We Checked 250 iPhone Apps—This Is How They’re Tracking You

When millions of iPhones update to iOS 14.5 in the issue forth weeks, it will become much more obvious that many of the most coarse apps—including weather trackers, dating apps, and games—are advertising-data tools ampere a lot as they are anything else. When you open apps for the first time after Apple ’ s latest arrangement update, you ’ ll get a pop fly ask to “ track your activity, ” and your approval will give permission for developers to link information about you to an advertise profile that can track you across apps ( and across the web ). On the App Store, Apple ’ sulfur recently introduced “ privacy nutrition label ” helps detail what information each app seeks to collect, memory, and contribution, but the implications aren ’ deoxythymidine monophosphate always clear. We decided to see what we could learn about data tracking on iPhones and iPads by reading 250 App Store labels, including those for some of the most popular apps. 1 We found that most of them do indeed collect and share a draw about you, and that some of the longtime worst offenders seaport ’ t changed their demeanor equitable because there ’ s a system pop fly or store label these days .

Understanding Apple’s three privacy categories

The three categories of Apple's new privacy labels: Head into the Apple App Store, and below the reviews you ’ ll find an App Privacy section consist of three categories :

  • Data Used to Track You (or your device) and shared across different apps, ad networks, and companies
  • Data Linked to You (and your real identity) that is collected by the app and company but not shared
  • Data Not Linked to You that the company generally aggregates into larger statistics

Each class lists any of the 14 different types of data that the app collects and uses, as self-reported by the app ’ s developer. This labeling gets complicated quickly, and the like type of data can appear in multiple categories. To actually understand how your privacy is affected by these new tracking-request pop-ups and how to deal with each one thoughtfully, you ’ ll need to understand the labels. ( Though if you ’ vitamin d prefer to skip directly to the how-to part for disabling all of these prompts, see our instructions. )

Data Used to Track You

closely two-thirds of the apps we looked at indicated the collection of some types of data under Data Used to Track You. Apple ’ s definition of tracking refers to any data collected in an app about a person or a device ( your iPhone or iPad ) that is linked to data collected by another party, such as a datum broke or ad network. advertise companies frequently defend the drill by noting that the data collected is typically tied to a singular number, not a person, but it ’ randomness frequently trivial to link a device to a person. And if you see “ Contact Info ” listed as data an app can collect, that can include your name, address, telephone number, e-mail address, and “ Any other information that can be used to contact the user outside the app. ” Of the 20 weather apps we looked at, 17 of them indicated on their tag that they gathered data to track devices for the function of advertising, and 14 of those used location information to track devices. tied without your liaison information, the data your app activeness generates is tracked by a device ID, a singular identifier ( that is, an “ identifier for advertisers, ” or IDFA for short ) that makes it easy for third parties to track you through early apps, services, and websites. The Wall Street Journal has a useful graphic ( subscription required ) that explains how these ads tend to work. Or for a more detail look at how laughably complicated this can get, check out this chart. This data chase across apps explains how you can search for, say, a match of running shoes in one app, and then ads for running shoes start showing up in other apps like Instagram. not all apps that declare their data gain in the Data Used to Track You fortune have ads, but they may sell or parcel data. As Pete Snyder, elder privacy research worker and director of privacy at Brave, a browser and software ship’s company that emphasizes its privacy-protection features, explains : “ so even if an app international relations and security network ’ thyroxine ‘ monetizing ’ by showing you ads, apps will collect everything they can, on the undefined luck that with enough machine eruditeness and combining with other data sets, they ’ ll find some unique data decimal point about you that person in the surveillance economy will pay them for. ” Starting with io 14.5, apps must send you a telling and receive your license before they can track and contribution your activeness. If you tap Ask App not to Track, your IDFA is withheld. Apple besides expects developers to stop using other identifiers, such as an e-mail address or usage data, to track you angstrom well, though there ’ s no technical means to block that tracking. If you allow tracking, the app will continue to plowshare the types of data as listed on the privacy label with early apps and datum brokers. You can always review or change your choice by heading into the Settings app and selecting Privacy then Tracking. If an app has ads, you ’ ll still see them after disabling track, but they won ’ t be based on tracking data from different apps or services. Opting out doesn ’ thyroxine hold on developers from tracking you across multiple apps owned by the lapp party, such as Google Maps and Google Chrome, or Facebook and Instagram. Developers can continue to include their own ads for subscription services, products, or early apps made by the like caller. And companies don ’ t have to list what kinds of data they ’ ve collected and tracked if it doesn ’ metric ton involve advertise or sharing the data with data brokers ; this includes datum for the perform of services such as imposter prevention, security, and some analytics .

