We’re pleased to announce that Lockdown Privacy has been acquired by Appex Group, a privacy-conscious mobile development group fully owned and operated by passionate technologists and engineers. Appex is headquartered in Boston, Massachusetts, and is led by open source veterans with extensive background in security. The Appex team was immediately attracted to Lockdown’s industry-leading transparency, and saw that by prioritizing trust through transparency, Lockdown was able to grow organically to over a million users, instead of relying on invasive ads or marketing - a win for both user privacy and for Lockdown.

Going forward, not only is the Appex team committed to operating Lockdown as open source, but they’re also heavily investing in building out new privacy features and performance enhancements, such as a next-generation tracker-blocking engine that’s exponentially more efficient - updates that our two-person team didn’t previously have the resources for.

For us as founders, we’re happy that Lockdown’s new operators are folks who believe in the importance of privacy, and who arguably have much deeper experience with open source than us. Of course, actions speak louder than words, so this month, Appex is completing Lockdown’s fifth audit by independent security and privacy experts - the update will be posted and announced in the next few weeks on OpenAudit.

We look forward to continuing to work with Appex as strategic advisors - and if you have any questions, concerns, or feedback, you can reach the Appex team at team@lockdownprivacy.com.

Best,

Appex & Lockdown Privacy

This study, conducted by Lockdown Privacy, was featured and summarized by The Washington Post in September 2021.

Summary

In April 2021, Apple released the App Tracking Transparency (“ATT”) feature with iOS 14.5. ATT claims to give users choice and transparency for third-party tracking in their apps, and it was lauded by many as a step forward in protecting user privacy. Does it really work? Five months after its release, we tested ten of the top apps in the App Store to see if ATT succeeds in stopping tracking.

Using the open source Lockdown Privacy app and manual testing, we found that App Tracking Transparency made no difference in the total number of active third-party trackers, and had a minimal impact on the total number of third-party tracking connection attempts. We further confirmed that detailed personal or device data was being sent to trackers in almost all cases. ATT was functionally useless in stopping third-party tracking, even when users explicitly choose “Ask App Not To Track”.

Who We Are

We’re ex-Apple engineers whose mission is to increase transparency in technology. We’ve spent the last four years creating open source privacy software (Lockdown Privacy), writing informative content (Transparency Matters, Privacy Review, Openly Operated), and building free tools to help developers become more transparent (OpenAudit).

Unlike most privacy companies that ask users to trust their unproven Privacy Policies, everything we build is open source, so all the results and data in this report can be replicated and verified by anyone with an iOS device. And because we’re also Openly Operated, all our claims are fully backed up by source code, infrastructure, and audit trails — verifiable by anyone with an internet connection.

Background + Objective

It’s no secret that Apple tries to brand itself as a privacy-conscious counterpart to its rivals Google and Facebook, whose ad-based businesses are inherently at odds with privacy. This privacy-as-marketing approach sounds great in ads, but in practice, it’s often less-than-honest or can even be counterproductive. In this study, we test the effectiveness of Apple’s latest privacy feature: App Tracking Transparency.

App Tracking Transparency claims to give users a choice in allowing or requesting to disallow third-party tracking in apps. The average iOS user will, while using an app, encounter ATT with this dialog:

The user’s choice will then show up in the Settings app, under Privacy — Tracking:

Since the two screens above are the entirety of what most iOS users are going to see about ATT, we’ll use these dialogs as the standard for our study. In the example above, if ATT is working as advertised, this means that for the DoorDash app, “all new app tracking requests are automatically denied” and the user has asked the app to not track their “activity across other companies’ apps and websites.”

The objective of this study is to measure how well ATT lives up to Apple’s own claims, and to answer the question: How effective is App Tracking Transparency at stopping third-party tracking activity?

Methodology

To test how effective App Tracking Transparency works, we selected ten top ranked apps, most of which were featured by Apple’s own App Store Editors under either the Apps or Games tabs. We used Lockdown Privacy v1.2.4 to detect (and block) third-party trackers, and manual testing for uncovering the actual content being sent. Some manual testing later uncovered more trackers, which were also included in the results.

We enabled the following Block Lists: Amazon Trackers, Data Trackers, Email Trackers, Facebook Trackers, Game Marketing, General Marketing, Google Shopping, Marketing Trackers, Marketing Trackers II, Reporting. The test device was an iPhone XR initially running iOS 14.8. We later re-tested with the final public release of iOS 15 and found that iOS’s ATT behavior, tracking data, the number of trackers were identical. Tests were conducted during August and September.

Since Lockdown Privacy is free and open source, all data and results in this can be verified by anyone. Due to app updates and specific usage behaviors, independent verification results may differ slightly — for example, using a test app for a longer period of time will likely result in more tracking activity.

Test Process

We tested each app twice: first with choosing ATT’s “Ask App Not To Track”, and then again with choosing ATT’s “Allow [Tracking]”. In each test, we did a clean signup and basic usage of the app for no more than two minutes. After each test, we recorded what tracking activity was detected in Lockdown Privacy’s Block Log, and then reset everything to test the next case.

Simplified Test Example

The following is a shortened version of the test process for the Yelp app. It shows a Settings panel that indicates Tracking is toggled off for Yelp, and then launches the Yelp app. Finally, viewing the tracker Block Log in Lockdown Privacy, we document the dozens of tracking attempts by Yelp’s third-party trackers that iOS’s ATT has allowed.

Results + Data

Tracking Activity in Top Ranked Apps: ATT On Vs Off

Total Tracking Activity: ATT On Vs Off

What Data Is Being Sent To Trackers?

There were a significant number of connections to third parties. Blocking these connections did not affect the functionality of the apps being used, so we looked into what data was being sent. In this section, we highlight the most notable examples. In all cases below, the test chose “Ask App Not To Track” in the ATT dialog.

Note that in all cases, the user’s IP address is exposed to the third party, because that is a basic requirement of making a connection to any site or server on the internet. Particularly personal or egregious data being sent are marked in red.

Discussion

In our tests of ten top-ranked apps, we found no meaningful difference in third-party tracking activity when choosing App Tracking Transparency’s “Ask App Not To Track”. The number of active third-party trackers was identical regardless of a user’s ATT choice, and the number tracking attempts was only slightly (~13%) lower when the user chose “Ask App Not To Track”.

