Pierre BourdonJul 4, 2023

I've seen 2 or 3 posts in my TL re: App Store privacy info for Threads vs. Mastodon. https://mastodon.social/@jsq/110653072170221591 for example.

I feel like people greatly misunderstand the App Store privacy labels. They're not at all a ground truth you should read without careful interpretation.

- Entirely self reported
- No consistent auditing or data quality enforcement by Apple
- Very vague, both on the scope of categories and what's "collection"
- "May be collected" is a "worst case" statement.

(cont)

Show threadPierre BourdonJul 4, 2023

- Only data shared directly with the app developer or contracted parties needs to be reported.
- Some categories that aren't vague are way too broad.

Mastodon reporting an empty list here is in fact very obviously wrong. When you log in to mastodon.social from the Mastodon app, you are sharing contact info (email address), identifiers, as well as usage data.

So at the very least you should conclude Threads is doing a better job of informing its users re: privacy than Mastodon gGmbH is.

Show threadPierre BourdonJul 4, 2023

Overall the App Store privacy labels are a terrible implementation of a potentially good idea. There is no way for a user to figure out how accurately a developer filled that info, and there's no baseline of quality because nobody on the Apple side reviews or enforces this.

Large companies are in fact more prone to over-declaring here because that has ~ no cost except for pissing off privacy loonies (which you can never satisfy anyway) while covering your ass legally.

Show threadPierre BourdonJul 4, 2023

Disclaimer for this post: I worked for ~2 years as a privacy reviewer for infra services at Google. This is what I would minimally declare for the Mastodon app, from my reading of Apple's policy:

- Contact Info (email address, obviously)
- Location (coarse location, Mastodon stores IP addresses in logs)
- Contacts (your follows/followers)
- User Content (your toots)
- Search History
- Identifiers (handle)
- Usage Data (logs, anti-abuse)

Not far from Threads' list...

Show threadthomas.
@delroth I see where you’re coming from, but these are all the sorts of things one could reasonably assume a social media app would collect. Also mastodon isn’t selling whatever data it has on me to advertisers.
Jul 4, 2023 at 12:17pmIvory for iOS
Show threadPierre BourdonJul 4, 2023

@rrrromas yes, it's exactly my point: what people are screenshoting and sharing are mostly benign stuff you'd expect every social network to declare as data they collect.

Your screenshot is more interesting since it shows advertising as the purpose for collection. Note however that it doesn't extend at all to "selling data" - any kind of targeting would be declared the same way. I'd expect Meta does very little selling of data, since that collection/inference is their motte.

Show threadPierre BourdonJul 4, 2023
@rrrromas however, given that your screenshot also shows "crash data" as being used for "third party advertising", one can doubt how much the list actually reflects reality vs. checks all the boxes to cover asses.