Data Linked to You

The Data Linked to You class includes any types of data the developer collects that can be tied to your identity but is not shared with one-third parties. In some instances it can be difficult to comprehend why a company wants this sort of data. Apps actually collect a set of information about you but need much of that datum for basic functionality. For example, if you pay for an app through a subscription serve, the app ’ s developer needs entree to “ Purchases ” data and possibly even “ Financial Info ” in order to verify your account condition. “ User Content ” data can include the photograph you add to an app but besides game data such as saves or multiplayer-matching information. An app is not supposed to use any of the types of data listed in the Data Linked to You part of the privacy tag to track you across early apps, but in many cases that expectation doesn ’ triiodothyronine keep your data contained to the app. Take, for example, Google Chrome, which collects a assortment of information about your world wide web browse and is tied to your Google history. It ’ sulfur easy to see a long privacy label, particularly in the Data Linked to You helping of the label, as bad news program. But Christy Harris, conductor of engineering and privacy research at Future of Privacy Forum, disagrees with that notion : “ Just because an entity lists a multitude of data elements that they might collect, does not necessarily indicate that they are doing nefarious things or that they are some massive data collector. ” In our experience, we had to use the apps for a while equitable to understand why their privacy labels listed certain types of data under Data Linked to You, which we think defeats the determination of the tag in those situations .

Data Not Linked to You

about everything in the Data not Linked to You section is about analytics. About 50 % of the apps we looked at said they collected “ Diagnostics, ” making that the most common type of data accumulated. This type of data refers to crash reports, energy use, and other technical issues. Most of this datum is innocuous, but the traffic analyzer we used, Disconnect ’ s Privacy Pro SmartVPN, flag several types of diagnostic tools, including Adjust, Amplitude, and Crashlytics, as trackers. Since many of these tools can besides be used for tracking, either for advertise or for tasks that are allowed under Apple ’ second rules, such as imposter prevention or analytics, their being blurred the conclusions we could make for this category in our test. Some diagnostic tools, such as Adjust, amply support Apple ’ s new rules, offering developers a way to display ads without tracking the device ID. But flush while testing an app, it ’ s impossible for most people to verify how the app employs such third-party tools unless the developer mentions the use of those tools in its privacy policies. Despite the Data not Linked to You diagnose, we did run into some questionable data collection in this class during our examen of diverse apps. For exemplar, the KXAN Weather app lists several types of data in this section of its privacy label, including “ Precise Location ” and “ Email Address, ” and both of those types of data can be easily tied to identity in most cases .

Our results

Four pie charts showing the percentages of iOS apps that use identifiers, usage data, location, and contact information to track users. We chose to examine the privacy labels and practices of 250 apps ( a fraction of the millions of apps in the App Store ) across several categories. This choice included the crown apps of 2020, vitamin a well as democratic games, browsers, weather apps, streaming-video apps, photography apps, notes apps, dating apps, shopping apps, news program apps, and health and fitness apps. ( We collected the data between March 17 and 26, 2021. ) Among those apps, we found the following :

  • 60% of the apps had a Data Used to Track You label.
  • Of the apps with a Data Used to Track You label, 96% used identifiers (either the device ID or a user ID), 70% measured advertising data (usually information about which ads you’ve seen and whether you clicked them), 38% of the apps used location, and 19% used contact info (typically an address). When you tell an app not to track you, Apple withholds the identifier from the app but technically can’t monitor any of the other possible methods.
  • 57% explicitly mentioned advertising as their purpose for tracking you.
  • 44% of all the apps we looked at indicated using data in the Data Linked to You category for third-party ads, while 55% said they used it for “developer’s ads.”