How do these results compare to Apple’s App Tracking Transparency claims? In our earlier section, we observed that the average iOS user will see ATT’s claims that “all new app tracking requests are automatically denied” and that a user can ask the app to not track their “activity across other companies’ apps and websites.”

Neither of Apple’s claims about App Tracking Transparency hold up. New app tracking requests were not automatically denied, and even though it is technically correct that the user can ask apps to not track their activity across other companies’ apps and websites, in our tests, in no case did apps respect this request. And since every connection exposes the user’s IP address, it’s trivial for these third parties to uniquely identify users, rendering ATT useless.

In many cases, trackers received much more than the user’s IP address. We observed that they received an egregious amount of data, including a user’s accessibility settings, the exact time that the user last restarted the device (down to the second), the device’s current battery level and screen brightness (both with a precision of 15 decimals), the user’s exact latitude and longitude, installed keyboards, time zone, current speaker and microphone settings, currency, volume level, and much much more — see the “What data is being sent to trackers?” section above for full examples.

Apple’s Massive Loophole: A Narrow Definition of Tracking

How could Apple have failed so miserably in stopping third party trackers with a feature named “App Tracking Transparency”? Digging into the answers for this question led us to discover the main cause: Apple’s narrow definition of the term “tracking”.

In a way, the definition of tracking can be simple and intuitive: Tracking is when an app unnecessarily sends your data to third parties. That third party has now tracked you, because they have, at a minimum, your IP address: the simplest and oldest identifier on the web. From your IP address, your location can be approximated fairly reliably, along with who your ISP is. And since it’s an identifier that stays the same for most home internet connections, it’s a pretty easy way to track you across the web.

Instead, Apple has hijacked the term “tracking” to define it as something highly specific, and they’ve even placed their full definition of it in developer documentation, which of course no average iOS user will ever read. So what is it? It turns out that Apple interpretation of “tracking” is that it must fulfill all of these conditions: First, it must link user data from one app/website to another app/website. Second, it must do this specifically for targeted advertising or advertising measurement purposes. Third, Apple excludes a list of so-called acceptable tracking behaviors that are not considered “tracking”.

Based on our research, we found Apple’s definition of tracking to be misleading, counterintuitive, and confusing for these reasons:

1) It is too narrow in scope: There are obvious cases outside of advertising where a reasonable person would consider a behavior “tracking”. For example, if someone was tracking your location in real-time using spyware embedded in an app, Apple would not consider this “tracking”, because it is not “advertising” related.

2) It contains too many caveats: Buried in developer documentation, Apple maintains a list of tracking behaviors that are not considered “tracking”. While these exceptions might sound reasonable, most of them are vague enough that they can be reinterpreted by even the most egregious trackers to fit in these exclusions. For example, since “fraud detection” is such an expansive exception, marketing trackers can (and do) claim that they are sending dozens of different signals and data from a user’s device, not to uniquely identify the user for advertising, but for the purposes of so-called “fraud detection”. In fact, during our research, we found a case where a third party’s software (Kochava) labeled itself “AppleTracker”, even though Apple definition would not consider it “tracking”.

3) It relies too heavily on trusting the very tracking companies that the policies are supposed to be protecting users against: Apple’s definition allows apps to secretly send any and all of your data to third parties, and as long as those third parties publicly claim they won’t link your data to other sites or sell it, it’s not considered “tracking” by Apple. It is a 100% trust-based honor system, which means that the only way for these companies to get caught “tracking” is to literally pen a public confession of guilt or wrongdoing — something that profit-driven companies are not exactly known for doing.

4) It incentivizes less transparency, creating more dangers for privacy: Apple’s tracking definition makes the privacy-regressive assumption that third-party connections are by default innocuous, so any enforcement would require that someone provides definitive proof of abuse. But what if these third-party connections are intentionally obscured or encrypted? Our testing found that Apple allows the closed-source AppsFlyer tracker to encrypt the data that it sends from the user’s device, so that nobody can see exactly what AppsFlyer is receiving. The danger here is that third party trackers can access anything that its host app can access. For example, for Square’s Cash App, as unlikely as it may sound, it’s entirely possible that their embedded AppsFlyer tracker is sending all of your financial transactions to their own third party servers, and nobody other than AppsFlyer — not even Apple — would know.

To Catch A Tracker, We Must Think Like A Tracker

But what if Apple is right to trust third-party tracking companies, and all the tracking companies really are trying their best to protect user privacy, even at the expense of their own profits? To test this theory, we “went undercover” by spending a few hours as an app developer who wanted to circumvent Apple’s own tracking rules when users choose ATT’s “Ask App Not To Track”. Would the tracking services allow us to do this, or would we be proven right?

It turns out, we weren’t wrong. We were actually more right than we thought.

Not only do these trackers allow their clients to break Apple’s rules, but they specifically built features to help their clients easily circumvent Apple’s ATT privacy rules.

First, we created a dummy app that used the Kochava tracking service. With just a few clicks, we configured Kochava to violate Apple’s “ATT Opt-Out” by asking it to tracking users across apps (using “IP address” and “User Agent”) for the purpose of ad targeting (“Paid Media”). Basically, Kochava made it really convenient for any app developer to violate even Apple’s narrow definition of tracking.

We later performed the same test with the AppsFlyer tracking service (which, as previously mentioned, hides the data it sends off your device), and it was even easier to enable “privacy cheat mode” and track users against their consent — all it took was clicking a single button.

It’s important to note that since these “cheat ATT” settings are configured on the third party tracker’s dashboard, there is a zero percent chance of Apple finding out that apps are engaging in this behavior, because Apple does not have access to it. Achievement unlocked: Illusion of User Privacy.

Conclusion

When it comes to stopping third-party trackers, App Tracking Transparency is a dud. Worse, giving users the option to tap an “Ask App Not To Track” button may even give users a false sense of privacy: users who would have otherwise been more cautious with giving their data to an app might let their guard down, thinking that they’re “safe” from third-party tracking. Furthermore, we found that some apps didn’t even bother to show the ATT dialog, despite contacting numerous third-party trackers.

