I've seen 2 or 3 posts in my TL re: App Store privacy info for Threads vs. Mastodon. https://mastodon.social/@jsq/110653072170221591 for example.

I feel like people greatly misunderstand the App Store privacy labels. They're not at all a ground truth you should read without careful interpretation.

- Entirely self reported
- No consistent auditing or data quality enforcement by Apple
- Very vague, both on the scope of categories and what's "collection"
- "May be collected" is a "worst case" statement.

- Only data shared directly with the app developer or contracted parties needs to be reported.
- Some categories that aren't vague are way too broad.

Mastodon reporting an empty list here is in fact very obviously wrong. When you log in to mastodon.social from the Mastodon app, you are sharing contact info (email address), identifiers, as well as usage data.

So at the very least you should conclude Threads is doing a better job of informing its users re: privacy than Mastodon gGmbH is.

Overall the App Store privacy labels are a terrible implementation of a potentially good idea. There is no way for a user to figure out how accurately a developer filled in that info, and there's no baseline of quality because nobody on the Apple side reviews or enforces this.

Large companies are in fact more prone to over-declaring here because that has ~ no cost except for pissing off privacy loonies (which you can never satisfy anyway) while covering your ass legally.

Disclaimer for this post: I worked for ~2 years as a privacy reviewer for infra services at Google. This is what I would minimally declare for the Mastodon app, from my reading of Apple's policy:

- Contact Info (email address, obviously)
- Location (coarse location, Mastodon stores IP addresses in logs)
- Contacts (your follows/followers)
- User Content (your toots)
- Search History
- Identifiers (handle)
- Usage Data (logs, anti-abuse)

Not far from Threads' list...

My wish for today is for people to actually read Apple's documentation about privacy labels before replying with something wrong that is very clearly stated in the policy document: https://developer.apple.com/app-store/app-privacy-details/

If whatever I've stated seems wrong to you it's likely because the policy is vague, counter-intuitive, and just stupid in some areas. Or please justify your replies with proper quotes from the policy so we can at least start discussing differences in interpretation...

App Privacy Details - App Store - Apple Developer

Learn about providing your app’s privacy practice details in App Store Connect for display on your App Store product page.

Apple Developer

> just stupid in some areas

For example, the definition of collecting "Location" data includes "Coarse location" data. Which is defined as "Information that describes the location of a user or device with lower resolution than a latitude and longitude with three or more decimal places".

Collecting and/or inferring (e.g. via IP address) country of residence is collecting coarse location data.

A checkbox where the user states "I am a resident of planet Earth" is collecting coarse location data.

@delroth well, then everyone who has an app talk to their backend over TCP (and records that fact) collects that: they know that the user is in a ball of diameter equal to maximum rtt for TCP.

@robryk @delroth it only counts if the data is persisted

@delroth any clue what health data could mean in this case? That’s one that stands out to me as hard to justify

@Mae not completely sure. Apple's definition is very broad and includes e.g. "Fitness and exercise data", and the policies don't clarify whether that data needs to be structured in any way or whether it can be incidentally collected via unstructured user data (e.g. someone posting "I've ran 20km today!").

They do include every single other category, so it would make sense if that's their interpretation.

@delroth I’m not sure whether I would declare a “following” list as “contact info”. Big social media frequently asks for contacts permissions to “find your friends”. I think that’s what “contact info” refers to.

@nektworks these privacy labels have nothing to do with the actual app permissions (which gate access to the contacts API on device). This is about what information is collected by the app's developer, and Apple defines the "Contacts" category as including "social graph" information.

@delroth I see where you’re coming from, but these are all the sorts of things one could reasonably assume a social media app would collect. Also mastodon isn’t selling whatever data it has on me to advertisers.

@rrrromas yes, it's exactly my point: what people are screenshotting and sharing are mostly benign stuff you'd expect every social network to declare as data they collect.

Your screenshot is more interesting since it shows advertising as the purpose for collection. Note however that it doesn't extend at all to "selling data" - any kind of targeting would be declared the same way. I'd expect Meta does very little selling of data, since that collection/inference is their motte.

@rrrromas however, given that your screenshot also shows "crash data" as being used for "third party advertising", one can doubt how much the list actually reflects reality vs. checks all the boxes to cover asses.

@delroth I don’t think that Mastodon (gGmbH) collects these data if you use your own or a third party server.

What server to use is up to the user.

That’s the difference: you can use the Mastodon App without sending data to Mastodon gGmbH but you cannot use the Threads app without sending data to the developer of the Threads app.

