Apple is in the hot seat this week, but the reality is that none of the companies that control the flow of your personal data, your access to information, or your ability to publish and communicate through your smartphone are doing enough to respect your privacy or freedom of expression.
Last January, a prominent billboard near the Consumer Electronics Show declared: “What happens on your iPhone, stays on your iPhone.” As support for privacy rights and data protection grows around the world, Apple has been positioning itself as the privacy-respecting alternative to companies like Google whose business models rely on the collection and commodification of user information at a massive scale, proclaiming its belief that “Privacy is a fundamental human right.” But does the reality live up to the hype?
Two new articles published this week suggest that Apple has work to do if its privacy practices are to live up to its claims. In a recent Washington Post piece, journalist Geoffrey Fowler examined all the ways that apps track users’ iPhone activity. The week-long experiment revealed that 5,400 trackers “guzzled” Fowler’s data, and that many apps’ data collection practices differed from their privacy policies and other policy documents. Separately, The Verge reported that three iTunes users were suing Apple for allegedly making data about individual users’ listening habits available to data brokers and advertisers.
Apple’s privacy issues are by no means unique among smartphone companies. Rather, Apple’s claims about its robust protection of privacy are what set it apart from its competitors, and journalists should continue to point out the gaps between the company’s claims and reality. But as findings from the 2019 Ranking Digital Rights Corporate Accountability Index show, while Apple ranks relatively well on transparency about policies and practices affecting user privacy, it has persistently fared even worse with respect to another fundamental human right: freedom of expression.
While most of the 24 companies evaluated in this year’s Index demonstrated a weaker commitment to respect users’ freedom of expression than users’ privacy, Apple displayed the widest gap by far, as the graphic below illustrates. It was the only company in the entire Index to receive full credit for its commitment to privacy as a human right and no credit for making a similar commitment to freedom of expression.
Apple’s transparency about policies and practices affecting freedom of expression ranked lower in the 2019 RDR Index than any other U.S.-based internet or mobile company, as we point out in Apple’s 2019 RDR Index report card published on May 16. On May 29 in advance of its Worldwide Developers Conference (WWDC), Apple unveiled a new section of its website featuring information about its App Store policies and practices. Yet while the new section makes such disclosures more prominent, Apple still discloses only limited information about its process for enforcing its rules in the App Store or how it determines whether an app is breaking those rules. Even now, despite the fact that the company is widely reported to remove apps in response to government demands around the world — including in China — there is no information to be found on the company’s website about how Apple handles government requests to remove content from the App Store, much less data about the kinds of apps that are censored in various countries around the world. (While its Transparency Reporting page states that starting with its report for July 1 — December 31, 2018, it will begin to report on government requests to take down apps from the App Store in instances related to alleged violations of legal and/or policy provisions, it has yet to publish any such information.)
While iPhone users have reason to demand greater transparency and accountability from Apple, users of Android devices — whether they are using handsets sold directly by Google or phones from other device manufacturers like Samsung that also run on Android — also face threats to privacy and freedom of expression that the companies fail to mitigate or disclose to users. Since 2017 the Ranking Digital Rights Corporate Accountability Index has been evaluating the mobile ecosystems controlled by Apple, Google, and Samsung. While Apple significantly improved its disclosures between 2017 and 2018, our data shows much less progress in the past year. Google made few improvements to its disclosures about Android. As for Samsung, it disclosed significantly less than either Apple or Google, and its overall score declined since 2018. (See Google’s 2019 RDR Index report card and Samsung’s report card.)
The growing reach of smartphones
Smartphones and apps are front and center in the fight for privacy and freedom of expression across the global internet: over half of the world’s 4.3 billion internet users access the internet primarily through apps on their mobile phones, instead of browsers on a desktop or laptop computer.
The relative affordability of mobile phones has contributed to their growing global popularity as a primary means of using the internet. As a result, any risks to mobile users’ rights to freedom of expression, access to information, and privacy are compounded for low-income and other vulnerable internet users who are more likely to use older, less expensive devices. These older devices are inherently more vulnerable to malware, targeted hacking, non-consensual data collection, and other harms than newer and more expensive models.
“Mobile ecosystems” are an indivisible set of goods and services offered by a mobile device company, comprising the device hardware, operating system, app store, and user account. Alarmingly, and despite improved transparency in other areas, the 2019 RDR Corporate Accountability Index found that neither Apple nor Google — whose operating systems together account for 98% of the world’s smartphones — had taken enough meaningful steps to improve their disclosure about how their mobile products impact users’ human rights since we started evaluating mobile ecosystems since the previous year.
In addition to Apple’s iOS and Google’s Android ecosystems, we evaluated device manufacturer Samsung and 12 global telecommunications companies, whose modifications to the stock Android operating system can also have significant effects on device security. Across the board, companies failed to show key information that users have the right to know, with the two main players demonstrating opposite strengths and weaknesses: overall, Apple scored higher than Google on privacy but much lower on freedom of expression, while Google disclosed more information about policies affecting users’ freedom of expression but less about the Android ecosystem’s respect for user privacy.
App stores and freedom of expression
App stores have become gatekeepers with tremendous power to control what types of apps are available, to whom, under what conditions, and what kinds of user data they can collect. This is especially true of the Apple mobile ecosystem, as users can only install apps through Apple’s proprietary App Store (unless they modify their device in ways that are disallowed by Apple, such as jailbreaking it). In contrast, Android users can download apps from third-party app stores rather than exclusively from the Google Play Store, as well as “side-load” apps without going through an app store.