The core problem is that App Tracking Transparency is entirely based on the honor system, so it suffers the same fatal flaw as Apple’s “Privacy Nutrition Facts”. App developers can choose whether or not to be honest about tracking, and if all their competitors are lying, why would they choose to be honest? Since the App Store has millions of apps, slipping by the rules is not only easy, but as our testing showed, it’s the norm.

Apple also doesn’t have an incentive to police the very profitable App Store (~20% of revenue). Sure, they’ll shut down no-name scams when they go viral, or apps that publicly tout rule violations. But what are the odds that Apple reprimands Yelp (partnership with Apple Maps), or DoorDash (#1 Food Delivery App), or popular games (98% of App Store revenue)? And with enough users, apps can even gain power over the “walled garden”, lest their users switch to Android or Huawei. For example, WeChat was allowed to violate rules because China is a critical market for Apple, and Uber was given a unique privilege that let it record users’ screens.

So what should Apple do?

Trackers can’t send data that they don’t have access to, so the most direct technical fix is to limit or eliminate app access to information that is used to fingerprint devices. In iOS 15, apps are allowed unlimited access to device data that are totally irrelevant to their functionality. For example, why would any app need access to the exact second that the user last restarted their iPhone? And why does iOS give apps access to this data in such a high degree of precision? Data such as an iPhone’s remaining battery and screen brightness (both accurate to 15 decimals), or an iPad’s remaining free space (down to the byte), serve no legitimate, non-fingerprinting purpose for most apps. And for the rare app that might need this level of precision, App Review should approve the usage on a case-by-case basis.

Apple also needs to take a hard line against closed-source trackers — especially the ones that further encrypt the data they’re sending to third-party servers. Trackers have access to everything its host app has access to: Trackers in your finance app have access to all your financial data, trackers in health apps have access to all your health data, and trackers in your photos apps have access to all your photos. And the only way to ensure the tracker isn’t stealing any of this, is for the tracker to reveal their source code. Without that, the “walled garden” concept is a total sham, because even Apple’s App Review team has zero visibility into what data is being sent to third parties.

On the marketing and user interface side, Apple needs to come clean that App Tracking Transparency is a completely trust-based system, and possibly even rename the feature itself. It’s plain dishonest to show users a dialog that gives the option of choosing “Ask App Not To Track”, while Apple (a company that excels in user interface and design) knows full well that 1) the average user will be misled into thinking they’re protected from tracking and that 2) in practice, there is very little to no compliance or effect on third-party tracking.

In the Settings app, Apple needs to be extremely clear that iOS currently does not and cannot stop third-party tracking. Before iOS 14.5, every app permission (Camera, Contacts, etc) in the Privacy panel has always been enforced by iOS, ensuring that certain apps can or can’t access certain features. iOS 14.5’s Tracking permission breaks this ten-year-old iOS pattern and misleads users into thinking that it’s enforced like every other permission. In fact, iOS even claims something completely untrue here: that “new app tracking requests are automatically denied.”

Finally, over the long term, Apple should be more transparent and model transparency for developers by open sourcing not only their software, but also their processes. What exactly does Apple or any app developer do with a user’s data when it’s uploaded to the cloud? What trackers are embedded in an app? How does Apple’s App Review verify an app’s privacy promises?

In a world where software and processes are truly transparent, these and other pressing privacy questions can be answered accurately and verified easily. Absent that, a billion iPhone users around the world are stuck with an unacceptable compromise: relying on independent researchers to, in their spare time, test and report on the effectiveness of a trillion dollar company’s flagship features.

Apps have a responsibility to protect the privacy of user data, and to secure it against external and internal threats. But apps often just make up whatever privacy claims sounds good, and place it in their marketing materials, Privacy Policy, and Apple’s self-reported Privacy Nutrition Facts. This leads to data hacks, leaks, and even theft.

OpenAudit is a standardized way of proving these claims, instead of just asserting them. Here is a simple tutorial on how it works. A claim must have references (either specific lines of code, or relevant documentation). Auditors then perform verifications on each reference to ensure they adequately support the claim. More relevant to Lockdown Privacy users, we also conducted an OpenAudit in April 2021. Here’s a snippet:

In this example, the reader clicked the claim that “user data […] is protected by modern encryption”, which shows a popup with the proof of that claim: three references that support it, and two auditor verifications per reference. OpenAudit is designed to show everyday users which claims have been independently verified, while allowing technical users to quickly dig into the details. Lockdown Privacy’s OpenAudit has a total of 582 references and 1164 verifications, all publicly viewable at https://openaudit.com.

Today, users are forced to blindly trust that their apps (even privacy apps) won’t steal or leak their data. But how can you tell which apps actually respect your privacy, and which apps are just using slick marketing and making false promises? In an App Store plagued with fraudulent, scammy, and negligent apps, OpenAudit lets honest apps stand out by earning user trust through independently verified proof.

OpenAudit is open source and developers can use it to to audit their own apps for free at openaudit.com. And if you want to work on this full-time, we’re hiring! Reach out to work@openaudit.com to join our mission of using transparency to make apps, services, and the web a safer and more trustworthy place for everyone.

This story was featured and re-posted by FastCompany. You can go read it here.

With the recent release of iOS 14, Apple enabled a new feature called “App Privacy” (or what they call Privacy Nutrition Labels) in the App Store, which supposedly shows users what information apps collect, and how it’s used. For example, the Facebook app’s extremely long App Privacy section, which details all the information they collect, is already the subject of viral tweets such as this one:

Most people are already aware that Facebook has terrible privacy practices, but Apple still deserves a lot of credit for exposing Facebook so publicly on their official platform. Raising awareness about privacy is terrific, and this is definitely the right direction. So what’s the catch?

The problem with Apple’s App Privacy is that it’s entirely self-reported. The app developer gets to make whatever privacy claims they want, and none of that information is vetted. There’s no verification by Apple or by any other source.

App Privacy is not new. It’s re-branding and simplification of the Privacy Policy, aka the “We Pinky-Promise to Not Steal Your Data” document. Unfortunately, App Privacy doesn’t fix the Privacy Policy’s inherent and critical flaw: Privacy Policies contain no proof of the privacy claims they make.

