Apple’s New App-Privacy Rules Expose Past Loopholes

Apple Inc. is trying to enforce new privacy policies across its vast network of iPhone and iPad apps—and in the process is exposing longstanding gaps that left users’ data vulnerable to abuse. The company has issued new rules for app developers designed to limit future data collection and ad targeting. The rules thrust Apple into the role of regulator and enforcer in the wake of controversy over the misuse of personal data from Facebook Inc. —a scandal that has triggered calls for new federal regulations of digital information. But Apple’s new rules also raise concerns that the company’s previous policies contained loopholes allowing apps to collect and resell users’ information, including contacts lists and photo locations, privacy advocates say. Apple didn’t respond to requests for comment.

Apple’s new guidelines out last week state that apps receiving users’ permission to access contact lists and photos can’t build databases with that information or sell it to third parties. The company also added rules saying apps need consent when “recording, logging or making a record of a user’s activity” and said advertisements inside apps must allow users to see all the information used to target them. The rules are the most sweeping and restrictive Apple has ever imposed on developers. Previously, the company didn’t have detailed rules limiting what developers could do with users’ contacts lists. So apps, in theory, could have taken not only phone numbers and emails of friends and family but also those contacts’ birthdays and profile information and build databases or sell it to third parties, said Raj Aggarwal, the co-founder of Localytics, a mobile app analytics company that supports 37,000 apps across 2.7 billion devices. “It’s pretty bad what Apple was inherently allowing,” Mr Aggarwal said. It isn’t clear if any iPhone or iPad apps compromised users’ data as a result of the loopholes, and there is no evidence of Apple currently pulling apps off the App Store for failure to comply with the new rules. In a new code of conduct section in the guidelines, Apple said: “Customer trust is the cornerstone of the App Store’s success. Apps should never prey on users or attempt to rip-off customers, trick them into making unwanted purchases, force them to share unnecessary data…or engage in any other manipulative practices.” Apple’s new guidelines were earlier reported by Bloomberg.

Apple’s effort to crack down on developers comes amid new European privacy rules and continued scrutiny of Facebook’s data-collection practices. The social networking giant has come under fire over the past year for failing to fully protect user data and allowing personal information, including contacts, to be collected and relayed to third parties such as political consulting company Cambridge Analytica. Talking about the Facebook scandal in March, Apple Chief Executive Tim Cook told MSNBC that he didn’t support regulation but said it was time “for a set of people to think deeply about what could be done here.” The company has since not only updated its regulation of apps but also announced new software features aimed at limiting the way Facebook and advertising-based companies track and collect data across Apple devices. The more stringent guidelines could protect Apple and customers as they increasingly store more sensitive information on iPhones, such as medical records. Had an app collected and sold a customers’ health data, Apple would have faced profound reputational risk and therefore needed to “clamp down,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit digital-privacy research group. Still, the rules won’t matter unless Apple enforces them, privacy experts said. They expect Apple to use artificial intelligence to analyse apps that collect data and have staff audit apps that are suspected of violations. “It needs to be a clear, robust and active process for this policy to have any teeth,” Ms Dixon said. Should those efforts fall short, Apple could later block app developers from uploading iPhone address books to servers, said Domingo Guerra, president of Appthority, a mobile security company. Instead, he said Apple could require apps to use the contact list locally on the device, eliminating any data risk.

Apple will have to balance its new regulations with its need to attract developers. The App Store is the primary sales engine behind the company’s growing services business, which generated more than $29 billion in sales last year and has a goal of hitting about $50 billion in sales by 2020. Developers had generated about $100 billion in sales since the App Store’s inception a decade ago. Though Apple’s operating system has only 15% of global smartphone market share, the App Store collects 66% of app-related spending worldwide, about double Alphabet Inc.’s Google Play store, according to market researcher App Annie. “Apple controls that gateway,” Mr Guerra said, “and these app developers have to play by their rules.”

Credit: Tripp Mickle for The Wall Street Journal, 13 June 2018.