes, or for Other Purposes, as those terms are defined in the Tracking section.
- Collection of the data occurs only in infrequent cases that are not part of the app’s primary functionality, and which are optional for the user.
- The data is provided by the user in the app’s interface, it is clear to the user what data is collected, the user’s name or account name is prominently displayed in the submission form alongside the other data elements being submitted, and the user affirmatively chooses to provide the data for collection each time.
If a data type collected by the app meets some, but not all, of the above criteria, it still must be disclosed in App Store Connect. Examples of data that may not need to be disclosed include data collected in optional feedback forms or customer service requests that are unrelated to the primary purpose of the app and meet the other criteria above. This information will be turned into “privacy labels” for apps, where users will see how their data is being handled. The labels will show up on apps’ pages in the App Stores.
Security experts note that this new update (iOS 14) puts additional focus on user privacy, and in particular gives users better visibility into their personal information that is shared with third parties.
Chris Hazelton, Director of Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, explains that previously, iOS users only had the choice between sharing all their information when using apps, or declining to share and not having access to apps. And now Apple has created a new format in the App Store for users to more easily identify how they share personal information with developers and third parties.
"The privacy changes in iOS 14 are part of an unstoppable trend to increase the protection of user privacy. This trend will not stop with tracking for advertisers. Developers that update their apps after December 8, won’t have their apps approved unless they include this information. macOS 10.15 Catalina kicked everyone out of the kernel, a privilege that endpoint security providers had since the beginning of desktop operating systems. With this move security vendors are now also limited in accessing user and system information, and must operate like any other app. Fighting this trend is like fight the ocean tides; you can't. You have to adapt to the trend and innovate or die. Mobile security providers innovated when they couldn't have kernel access and I am sure advertisers will find a way to innovate as well," adds Hazelton.
Hazelton says this requirement to disclose third-party data collection, and whether it’s used for tracking will make it easier for users to understand how mobile apps collect personal data. "This format will clearly disclose personal data used to track users across other apps and websites. It will also disclose how data, like financial information, will be linked to other accounts, devices, or identities," he says. "Like nutrition labels in real life, the goal is to create a common, easily understandable format for users to see how personal data is collected and used by developers and partners. It will make it easier for users to question whether free services from developers are worth the cost of sharing sensitive personal information.”
At first glance, it is a welcome development and an important step on Apple's behalf towards making both the consumer and developer aware of privacy rights and obligations, says Emma Bickerstaffe, Senior Research Analyst at the Information Security Forum, a London-based authority on cyber, information security and risk management. "However, there are questions around how this self-assessment model will be implemented, and whether the consumer will have the inclination to read it when installing an app. Just as consumers now automatically accept cookies and agree to privacy policies, they may also ignore privacy labels in their rush to download an app."
Bickerstaffe adds that in terms of transparency, it is likely that the big players who have more at stake in terms of their reputation and brand image, will be more accurate and vigilant in meeting this requirement than independent developers. "As a self-assessment model with no in-built verification to enforce transparency, its long-term impact remains up for debate," she notes. "Perhaps we are seeing the very start of DevSecOps transforming into DevSecPrivOps – just as developers have become more aware of and now integrate security requirements into development, this step by Apple will mean they will also have to come to terms with privacy requirements, an extra bow to their ever-growing skillset. A potential stumbling block is that the emphasis may turn to privacy rather than security, which should remain at the forefront of application development.”
Joseph Carson, chief security scientist and Advisory CISO at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions notes this is an important move by Apple to provide more visibility and transparency to what apps are doing on iOS devices, allowing the user to decide what is ok and what is not ok. For too long, developers have gotten away with hiding mass data collections of users personal data and Apple is now making it visible. I believe it will be great if we can simplify it with a grading system, along with clear risk labels, as you would get on typical consumer products that are bad for your health."
"The thing with Apple’s App Store is that it is the Apple way or the highway. This continues the recent improvements on feature such as the label on when iOS camera or microphone is being used," Carson says. "The only challenge and concern I see is that while time is the most valuable asset, we have way more than data and oil. Companies, like Apple, want you to spend more time and money using their products, however, I hope it is more time being productive, rather than just wasted.”
Commenting on the news, Hilary Wandall, TrustArc's SVP, Privacy Intelligence and General Counsel, says: "Apple's new app privacy requirements are a significant milestone in the long-running debate between consumable privacy transparency and legal privacy notices. While multi-stakeholder attempts for more than a decade at layered privacy notices, privacy notice icons, privacy nutrition labels and other forms of privacy notice templates have failed to gain broad traction, Apple's requirements should serve as the tipping point for making privacy nutrition labels mainstream. This simplified, standardized, visual approach to transparency about the data sharing that is hardest to understand, is an excellent example of how market-driven approaches to addressing privacy can drive better practices across an entire ecosystem and serve as an example for regulators and legislators as they try to tackle how best to address privacy concerns and rights via laws, regulations, and enforcement actions.
"These new requirements also raise the bar for app developers to know their data, data practices, and data sharing in order to update their apps or launch new ones starting December 8th. While apps have been complying with the requirement to post a privacy notice for years now, few organizations are experienced in developing and maintaining the data inventories and data flows that are needed to comply with Apple's requirements. This new business driver for app developers is bound to drive a growing interest in the privacy automation necessary to comply."
Doug Dooley, COO from Data Theorem, has concerns: “We are hearing from developers this will be tough on a lot of businesses. There is a significant new burden added to security and developer (DevSecOps) teams for every new application launch/update going through Apple’s App Store and Mac Store. The necessary level of tracking of an application is not there for most companies. Most application publishers are not even aware of how many different third-party SDKs and open source libraries they use on a per application basis. Each of those third-party code snippets is often connected to backend API services sharing data. We have capabilities added to our platform, such as the “Data Leak Dashboard,” to make it easier to automate the discovery and inspection of third-party SDK/OS libraries so application (Mobile, Web, API) data privacy practices are easier to monitor and fully disclose. However, for the vast majority of the industry, this level of data privacy tracking will be a big hurdle to overcome. If we can pull together and get this sorted out, consumers of apps will be the biggest winners without hurting app publishers for improper disclosure of privacy.”