Apple doesn’t verify any of the App Privacy information that app developers submit - because they can’t. There is currently no way for Apple to know what an app does with user data after the data is sent to the app. But by calling it equivalent to “Privacy Nutrition Labels”, Apple irresponsibly implies that this privacy information is vetted, when that is absolutely false.

This results in two unintended consequences: it creates a false sense of security for users, and an incentive for more dishonest and privacy-invasive apps in the App Store.

A False Sense of Security for Users

The Privacy Policy, and by extension, App Privacy, has been a failure due to its inaccuracy and lack of reliability. This is partially because even the app developers themselves may not know what user data is being given to third parties, or who those third parties give user data to.

One example of this is a recent privacy scandal involving the mass selling of user data to the U.S. military, with location data harvested from various apps - a Craigslist app, a Muslim prayer app, weather apps, and many others. This was possible because these apps used a third-party integration that sold location data. And since the app developer didn’t even know the third-party integration was doing this, they of course didn’t mention it in their apps’ Privacy Policies (or App Privacy) - they can’t include what they don’t even know.

Another example is the case of poor security practices, resulting in security breaches. It seems like every week, some company “regrettably” announces that they’ve been hacked. Last week, it was SolarWinds, who apparently set their server password to “solarwinds123”. Negligent, cheap, and lazy security practices like this are commonplace, and are opaque to even the most detailed Privacy Policies.

Both real-world examples above seriously impact user data and privacy, and unfortunately in both cases, App Privacy doesn’t help, and worse, may give users a false sense of safety.

Incentivizing Dishonest and Privacy-Invasive Apps

The App Store ecosystem is a competitive place. For every app, there are at least two or three apps with similar functionality competing for the same users. And you don’t need five email apps - you need one good one. Users choose apps based on many factors: features, design, screenshots, reviews, and now with iOS 14, App Privacy. So to win the most users, developers are now incentivized to make their App Privacy look good. Key phrase: “look good”.

Again, App Privacy is based on Privacy Policies, so it relies on the app developer to be honest - it’s like asking restaurants to do their own health inspections and provide their own health scores. Now that App Privacy makes the Privacy Policy much more prominent, how does this affect the incentive structure for App Store apps?

Let’s say you’re choosing between two email apps on the App Store - both seem similar in features and design. Unbeknownst to you, however, one email app is created by a dishonest developer who intends to extract extra profit by selling your emails to third parties, while the other email app is honest and does not do this. Which app do you end up choosing?

In this situation, both email apps collect basic analytics. The dishonest app, however, writes in their App Privacy that they don’t collect or sell any data, while the honest app admits that they collect basic analytics. So you read the App Privacy for both apps, and decide that since you want to “maximize privacy”, you download the dishonest app - the one that secretly sells your emails to third parties. It’s not your fault - it’s the fault of a poor incentive structure.

This results in a nightmare feedback loop: Dishonest apps make more money due to their willingness to lie on their App Privacy, and then use their ill-gotten profits to buy Apple’s App Store Search Ads, which allows them to appear first in search results and rope in more downloads and more user data. Sell the user data, rinse and repeat. I previously wrote about the magnitude of top-selling apps doing exactly this on the App Store here. The App Store’s “scam apps” problem hasn’t gotten better since then, and the introduction of App Privacy will now help them seem even more legitimate than ever before to unsuspecting users.

Finding Apps That Truly Respect Privacy

So what can be done about App Privacy’s ease of abuse?

Apple has said that developers caught lying on their App Privacy will be banned, but this threat has no teeth. First, as mentioned earlier, it’s impossible for Apple to catch liars because Apple has no way of knowing if app developers are telling the truth about privacy - this threat is only effective against the most visible companies like Facebook, who are already under heavy scrutiny. Second, Apple is not financially incentivized to eliminate profitable apps from the App Store (since they take 30% of revenues as well as App Store Ads), and other than specific removals of a few scandals that go viral in the media, they aren’t spending the time or resources to individually verify the 2 million apps on the App Store.

Luckily, you don’t need to depend on Apple. Here how to find and choose truly privacy-respecting apps:

First, look for apps that are 100% open source. Open source is the “organic” of software, and it means the app’s code is publicly visible, so there’s nothing to hide. There are no unknown third-party integrations, and everything the app does, including collection of data and how it’s used, is accessible by everyone. Importantly, ensure that not just the app, but also the app’s servers (where your data is stored and transferred in the cloud) are 100% open source.

Second, check a site like Privacy Review for neutral third party analyses on the tracking behaviors of specific apps. Instead of trusting App Store’s App Privacy, which is self-reported, these sites use tools like Lockdown Privacy to see exactly what connections to trackers are made - it’s like a Snopes, but for apps. Watch out, though, for review sites that get a “referral bonus” from your app signups or downloads - these are almost always scams, because they only get paid when you purchase the app.

Third, make sure that management and ownership of the company is clear. Who is the CEO? Where are they located and are they a real company? Or are they a series of offshore shell companies that allow the owners to stay anonymous? You’ll be surprised how often that last one is true, especially for so-called privacy apps that are malware or data-mining companies in disguise.

Final note

Apple’s App Privacy creates a heavily-manipulated illusion of transparency, without any of the benefits of true transparency. It gives financial incentives for apps to be more dishonest, and Apple would be well-advised to change course on this for the health of the App Store ecosystem and their 1.5 billion customers.

App Privacy has a lot of potential. It shouldn’t just be a watered-down Privacy Policy that misleads users. It should instead adopt a verifiable transparency standard like Openly Operated, which puts the responsibility on the companies to prove their security and privacy claims before being allowed to access user data.

In the meantime, we advise that you (and your family and friends) to take App Privacy with a heavy grain of salt, because it’s not at all a dependable indicator of trustworthiness - and may simply indicate an app developer’s willingness to lie.

A few years ago, people started realizing that their personal data (browsing activity, IP address, etc) were being monetized and/or exploited for profit. To combat this, the California Consumer Privacy Act (CCPA) was passed, which said that companies have to let users say no to the sale of their personal data. Other states are now passing similar bills.

For the uninitiated, personal data like IP addresses and other unique identifiers are used by advertisers, data brokers, and tracking companies to build a shadow profile of you, and to follow you across websites. That’s why if you’re shopping for blue hiking shoes, and then went to read the news on different site, you’ll see ads for blue hiking shoes on the news site. The fact that everyone has a unique IP makes it the most common and easily exploitable personal data.