We besides used Disconnect ’ s Privacy Pro SmartVPN app to analyze traffic on 150 of the 250 apps, and we found that they shared data across 44 different third-party services that Disconnect defines as trackers, averaging between two and three third-party services per app ( some estimates suggest that apps can be connected to deoxyadenosine monophosphate many as six trackers each ). When you get into the big-name social media, dating, and shop apps, Apple ’ s privacy labels promptly become inexplicable. Of the 150 apps we checked, 17 apps shared data with third parties without disclosing that sharing on their privacy label. When we reached out to the developers behind those 17 apps, only four replied with an explanation ; in those four cases, the developers said their apps communicated with an analytics service for tracking how people used the app. ( Disconnect flags this type of tool as a tracker because it can be configured to document a one person ’ mho use, but it doesn ’ t precipitate under Apple ’ s definition since there ’ s no ad component. ) At this spell, at least four other apps ’ developers have not responded to our request for gossip but have restfully updated their App Store pages to add a newfangled list of data types under the Data Used to Track You share of their pronounce, and two apps appear to have removed some of their trackers. Among the apps whose developers didn ’ t react to our request for comment, most commune with third-party tools or services that can technically work for tracking but may fall under Apple ’ mho exceptions for analytics, such as Adjust, Amplitude, AppsFlyer, and Crashlytics. future of Privacy Forum ’ s Christy Harris speculates that these apps “ might be using a third-party SDK that besides has an advertising component. ” Basically, some SDKs—software development kits, or tools that developers can hook into—have multiple uses. One exemplar is a crash-reporting cock that may have an choice to track a device ID in other context. It ’ s up to app developers to know how these tools function, to know how their apps are configured to use them, and to partake that connection on their privacy labels correctly. The Washington Post ran a deep test analyzing a handful of apps ( subscription required to read article ) and besides found respective apps sharing more data than they claimed they did. Some of this discrepancy may be attributable to a developer misunderstanding Apple ’ south rules or not know adequate about the SDKs it uses. More cynically, you might assume the developer is being intentionally untruthful. But among the apps we looked at, around 90 % were guileless about their trailing .

Weather apps (still) share tons of data about you

Weather apps have long been scrutinized for selling your localization data, and that ’ sulfur still the case today. Of the 20 weather apps we looked at, 17 of them indicated ( in the Data Used to Track You part of their privacy label ) that they gathered data to track devices for the purpose of advertise, and 14 of those used localization information to track devices. location information is particularly valuable to data brokers, with the sales of location-targeted advertising reaching an estimated $ 21 billion in 2019. One app, Weather Radar Live, does not list anything on its Data Used to Track You label but appears to communicate with two potential trackers, Adjust and Crashlytics, both of which can be configured to fit Apple ’ s definition of not tracking. Weather Radar Live ’ s developer didn ’ t react to our request for comment or an explanation of how it uses those tools. overall, we found that 18 weather apps shared data with an average of four third-party companies listed as trackers by Disconnect. Some weather apps offer to remove visible ads through in-app purchases, but after we signed up in our quiz, none of them changed their behavior in see to sending data to third parties. Carrot Weather stood out as the only general-purpose weather app in the top 20 at the fourth dimension of our testing that didn ’ thyroxine have a Data Used to Track You label. ( One other non-tracking app, Windy.com, is a niche weather app for wind instrument mold. ) I asked Carrot Weather ’ s developer, Brian Mueller, why he charges for certain features in the app. “ My upwind data providers charge a small amount for each weather data request—and this cursorily adds up when the widgets are requesting 40+ updates per day, ” Mueller told me. “ Without charging extra for the subscription, I wouldn ’ deoxythymidine monophosphate be able to offer any of these features at all. A batch of weather apps sell your data to third parties to pay for these costs, but I think that ’ s wrong. ”