Very little is known about censorship within the various app stores. Like other platforms that host content produced by third-parties, app stores receive requests from governments and from private third-parties to remove or restrict content. News apps, VPNs (which help users get around China’s technical censorship system), the Taiwanese flag emoji, and even individual songs have all disappeared from Apple’s platforms in the PRC, with no explanation from the company.
Google’s Android was the only mobile ecosystem in the 2019 RDR Index to publish any data about the volume and nature of content and accounts restricted for violating the Play Store’s rules (see the findings for 2019 RDR Index indicator F4.1), although this data was not comprehensive or published regularly. Apple failed to provide enough information to users about its process for evaluating requests for content restriction (see indicator F5), its process for enforcing its own terms of service, or the volume and nature of apps that it removed or restricted for violating its rules (see F4.1). Samsung, which operates its own Galaxy Store, did not disclose such information, either.
Data collection and privacy
Privacy of location data is especially important for mobile ecosystems because people tend to keep their devices on them at all times. Historical data about where the device has been reveals extremely sensitive and personal information. The Android ecosystem in particular needs to limit the collection of location data by Google and by third-party apps.
Google received only partial credit on the 2019 RDR Index indicator P7.5, which evaluates whether the company clearly discloses that it provides users with options to control the device’s geolocation functions. The company had previously received credit for such disclosure but, in August 2018, the Associated Press found that Google saves users’ location history even if they have disabled “Location History” on mobile devices. Google has since revised its page on managing location data, stating that some services may still save users’ data even if location data is turned off. For journalists and activists to safely conduct their work, they must have the ability to control who can track their whereabouts and for what purposes. Similarly, people have the right to know if key location data, such as visits to hospitals, are shared with insurance companies. Such data sharing practices have a strong potential to affect insurance rates and access to healthcare in ways that are inherently discriminatory.
Security risks unique to mobile devices
Low-income internet users of Android devices produced by manufacturers like Samsung, who often make changes to the stock Android operating system that affect how quickly users can access security updates, are especially vulnerable. As we highlighted in the 2017 RDR Index, such changes to the Android mobile operating system can hinder the timely delivery of software updates, including security updates, that are key to device security and user privacy. Samsung no longer disclosed what changes it introduced to the Android mobile operating system (P14), though it had previously disclosed some information about such modifications.
Telecommunications providers can also make such changes affecting how quickly users can access security updates (P14.6). None of the telecommunications companies evaluated in the 2019 RDR Index disclosed such information. Manufacturers and telecommunications companies all need to be much more transparent about the changes they make to the Android operating system and how the changes affect users’ device security.
Android models from the Nexus and Pixel product lines and iOS devices receive updates directly from Google and Apple, respectively, but neither company gives users all the information they need about device security. Google was the only company to disclose how long various device models would be guaranteed to receive software updates — a “best by” date for smartphones — though it did not commit to providing security updates for five years after a new model’s release (a reasonable expectation, given how expensive devices can be). Apple and Samsung did not provide such information, making it difficult for users to evaluate for how long their devices will be safe to use.
Demanding more of companies
Any device designed to curate content, facilitate speech, collect data, and allow multiple third-parties to collect reams of personal information — including physical location around the clock — poses a significant threat to human rights. Users should be concerned that these companies have made so little progress when it comes to respecting freedom of expression and privacy on mobile devices: none of these companies score more than 60% on RDR’s indicators measuring mobile ecosystems’ transparency.
The 2019 RDR Index includes a series of policy recommendations that mobile ecosystem companies can and should adopt to ensure their users’ safety and rights online, including:
- Be transparent about restrictions to freedom of expression: Apple should make its terms of service easier to find and understand, and it should publish data about actions it takes to enforce its own rules, and about actions it takes to remove content as a result of government and other third party demands (as it states that will start doing for the July 1 — December 31, 2018 period).
- Enforce rules protecting user privacy: Apple should enforce rules governing third-party apps’ collection of user information, and publish data about its actions.
- Guarantee security updates for five years: Apple should ensure its devices are safe to use for at least five years after release, and publish this “best by” date.
- Be transparent about enforcing the company’s own rules: Google should provide comprehensive data about restrictions to the Play Store due to its own terms of service enforcement. It should publish this information at least once a year, as a structured data file.
- Do more to protect privacy: Google should clarify what information it collects and shares, and for what purpose — and give Android users clear options to control what data is collected about them (notably location data).
- Guarantee security updates for five years: Google should increase the duration for which it guarantees new devices will receive security updates from three to five years.
- Be transparent about third-party requests: Samsung should publish data about third-party requests for content and account restrictions, and for user data.
- Improve security disclosures: Samsung should be more transparent about measures it takes to keep user information secure, and if it encrypts user communication and private content.
- Commit to providing timely security updates: Samsung should disclose what modifications it makes to the Android operating system, if any, and how such changes affect the company’s ability to send security updates to users. It should commit to provide security updates for the operating system and other critical software for a minimum of five years after release, and to do so within one month of a vulnerability being announced to the public.
- Commit to providing timely security updates: Telecommunications companies should disclose what modifications they make to the Android operating system, if any, and how such changes affect users’ access to security updates. In all cases, users should be able to install security updates within one month of a vulnerability being announced to the public.
Click here to read the full 2019 RDR Index report.