So this new law passes, and now sites slap on a “Do Not Sell My Data” button to appease the regulators. What do they do? Do they work? I clicked a bunch of ‘em to find out:

Six sites with the “Do Not Sell My Data” button at the site footer.

For shopping sites Bloomingdale’s, Nordstrom, and Lowe’s, the “Do Not Sell My Info” links lead to forms where, ironically, you’re required to give more of your personal data in order to proceed to the next step. If you’re someone who is concerned about your data being sold, why would you give away your full name, emails, phone number, home address, and credit card numbers to another third party? What are they going to do with this info?

How many companies are in the “Intel Alliance”? Who is OneTrust and what happens if Google acquires them? And WTF is “service-now.com”?

On popular news site “The Hill”, clicking “Do Not Sell My Data” shows a dialog that links to the privacy policies of the 32 advertising and tracking companies they work with. The “Save & Exit” button makes no sense because there are no options to save, and clicking it does nothing. The “Do Not Sell My Data” button dismisses the dialog without any visible response. Did that… do something? Do I have to click that every time I visit the site? And am I expected to read and stay updated with all 32 privacy policies just to read the news?

A sort of “Forbes 30 under 30” of tracking and ad companies. Congrats to all who made it.

Clicking “Do Not Sell My Data” buttons on other sites, other issues surfaced:

First, the opt-out forms apparently need to be completed using every browser and device I use to access the apps or sites. So the number of times I have to do this process is (number of sites & apps) * (number of devices) * (number of browsers). The time wasted ends up getting pretty huge, pretty quickly.

Big “getting websites to stop selling my info” Mood. Source

Second, I learn that every time I clear my cookies (which are another way websites track users), I have to redo everything. So if I attempt to reduce tracking by clearing my cookies, I’m actually also implicitly agreeing to let companies sell my personal data, and I have to opt-out on every site again. 🤦🏻‍♂️

Why do we have to find and click a tiny button, fill out forms, give more personal data, and jump through whatever hoops on every single site and app, on every device and browser, just to not have our personal data sold to third parties? Should we also have to specifically tell every restaurant we dine at to not spit in our food? Or have to specifically tell every plumber we hire to not steal from our homes?

Obviously, nobody wants their personal data to be sold, so a more reasonable system would be for every website to by default not sell users’ personal data, instead of requiring users to opt-out.

So if we changed the law to simply penalize companies that sold user data without explicit consent, would that work better?

Nope, that wouldn’t work either — for three reasons:

First, tracking companies are already challenging what “sale” in “sale of data” means — arguing that many instances are a gray area. For example, if TRACKERS-R-US paid ACME App to add a tracker, does this count as “sale”? A high-powered attorney could argue that it’s not, because the data goes directly from users to TRACKERS-R-US, so it’s not owned by ACME — and you can’t sell what you don’t own. Or what if ACME doesn’t get cash, but instead gets a share of revenue or some service in return? Or what if TRACKERS-R-US is branded as a “analytics tool” that’s “crucial” to the functioning of ACME App? These nitpicky questions may seem inane and stupid to you, but the fact that there’s even some tiny chance of ambiguity can create years of litigation and appeals, because companies, like anyone else, are innocent until proven guilty. In these cases, companies don’t need to win — they simply need to drag out the legal battles as long as possible (see Uber).

Second, enforcing laws about what companies should do internally is nearly impossible, because catching violations relies on self-reporting, and also because many violators are outside of the law’s jurisdiction. There’s simply no scalable way to know if companies are selling user data. If a company claims they don’t sell user data, but does it anyway, they’ll get away with it 99.999% of the time, because the only people that know about the violation are themselves. Add a few more 9’s if the company is based outside the USA.

I thought Facebook might have put their “Do Not Sell” link under the “More” menu. Nah.

Third, some companies just don’t give a flying f about what the laws say, because they can easily afford the fines, and because the political climate doesn’t exactly lend itself to serious regulatory action against mega-corporations. While companies like CNN and Wal-Mart make attempts to comply by adding “Do Not Sell” links, Facebook (who collects more personal data than anybody else) has completely ignored it, choosing instead to wait for the next slap on the wrist.

If you want companies to not sell your personal data, we know what doesn’t work: It doesn’t work to spend all your free time clicking “Do Not Sell” buttons that probably do nothing, and it doesn’t work to pass regulations that are ultimately ignored or rely on ineffective self-policing.

So what would work?

Let’s go to the source: Sites and apps you want to use are simultaneously serving you third-party trackers that you don’t want. Remember news site The Hill from earlier and their 32 tracking companies? You *want *the news, but you *don’t want *the third-party data sharing. And if it’s an app (instead of a site), this tracking can even happen in the background, when the app isn’t even open.

The simple solution that we (two ex-Apple engineers) came up with is to directly block the trackers, so that your personal data doesn’t get out to third parties in the first place. This is way more effective than allowing tracking and hoping that apps and sites don’t later sell your info.

We built a free and open source app that you can you can download right now called Lockdown, and it blocks trackers, ads, and badware in not just your browsers, but all apps. So you don’t have to stop reading the news, online shopping, or playing games— just install Lockdown, push a button to activate it, and then go on living your life — we take care of the rest. Here’s what it looks like:

Simple to use for everyone, powerful customizability for advanced users.

“Wait a second… free? What’s the catch?”, you’re asking, “Are you guys trying to Zuck us over in some hidden, nefarious way?”

Nope. We’re pretty open about how we pay the bills. Lockdown lets you automatically block trackers with its free Firewall, but if you want more protection by hiding your IP address and encrypting your connections (for safety on public wi-fi and insecure sites/apps), you can pay for Lockdown’s fully-audited Secure Tunnel (VPN) service. Revenue goes to keeping the Firewall free and updated with the constantly changing (and increasingly clever) landscape of trackers, ads, and badware.

We believe people and companies that build privacy products have a unique responsibility to be more transparent than any other product line. That’s why Lockdown is 100% open source and openly operated — so that anyone can see what it’s doing, and just as importantly, what it’s not doing.