It’s (sometimes) worth paying for apps

A screenshot from Minecraft's privacy label showing that it uses purchases, identifiers ,and usage date to track users. anecdotic tell suggests that apps that cost money collect and share less data than their free counterparts do. They seem to do so to the extent that when I ’ meter looking for a new app to use, I ’ ll consider a pay option. The logic is obvious : Most paid apps wear ’ triiodothyronine have ads and so don ’ deoxythymidine monophosphate benefit directly from collecting data about you. loose apps aren ’ triiodothyronine always bad, and paid apps don ’ deoxythymidine monophosphate constantly respect your privacy, so you still need to scrutinize apps before installing them. many free games make money through embedded ads. When we looked at the top 20 free games of 2020, 19 of them reported data assemble in the Data Used to Track You incision of their privacy label ; Among Us was the lone exception. Of the top 20 paid games of 2020, only four said they used data for trailing, but seven of them hadn ’ thyroxine even received their privacy label at the meter of our research. ( If an app hasn ’ deoxythymidine monophosphate been updated to include a privacy pronounce, it can not access Apple ’ s built-in trailing tool and frankincense won ’ metric ton get entree to tracking data. ) Minecraft was the most surprise game with a Data Used to Track You label, and it stands as a showcase example of how such labels aren ’ thymine as helpful with a lot of the apps from large companies. We asked Microsoft, the publisher of Minecraft, for more data about its privacy label, but representatives declined to comment. Since the bet on app falls under Microsoft ’ s general privacy policy, it ’ s difficult to figure out what the app does based on the statements on the label and in the privacy policy alone. When we tested the app, we saw it send data to AppsFlyer, a mobile analytics company, but that ’ s all we learned. Another plot with a big company behind it, Heads Up, sent data to two one-third parties ; that app links to WarnerMedia ’ s privacy policy, which details all sorts of sharing across third parties. The other two games that listed data gathering on their privacy label, Monopoly and Farming Simulator 20, each shared with three trackers. ( bill that if any of these games, or any other apps, are run on the account of a child who is under 13, the “ Allow Apps to Ask to Track ” option is off and can ’ t be enabled. ) Among the games included in the Apple Arcade $ 5-a-month subscription plan, we didn ’ metric ton find any using data for tracking purposes, likely because games in the plan don ’ t have ads. As for other paid apps, the majority of paid note-taking apps we looked at didn ’ thymine list any types of data gather in a Data Used to Track You label, but two apps with paid subscription plans— Evernote and Notion —did. however, these apps don ’ metric ton scrape the subject of your notes for advertise ; on their respective labels, Evernote lists “ Email Address ” and “ Device ID ” and Notion lists “ Advertising Data ” as the types of data collected. We besides happened across some paid apps that employ more nefarious tactics than many free apps use. several weather apps, for example, use manipulative design to trick you into signing up for their subscriptions while however shoveling your data off to third parties. Likewise, paying for some content subscription services, such as newsworthiness subscriptions, meditation-app subscriptions, or video stream services, doesn ’ triiodothyronine grant you any extra privacy .

Shopping, exercising, moving, news, and dating apps are big into tracking

Labels and app behaviors are always changing, but here are some conclusions that we found surprise, insightful, and representative of how apps tend to plowshare data, according to what we found in the Data Used to Track You labels and our own tests across the crown download. ( Information collected between March 17 and 26, 2021. )

17 out of the top 20 shopping apps we looked at said they collected and shared data for tracking

In our tests, these apps sent data to an average of three third-party trackers. ( The Amazon app, for one, shares merely identifiers, while wish collects and shares your location, contact information, identifiers, purchases, search history, use data, and browsing history. ) Since on-line shop is heavily interwoven with on-line ad, it isn ’ metric ton surprise that a boastfully total of shopping apps engage in this behavior, but we were hush stunned to see fair how much these apps gather and presumably share about people ’ s habits .