@teilweise the Apple Privacy Labels documentation/policies make no such distinction. See also https://mastodon.delroth.net/@delroth/110653978499688171 and the rest of that reply thread.
Pierre Bourdon (@[email protected])

@[email protected] and before you go and claim that using m.s is the exceptional case: 1. I disagree given it's a default option; 2. that's not how the policy is written anyway so that would be a moot point. It might reasonably apply for the email address since that information is willingly given by the user, but stuff like Usage Data for example doesn't fit point (4) in the "Optional disclosure" requirements - it's not directly provided by the user, and the user is not affirmatively making a choice.

Mastodon

@delroth I feel like in the iOS/macOS context "Contacts" has a specific meaning - will it share info from my "Contacts" app. Mastodon certainly doesn't do that. (It doesn't even have access to my Contacts app.)

@paulmather007 I've replied to that already. No, your understanding here is not correct, we're not talking about app permissions, the documentation/policies define what "Contacts" is in this context.

https://mastodon.delroth.net/@delroth/110654800385803729

@delroth Hmm. That's certainly confusing labeling! Quickly googled it and the definition I found was "a list of contacts in the user’s phone, address book, or social graph." By that definition any social networking app would have "access" to my Contacts, since they're running a social graph by design. I guess that would be a fault of the labeling system, but that's not very helpful to the user.

@paulmather007 yeah, that's my point exactly. This whole system is terribly designed, and if anything the lesson we should be learning from this whole comparison between Threads and the Mastodon app is that Mastodon gGmbH have been misrepresenting their data collection...

@delroth Also, it's a mistake to use the app icons for Contacts and location services if the data we're talking about isn't the Contacts app or location services. Thanks for explaining this to me!

@paulmather007 as someone who's never really been immersed in the Apple ecosystem I didn't even notice the reused icons as a possible source of confusion. TIL, thanks!

@delroth Yeah not to be long winded but the arrow icon for location is what appears in the menubar when an app is using either GPS data or WiFi triangulation to figure out your location. So it’s got a specific meaning from a user’s perspective

@delroth And, as a non-technical person, "Location" has the icon next to it that indicates GPS location via location services in iOS, so I would have read this to be GPS location. I'm curious what would happen if one doesn't give Threads access to Contacts etc. I know if I try it out I'm not okaying access to my health and fitness data, that's crazy! Unless it's also a jogging tracker app. :)

@paulmather007 and yet again, no, that's not how the documentation defines it. https://developer.apple.com/app-store/app-privacy-details/ clearly says "Location" includes "Coarse location" which is defined as "describes the location of a user or device with lower resolution than a latitude and longitude with three or more decimal places".

Literally asking someone for their country of residence is collecting "Coarse location" by that definition. Yes, it's absolutely dumb, but don't complain to me about that :)

@delroth It is! I mean, if you're using the app, it means you exist somewhere in the universe, and that would be a coarse location by that definition!

@paulmather007 even worse, you can likely narrow it down to Earth and its lower orbit.

@delroth I've interacted with some people on social media who I'm not sure have ever visited Earth. :)

@delroth But saying “when you log into mastodon.social, you are sharing usage data” is misleading as well - many users of the mastodon app never do that. You log into delroth.net, I log in to berlin.social. My usage data is shared with my instance and that is laid out in the privacy policy of the instance that I agreed to when signing up.

It’s a bit like saying “when you browse the web, you are sharing userdata.” That’s correct, but the data should not be shared with the browser vendor.

re-boosting this a year later because people are doing the same shit with Bluesky and it's just as ridiculous as ever

@delroth health info.... Just why?

@brennschluss I don't know, but my best guess is that it's because the type of user content posted and shared by users is unbounded and might contain that kind of data (example: a post that mentions health issues, or fitness / exercise). Apple's policies don't state that things that qualify as "user content" don't also qualify for the other categories of data collection.

@brennschluss personally I'm not sure if I agree with that interpretation - and it's a guess about the reason anyway, I'm not the privacy reviewer / lawyer that had to make the decisions for Meta. But I think it's plausible.

@delroth in this case it reminds me of talking to the police "everything you say can be used against you for marketing purposes"

@brennschluss there's nothing here that implies "marketing purposes" fwiw. That's not a requirement of the policies in question.

@brennschluss @delroth I assume that if you decide to share, for example, info about a workout on social media, they technically have health data that can technically be linked to the user.