We built Lockdown because it’s something we wished existed: a simple, transparent, and powerful tool for stopping invasive third-party tracking. We hope it can do the same for you. Get it for free at LockdownPrivacy.com.

(Update: Lockdown was featured by App Store and also featured in Forbes — check it out and share the story! )

When you send a photo to someone, your messaging app actually first sends the photo to an app’s server, which then sends the photo to them:

And sure, in the 90’s, this might have been what happened. But somewhere along the line, someone figured out how to profit from user data, and so now here’s what actually happens:

And that’s just sending photos. Today, you give apps access to your camera, location, microphone, contacts, browsing habits, even your medical records. After you tap “Allow” once, an app can even upload your entire photo and video library to their servers in the background while you’re sleeping.

The Internet is facilitating an insane free-for-all for our personal data, with potential consequences getting worse. Apps even exploit this data with behavioral science to squeeze every dollar or minute out of their users, when it’s clearly against the users’ best interests. Today, companies have every incentive to exploit our data for profit, and no incentive to protect our privacy.

Since we’re only going to rely more on apps over time, the critical question is:

How do you know if you can trust an app?

Trust Through Privacy Policy?

When you ask a company about protecting your data, they respond by telling you to read their Privacy Policy, which is a document they wrote (or copy-pasted) that promises they’ll protect your data.

But wait, isn’t that circular logic? I should trust that they’re protecting my data because… they have a document that says they’ll protect my data? How do I know they’re doing any of the things they claim in the Privacy Policy?

It turns out it’s impossible to know if an app company is violating their Privacy Policy (or violating privacy laws), because there’s literally nothing stopping them: they’re Privacy Policies, not Privacy Proofs. Not only that, they’re actually not legally binding, and in the rare cases when companies actually *do *get caught, the penalties are unbelievably light. And as recent government (in)action on data breaches, ISP privacy rules, and net neutrality show, often there are no penalties at all.

Privacy Polices and regulations do not create real trust, and they only serve to provide a false sense of security or privacy.

Trust Through Pricing?

It’s a common saying on the internet: “If the product is free, then you’re the product.” And while that’s sometimes true since revenue must come from somewhere, some people make the logical fallacy of thinking the inverse must also be true: “If the product is not free, then you’re not the product.”

Due to this mistake, some people use price as a criterion when choosing apps to use, by looking for apps that aren’t free and making the false assumption that non-free products will not exploit their data for profit.

Of course, it’s very possible and just as likely for a company to both charge you for an app while also profiting off of your data or having poor security. Therefore, pricing is a bad criterion for finding an app that you can trust.

Trust Through Aesthetics/Design?

Woah, those app screenshots look so sleek! And their website is so colorful and tastefully designed, with beautiful animations that you simply can’t resist. Why would an adorable cartoon bear lie to you? Is that even possible?

Well sadly, yes — cartoon characters lie all the time. Since they were created by a human and their dialogue is written by a human, an adorable cartoon bear is not less likely to exploit your personal data for profit. It might look cuter while doing it though.

The aesthetics of a website might tell you that that they spent $20 on a SquareSpace theme (or pirated it), but say nothing about how trustable an app or service is — it‘s even possible that the company skimped on data security in order to spend more on their website’s design and animations.

Trust Through Popularity?

If all your friends jumped off a digital bridge, would you? At one point, Yahoo had over three billion accounts, and in 2013, they broke the world record 🎉for biggest data breach ever, by a very long shot. Since then, there have been many more breaches of tens or hundreds of millions accounts of other companies. And these are only counting disclosed and known breaches — nobody knows what the real numbers are.

Popularity isn’t a reliable proxy of how trustworthy an app is. In fact, there are even scam apps that make it into the top charts of the App Store.

So what actually creates trust?

Apps should have to earn the trust of its users, especially when there are such strong financial incentives for companies to simply lie and abuse user data.

To earn user trust, apps should be fully transparent— the public should be able to see everything the app and its servers are doing, so that anyone can verify that there’s no negligent, dishonest, or even malicious activity. In other words: trust through transparency.

Trust Through Transparency

Full transparency means making the entire operation of an app public and verifiable, from the app code on your phone or computer, to the server code and infrastructure on the cloud, to the actions of the company’s employees, plus proof of all of that. It’s *everything *that touches your data. Everything.

If getting full and verifiable transparency from the apps we use every day seems like a radical idea, it’s because we’ve been trained for so long to expect so little from companies. We’ve been trained to upload our personal data, cross our fingers, and simply hope for the best. The truth is, if we’re giving companies our most sensitive personal information, why shouldn’t we expect them to give us proof of exactly what they’re doing with it?

A Standard For Transparency

To be clear, partial transparency is insufficient and misleading, because it still allows “bad bits” to be hidden, defeating the purpose of transparency. For example, a company hiding just a small part of their server code is still able to secretly copy all user data to unknown third parties from their servers.

So how do we know if an app is being fully transparent, versus only partially transparent or not transparent at all?

A standard for full transparency doesn’t exist today, so we’re creating one and giving it away for free.

This new standard is called Openly Operated, because full transparency requires the entire* operation* of an app to be open and verifiable. This includes making public all app source code, server code, infrastructure, and employee actions, as well as providing proof of accuracy and validity. It’s like giving the public read-only access to the app operator’s Admin console (example here).

How this is different from apps today? Here’s the photo-sending example from the beginning again — except this time, the app is Openly Operated:

Unlike the earlier examples, the Openly Operated certification process forces the app to be fully and verifiably transparent, preventing the app’s operators from hiding privacy and security issues. This process, at a high level, is:

1. The app fulfills specific requirements to demonstrate full transparency, and uses direct references to source code, infrastructure, and other evidence to prove the app’s privacy or security claims.

2. Combine these requirements and proof of claims into an Openly Operated Audit Kit that anyone can publicly view and verify.

3. Get matched with independent auditors, who verify the Audit Kit to produce public Openly Operated Audit Reports, detailing their verifications and providing a summary.

This lets everyone participate in “trust through transparency”: users who are more technical can perform verifications themselves by diving into the nitty gritty details in the Audit Kit, while less tech-savvy users can read the independent Audit Reports and summaries. Openly Operated’s transparency is the opposite of the status quo, where apps simply tell users to read their totally unproven and unverifiable Privacy Policy.

