I've seen 2 or 3 posts in my TL re: App Store privacy info for Threads vs. Mastodon. https://mastodon.social/@jsq/110653072170221591 for example.

I feel like people greatly misunderstand the App Store privacy labels. They're not at all a ground truth you should read without careful interpretation.

- Entirely self-reported
- No consistent auditing or data quality enforcement by Apple
- Very vague, both on the scope of categories and what's "collection"
- "May be collected" is a "worst case" statement.

(cont)

- Only data shared directly with the app developer or contracted parties needs to be reported.
- Some categories that aren't vague are way too broad.

Mastodon reporting an empty list here is in fact very obviously wrong. When you log in to mastodon.social from the Mastodon app, you are sharing contact info (email address), identifiers, as well as usage data.

So at the very least you should conclude Threads is doing a better job of informing its users re: privacy than Mastodon gGmbH is.

Overall the App Store privacy labels are a terrible implementation of a potentially good idea. There is no way for a user to figure out how accurately a developer filled that info, and there's no baseline of quality because nobody on the Apple side reviews or enforces this.

Large companies are in fact more prone to over-declaring here because that has ~ no cost except for pissing off privacy loonies (which you can never satisfy anyway) while covering your ass legally.

Disclaimer for this post: I worked for ~2 years as a privacy reviewer for infra services at Google. This is what I would minimally declare for the Mastodon app, from my reading of Apple's policy:

- Contact Info (email address, obviously)
- Location (coarse location, Mastodon stores IP addresses in logs)
- Contacts (your follows/followers)
- User Content (your toots)
- Search History
- Identifiers (handle)
- Usage Data (logs, anti-abuse)

Not far from Threads' list...

@delroth I feel like in the iOS/macOS context "Contacts" has a specific meaning - will it share info from my "Contacts" app. Mastodon certainly doesn't do that. (It doesn't even have access to my Contacts app.)

@paulmather007 I've replied to that already. No, your understanding here is not correct: we're not talking about app permissions; the documentation/policies define what "Contacts" is in this context.

https://mastodon.delroth.net/@delroth/110654800385803729

Pierre Bourdon (@[email protected])

@[email protected] these privacy labels have nothing to do with the actual app permissions (which gate access to the contacts API on device). This is about what information is collected by the app's developer, and Apple defines the "Contacts" category as including "social graph" information.

@delroth Hmm. That's certainly confusing labeling! Quickly googled it and the definition I found was "a list of contacts in the user’s phone, address book, or social graph." By that definition any social networking app would have "access" to my Contacts, since they're running a social graph by design. I guess that would be a fault of the labeling system, but that's not very helpful to the user.

@paulmather007 yeah, that's my point exactly. This whole system is terribly designed, and if anything the lesson we should be learning from this whole comparison between Threads and the Mastodon app is that Mastodon gGmbH have been misrepresenting their data collection...

@delroth Also, it's a mistake to use the app icons for Contacts and location services if the data we're talking about isn't the Contacts app or location services. Thanks for explaining this to me!

@paulmather007 as someone who's never really been immersed in the Apple ecosystem I didn't even notice the reused icons as a possible source of confusion. TIL, thanks!

@delroth Yeah, not to be long-winded, but the arrow icon for location is what appears in the menubar when an app is using either GPS data or WiFi triangulation to figure out your location. So it’s got a specific meaning from a user’s perspective.