Ever wonder how much of your personal data your favorite iPhone apps use or give away? Thanks to a new study, you can quickly find out — and it may not be a surprise that Instagram and Facebook are among the “worst.”
Among the other “most invasive” apps (we’ll get back to that designation in a bit) are LinkedIn, GrubHub, Uber, Uber Eats, a Swedish shopping app called Klarna and a British train-ticket app called Trainline.
Among the “least” invasive were Microsoft Teams, Netflix, Signal, Telegram, Zoom and app-of-the-moment Clubhouse. None of them collected any data for marketing or advertising purposes for use by themselves or by third parties.
Swiss cloud-storage service pCloud generated these lists by checking out the App Privacy disclosures in the App Store, which Apple began to require in December 2020.
PCloud revealed what it found in a blog post earlier this month. It wasn’t clear from the blog post how many apps pCloud reviewed, though it clearly focused on well-known apps.
Specifically, pCloud counted how many times an app used personal data for in-house advertising or marketing, or for third-party advertising.
Apple lists the types of data disclosed by apps into 14 categories: Browsing History, Contact Info, Contacts, Diagnostics, Financial Info, Health and Fitness, Identifiers, Location, Purchases, Search History, Sensitive Info, Usage Data, User Content and Other Data.
The worst offenders
The Instagram app, said pCloud, shares 11 out of these 14 categories, or 79%, with third parties for purposes of selling ads. It uses 12 out of 14, or 86%, for its own advertising and marketing.
Instagram’s corporate stablemate Facebook matches that 86% score with its own app regarding in-house advertising and marketing, and comes in at No. 2 in the third-party sharing rankings with a 57% (8 out of 14) score.
The specific categories pCloud listed didn’t quite match up with what we can see in the U.S. version of the App Store — perhaps European privacy rules are creating different results on the other side of the Atlantic.
LinkedIn and Uber Eats shared third place among the apps that shared the most personal data with third parties, scoring 50% each. Just behind them were Trainline, YouTube and YouTube Music with 43% (6 out of 14) apiece.
Among apps that used the most personal data for their own marketing, third place went to Klarna and Grubhub, with 64% (9 out of 14) each; behind those were Uber and Uber Eats, with 57% each.
Even pCloud’s own iPhone app was not blameless. The service didn’t analyze it, but we looked it up in the App Store. The Pcloud app uses four categories of personal data — purchases, contact info, identifiers and usage data — for its own purposes.
That results in an invasiveness scores of 29% for in-house marketing and advertising, enough to place among Lyft, ESPN, Grindr and others. (The pCloud app shared no data with third parties.)
The pCloud blog post also contained a third ranking called “How much data each app is tracking overall.” Instagram and Facebook topped that as well, followed by Uber Eats, Trainline and eBay.
However, pCloud didn’t explain how it got the numbers for that chart, and we couldn’t figure out how. (Instagram scores 67%, less than the average of its other two scores.) We’ve asked pCloud about this, as well as how it determined which apps to analyze, and will update this story when we receive a reply.
How bad is this, and what can I do about it?
Now back to the designation of “invasive.” It’s hard to put clear definitions on privacy issues, because what seems invasive to one person might be completely fine to another person.
For example, I don’t really mind if third parties see what else I may have purchased on Instagram, but it does bother me that Instagram shared my financial information, contact info, contacts and search and browsing histories. You may feel differently.
You also have to bear in mind that these rankings are based entirely on what app developers have chosen to share with Apple. Apps that don’t fully disclose such information may be kicked out of the App Store, but that doesn’t mean they’re all being honest.
We already know that thousands of iPhone apps leak personal information from their back-end cloud servers. It’s a safe bet that many iPhone apps have privacy-leaking errors in their code that they’re not aware of.
Unfortunately, we’ll likely never know how many do because unlike Android, Apple doesn’t let you take apart and check any app’s code for errors or suspicious behavior.
The silver lining is that you can control much of what apps collect and share about you. When you first open an app, it will ask you for several permissions, which you can grant, deny, or grant only while the app is in use. (The third option is probably best.)
You can also go into your iPhone’s Settings app to fine-tune what an app collects about you, but the process isn’t as clear as it is when you first open an app.