Openly Operated is a free certification. Its mission is for all apps to earn trust through transparency, so all documentation is available at no cost, and companies pay nothing to license the certification. We’ve even built examples to show that Openly Operated apps are possible. These are more than proof-of-concepts — they’re in production, fully functional, and are operating at scale with real users.

Everything Should Be Openly Operated

Companies have been blatantly dishonest with how they handle and secure user data for too long. Since its creation until now, Facebook has had a privacy setting for user posts labeled “Only Me”. To any regular person, “Only Me” has a simple meaning: me, and literally nobody else.

But over the last ten years, we’ve learned the hard way that Facebook has a very different definition of “Only Me”. To Facebook, “Only Me” means “Me and All Of Facebook’s Advertisers and Their Partners and Some Of Facebook’s 25,000 Employees and Some Unknown Number Of Contractors and Facebook Apps That Friends or I Have Used and Those Apps’ Employees and Anyone Those Apps Share Or Sell Data To… Maybe”.

Probably need a smaller font to fit the truth here.

Privacy and security scandals happen every week not because companies are evil, but because like anything else, companies operate on incentives. In a world where there’s no way to verify an app’s security or privacy claims, why should a company be honest and make less money, while their competitors are being dishonest and making more money? Current incentives give dishonest and insecure companies an edge to grow faster, compete more efficiently, spend more on marketing, and capture the most customers.

Openly Operated provides a structured way for companies to prove their privacy and security claims. Users have nothing to lose and everything to gain by demanding transparency from the apps they give their personal data to. The question shouldn’t be “Why should the apps I use be transparent?” — it should be “Why aren’t the apps I use transparent? What are they hiding?”

Learn more at OpenlyOperated.org. Whether you’re a user curious about the many benefits of transparency, an engineer building apps people can trust, or a company that wants to win customers while increasing security, Openly Operated has something to offer you.

Wouldn’t it be nice if “Only Me” really meant “Only Me”?

Note: I originally published this story on Medium, where it received 45,000 likes (#52 overall that year). I’m republishing it here because writing this helped spark my interest in transparency and trust in software, and eventually building Lockdown Privacy, Openly Operated, and Privacy Review.

At WWDC, Apple reported that they’ve paid out $70 billion to developers, with 30% of that ($21 billion!) in the last year. That’s a huge spike, and surprising to me because it didn’t seem like my friends and I were spending more on apps last year. But that’s anecdotal, so I wondered: Where are these revenues coming from? I opened App Store to browse the top grossing apps.

Step 1: Follow The Money

I scrolled down the list in the Productivity category and saw apps from well-known companies like Dropbox, Evernote, and Microsoft. That was to be expected. But what’s this? The #10 Top Grossing Productivity app (as of June 7th, 2017) was an app called “Mobile protection :Clean & Security VPN”.

Given the terrible title of this app (inconsistent capitalization, misplaced colon, and grammatically nonsensical “Clean & Security VPN?”), I was sure this was a bug in the rankings algorithm. So I check Sensor Tower for an estimate of the app’s revenue, which showed… $80,000 per month?? That couldn’t possibly be right. Now I was *really *curious.

I tap into the app details to see that the developer is “Ngan Vo Thi Thuy”. Wait so, this is a VPN service offered by an independent developer who didn’t even bother to incorporate a company? That’s a huge red flag. For those of you who don’t know why this is bad, a VPN basically routes all your internet traffic through a third party server. So in this case, a random person who couldn’t piece together a grammatically correct title, who also didn’t bother to incorporate a company, wants access to all your internet traffic.

Another red flag was this comically terrible app description:

Direct screenshot from the “Mobile protection :Clean & Security VPN” app description.

According to this, “Mobile protection :Clean & Security VPN” is “Full of features” — well, it’s certainly full of something. Apparently, “Mobile protection” includes protecting you from “dupplicate” contacts. And these “scans” are what the screenshots claim as “Quick & Full Scan Internet Security”. Five internets to anyone who can figure out the relationship between Internet Security and duplicate contacts.

All these red flags — and I haven’t even downloaded the app yet. I check the Reviews tab to find some vague, fake-looking 5-star reviews:

Seeing the dates on these reviews brought up another question. How long has this app been up? Well, according to Sensor Tower, “Mobile protection :Clean & Security VPN” has been a top 20 grossing Productivity app since at least April 20th (almost 2 months now).

Step 2: Duplicitous Behavior

Out of curiosity about this supposedly top grossing app, I download it. Here’s what happens when I open it for the first time:

Yes, “This app need to cccess to your Contact to scan your Contact first.” The only option here is to tap Agree, and then iOS asks me if I want to give this app “cccess” to my contacts. Uhm, no thank you?

After skipping that, the app tells me my device is at risk. Of course it is. It‘s also ready to “Device Analyze”, Quick and Full Scan, and secure my internet (I can’t wait!).

Tapping “Device Analyze” shows my iPhone’s free memory and storage — a useless and irrelevant feature.

Tapping both Quick Scan and Full Scan shows:

“Your contact is cleaned. No dupplicated found.”

Oh good — no duplicates, except for the extra “p” in “dupplicated”, I guess? 🤷🏻‍♂️

Okay, so let me finally secure my internet by tapping “Secure Internet”. Hmm, what’s this—?

play WITHOUT installing? oh boy!

Up comes this incredibly generous offer to play a bubble shooter game *without *installing! Not sure what I did to deserve this amazing free gift, but it will have to wait. I tap the “X” to return to securing my internet.

Here’s the next screen:

Such generous. Much design. Very scam.

And obviously, I jump at the opportunity to “Instantly use full of smart anti-virus” by tapping “FREE TRIAL”. It’s free, after all.

Touch ID? Okay! Wait… let’s read the fine print:

“Full Virus, Malware scanner”: What? I’m pretty sure it’s impossible for any app to scan my iPhone for viruses or malware, since third party apps are sandboxed to their own data, but let’s keep reading…

“You will pay $99.99 for a 7-day subscription”

Uhh… come again?

Buried on the third line in a paragraph of text in small font, iOS casually tells me that laying my finger on the home button means I agree to start a $100 subscription. And not only that, but it’s $100 PER WEEK? I was one Touch ID away from a $400 A MONTH subscription to reroute all my internet traffic to a scammer?