13 out of 20 health and fitness apps we looked at indicated data gathering under their Data Used to Track You label

As with most app categories, the most common data these apps said they collected in this regard was the device ID. alone one app, Planet Fitness Workouts, said in its label that it collected “ Health and Fitness ” datum. This app category includes apps with pay subscriptions, such as Calm, which according to its privacy policy provides data to third gear parties to target ads. meanwhile, the privacy policy for Flo explains, in more detail than most companies bother with, how that app shares information—but that explanation is probable vitamin a detailed as it is because of charges brought by the Federal Trade Commision claiming that Flo misled users about its privacy and data communion. In our tests, we found that the 13 apps shared with an average of three third-party trackers. Because of the personal nature of health and fitness data, we were a morsel faze to learn that the majority of such apps were freely sharing data. It ’ second unmanageable to track precisely how datum brokers or advertisers use data, but we do know about some tools, such as Deloitte ’ sulfur PredictRisk, which uses information from data brokers ( who may or may not collect data from apps ) to generate a health-risk prediction score that is then provided to life insurance companies to assess whether people may be concern in their intersection .

12 out of 13 of the house- or apartment-hunting apps we looked at used data for tracking

Bad news for privacy fans who are dream-scrolling Zillow for houses : Of all the categories we looked at, these apps shared the most data, everything from browsing history outside the app to contact information to “ User Content. ” This makes sense given that new-homeowner and new-apartment-renter profiles are probable to lead to easy ad-driven sales as they come packed with predictable shopping needs. In our tests, we found that these apps sent many types of data to an average of five one-third parties .

All 13 of the news apps we looked at used data for tracking

In most cases, these apps indicated on their privacy labels the solicitation of obvious types of data, such as identifiers, use data, and contact information, but occasionally they ’ vitamin d list more : The CBS News and BBC News apps, for example, both use browsing history, and a handful of others besides use location information. Considering that news apps have ads, this consequence international relations and security network ’ metric ton shock, but most of these apps besides charge subscription fees. In our tests, we found that these 13 apps, including the New York Times app, sent data to an average of five trackers each .

12 out of 13 dating apps we looked at listed data gathering on their Data Used to Track You label

Dating apps besides partake a draw of data, sending that data to two trackers on average in our tests. Though none of these apps listed Apple ’ s official “ Sensitive Info ” type on their labels as being used for tracking purposes, they do track and share data that can be sensitive—at least three share your location history, and just having some of them installed might reveal your orientation course. It ’ s unfortunate there aren ’ metric ton more privacy-focused options in this app category .

How to minimize your exposure to data tracking

Personalized ads tracking you all over the position are creepy, but creepiness shouldn ’ triiodothyronine be your only concern in respect to how much of your data gets shared. In the past year, union agencies have used placement data from a datum agent for immigration enforcement ( subscription required to read article ). The US military has purchased localization data from apps, besides, and last year a datum agent claimed it could trace and break down the demographics and location of protestors. once your data goes from an app to third-party datum brokers, it ’ south peculiarly difficult to track how these other parties use all the data they collect. Data brokers, as an diligence, sell to everyone from ad companies to debt collectors to governments. And the data can reveal all sorts of storm things, such as health-risk prediction scores or fiscal information. Although Apple ’ s new rules will put a check to your IDFA ending up in their data sets, it ’ second much harder to regulate the practice of any of the other personal data and history floating out there. If you ’ ve lost path of what apps do what, you can take a few steps to minimize the total of tracking on your device overall :

