Private Internet Access has taken a preliminary look at the upcoming iOS privacy labels that were announced last June by Apple and are expected to land “soonish,” certainly in iOS 14. Some app developers voiced concern, while others celebrated the arrival of a much-needed feature. Let’s take this chance to look at the label comparison done by PIA, what those labels would tell users, and what potential misunderstandings may arise from the new system.
For the VPN space, we see the following sample of labels, which aim to inform the user about what data is collected by the products, which of that data can be used for tracking, what is linked to the user’s identity, and what is not linked but still collected for other purposes.
According to the above, Apple defines tracking as the process that involves data collection linked with third parties, potentially for targeted advertising purposes or for direct profit from selling that data to brokers. Examples of that would include device identifiers, usage data, diagnostics, etc.
The data is split into two categories, one linked to the user and one not linked to the user. Interestingly, one type of data may be present in either category, depending on the specific requirements. For example, PIA needs contact info upon user registration. However, on the label, it is placed under the “not linked to you” category because the platform doesn’t require ID verification and doesn’t make correlations with other sensitive and potentially identity-revealing information.
Apple treats all anonymized data as “not linked to the user” even if it concerns the user’s location, content, purchases made, etc. These would normally be considered sensitive data, but there’s some trust placed in the anonymization systems, and this is the main point of concern. Is Apple going to evaluate those systems, or is it going to accept whatever assurances are provided by the developer?
Details like this make the value of these labels ambiguous, although it is too early to evaluate them right now, so we wouldn’t want to jump to conclusions just from PIA’s preliminary look. If we were to suggest a single-glance approach, that would be to pick products with the least populated labels and with a total absence of the user tracking category.
But even then, the evaluation would be unfair and false. For example, not all identifiers are equally persistent or “nosey,” so this does not compare “apples to apples.” Thus, to make an informed decision, the user will have to access a lot more information than what the privacy label conveys, but at least one has a basis to start with. From that perspective, the labels are welcome.