I guess I was lucky I actually read the entire fine print. But what about other people?

Step 3: It’s All Starting to “Ad” Up… to Profit

It suddenly made a lot of sense how this app generates $80,000 a month. At $400/month per subscriber, it only needs to scam 200 people to make $80,000/month, or $960,000 a year. Of that amount, Apple takes 30%, or $288,000 — from just this one app.

At this point, you might still be in disbelief. Maybe you’re thinking: “Sure, just 200 people, but still, it seems highly unlikely that even one person would download this scammy looking app, much less pay for it.”

Maybe you wouldn’t download it. I certainly wouldn’t. But I’ve also never clicked on a Google Ad, yet Google somehow rode Adwords to $700 billion dollars today. “Mobile protection :Clean & Security VPN” is currently ranked #144 in most downloaded free productivity apps in the App Store, with an estimated 50,000 downloads in April.

To get 200 subscribers from 50,000 downloads, they just need to convert 0.4% to purchases — or maybe even fewer, because these subscriptions are automatically renewing, so the subscribers stack month over month. Can you really not imagine one of your tech-illiterate relatives accidentally (or even intentionally) subscribing to this “free trial” to protect their iPad from viruses?

But how did this app get 50,000 downloads in the first place?

I remembered reading that a large percentage of apps were discovered through app store search. So maybe, this app somehow had really good App Search Optimization. I searched the app store for “virus scanner”:

The first result is an ad for “Protection for iPhone — Mobile Security VPN”. Well, that sounds familiar. This isn’t the same app, but this one’s In-App Purchase is “Free Trial to Premium Protection” for $99.99, and it’s ranked #33 for Top Grossing in the Business category.

Turns out, scammers are abusing Apple’s relatively new and immature App Store Search Ads product. They’re taking advantage of the fact that there’s no filtering or approval process for ads, and that ads look almost indistinguishable from real results, and some ads take up the entire search result’s first page.

Later, I dug deeper to find that unfortunately, these aren’t isolated incidents — they’re fairly common in the app store’s top grossing lists. And this isn’t just happening with security related keywords. It seems like scammers are bidding on many other keywords. Here’s a search for “wifi”:

The top result is an ad for “WEP Password Generator”, a simple random string generator that charges $50/month. It’s already making $10,000 per month, despite being released in April. It’s likely a clone of this app, which indicates that yes, this scheme has become so large that scammers are copying each other.

Fixing the App Store: What You Can Do

Well first, if you’re reading this as a developer who also happens to have a less-than-average sense of morality, congratulations! You’ve just learned a (relatively) easy way to make tens of thousands of dollars on Apple’s App Store — at least until they change something. Otherwise, here’s a few suggestions:

1. Teach your less tech-savvy friends and relatives how to check and disable subscriptions. If they’re affected, have them get refunds.

2. Report scam apps when you see them with the iTunes Connect Contact Us form. Select “Feedback and Concerns” and “Report a Fraud Concern”.

3. Signal boost until Apple fixes this by sharing with friends and family.

Fixing the App Store: What Apple Should Do

It’s somewhat hard to believe that Apple isn’t aware of this problem, since these apps aren’t small frys — they’re all over the top lists on the App Store. It could be that they simply don’t consider it a big enough problem to deal with it, or that it just happens to be a very profitable problem for their Search Ads and App Store platforms. Either way, here are some suggestions:

1. Remove Scams and Refund Users: The most obvious. Simply hire someone to proactively and regularly scroll through top apps and remove scams. As you can tell from above, these are not hard to spot at all. And for people who have purchased scam subscriptions, automatically and fully refund all of those past purchases.

2. Better UI on Touch ID Subscriptions: Don’t use small, fine print with the price buried in the text (see “Free Trial” screenshot above). The price should be much more prominent, with possibly a required 5-second delay before a purchase can be made. As a bonus, maybe show the app’s most useful/recent ratings or reviews here.

3. Stricter Review of Subscriptions: How do in-app purchases called “Full Virus, Malware Scanner” get approved by app review for $400 per month? Is anyone home? When a layperson sees this name in an email receipt with a slick green badge icon, they probably don’t cancel it because it looks as official as their Apple Music receipts. And for some apps like this one, despite its in-app purchase being named “Free Trial to Premium”, it wasn’t a trial at all — it was an immediate purchase.

4. Prompt for Delete Subscription on App Deletion: Many 1-star reviewers on scam apps said they were getting charged even though they deleted the app. To most people, that’s the way it should work — so why doesn’t it work that way? When a user deletes an app, ask the user if they want to also cancel their subscription. Of course, confirm it again so they don’t accidentally cancel their Netflix.

5. Easier Cancellation of Subscriptions: Subscriptions are so difficult to cancel, it’s almost as if the design-focused Apple intentionally made it hard. On iOS 10, cancelling a subscription is literally a nine step process*. *Even installing a third-party keyboard is easier (six steps). Make this simpler, please. And no, the tiny “Report a Problem” button on email receipts isn’t enough. (Update: I’m actually unable to refund one of the scam subscriptions, even through the official Apple links.)

6. Fraud- and Abuse-Proof Search Ads: Part of what makes this scam easy to run is the how new Store Search Ads are. Many regular users probably don’t even know they’re clicking an ad. At the least, Apple should review ads for potential fraud before running them (Facebook and Google both do this), and make it more obvious that the top result is an ad.

7. Fine and Take Legal Action: This suggestion is last because it’s unlikely Apple will do it. There’s currently no incentive not to build scam apps. The worst that can happen is getting your account deleted — which doesn’t matter, because you still keep the ill-gotten profits, and you can still make a new account and do it again. Create a deterrent effect by fining and taking legal action against the worst offenders.

Final Note

App developers take pride in the fact that if their creation adds value, or improves peoples’ lives in some way, then people will be happy to pay for it, and everybody benefits. Not only that, but making good apps requires design, engineering, and sales skills, as well as a ton of dedication and hard work.

So, aside from the obvious moral wrongs of exploiting the vulnerable for profit, it’s extremely disheartening to know that some developers are becoming financially successful the easy and unethical way — by making bogus apps that take a few hours to code, and whose functionality is purely to steal from the less well-informed.