  • Disable tracking on your iPhone or iPad: You can disable tracking entirely by heading to Settings > Privacy > Tracking and then disabling Allow Apps to Request to Track. If you want to allow some apps to track your activity, you can customize which ones can and can’t track you on this screen. Note that Apple’s new tracking rules apply only to data coming from the app on your iOS device. If you want to block tracking elsewhere, such as on your computer’s browser, we have a list of browser extensions for just that purpose.
  • Delete apps you don’t use: Review the apps you don’t use and delete them. You might have dozens of old apps you used only once just sitting there, still selling your data. If you download anything new, scrutinize the privacy label to ensure you’re comfortable with what the app will do with your data.
  • Avoid the big tech companies: Read through any privacy label for an app made by Facebook or Google, and you’ll see how much data they collect about your behavior. Now is a good time to consider avoiding the apps from such tech behemoths on your phone or to consider using those services in your browser instead. While you’re at it, consider a new browser, too. Apple’s default Safari app isn’t bad in this regard, but some alternatives, such as Brave, DuckDuckGo, and Firefox, are even more focused on privacy, and all of them integrate more privacy protections inside the app than Safari does.

Apple’s improvements are only a small step

In general, we found the newly privacy labels informative for apps in more narrow-interest categories and for apps from smaller companies, such as productiveness apps. It ’ mho helpful to see what types of data your disturbance app might gather up or share, for case, and that cognition may influence you to choose another option. And possibly it ’ ll be eye-opening to see what that release photography app you use to make Instagram collages shares about you ( it ’ s likely not the photograph itself, but the datum might include what other apps you use or which ads you ’ ve clicked ). even though the labels are not constantly utilitarian for understanding the behavior of every class of app, we did find them helpful to discern between one niche app, such as a notes app, and another when it came to their privacy practices. When you get into the big-name social media, dating, or shop apps, however, Apple ’ s privacy labels cursorily become inexplicable .Two screenshots of HBO Max app privacy with the latest, as of April 2021, omitting the Data Used to Track You section. But we have seen some insidious shifts with the launch of io 14.5. Before io 14.5, apps could list relevant types of data collection in their labels ’ Data Used to Track You section but weren ’ deoxythymidine monophosphate required to ask you for that license. On April 29, 2021, however, we noticed that a few high-profile apps—including those of Compass Real Estate, HBO Max, and Tinder —had removed the tracking section of their privacy labels since our initial expect at them a calendar month prior, suggesting that in the future we may see a switch in how apps approach sharing data when they ’ rhenium required to ask you for license. Outside of the App Store, the broader technical school universe placid has a ways to go to become transparent about its data-collection practices, and that measuring stick of transfer will require updates to privacy laws. As autonomous research worker and adviser Ashkan Soltani notes, although Apple can presently block a specific type of tracking, “ there ’ randomness going to be new technologies and new developments—and how proactively is Apple going to be in seeking those out ? ” We ’ ve already seen some proof of concept ( subscription required to read article ) for different techniques that get around Apple ’ south rules. Soltani points to Global Privacy Control, which he created, as one share of a broader solution, which “ provides the ability to set the set in your browser and be opted out automatically. ” The importance of transparency, rules, and regulations isn ’ thymine going anywhere. “ The surveillance economy is permeant in ways that are unknown to closely everyone, and it ’ s designed to stay unknown, ” Brave ’ s Pete Snyder points out. “ And the technical school companies most responsible are doubling down by encouraging ecosystems that give users less control, less agreement of how what ’ second being recorded about them, and less power over their own lives. ” With Apple ’ s privacy nutrition labels, now people at least have one more tool for better understanding how their data gets used, shared, and sold .

Footnotes

1. entire lists of the apps we reviewed are available as CSV files. We collected this datum during the time period of March 17–26, 2021, and apps may have changed their policies since then. You can see the lists for all 250 apps, apps with entries under Data Linked to You, apps with entries under Data not Linked to You, and apps with entries under Data Used to Track You. Jump back.

Sources

1. Pete Snyder, elder privacy research worker and director of privacy at Brave, electronic mail consultation, April 09, 2021 2. Ashkan Soltani, freelancer research worker, call consultation, April 09, 2021 3. Christy Harris, conductor of technology and privacy research at Future of Privacy Forum, Zoom interview, March 31, 2021

Leave a Reply

Your email address will not be published.