A preliminary look at privacy labels in iOS VPN apps

Posted on Jan 19, 2021 by Caleb Chen

Apple’s new privacy labels inform users about what information the app (VPN or otherwise) is sending back to the app’s developers – and for what purpose. There has been a lot of news, and users voting with their feet, over the last few weeks as a direct result of these privacy labels, particularly with encrypted messaging apps such as WhatsApp and Facebook Messenger. This is just a preliminary look at the differences between the data collection practices of different iOS VPN apps, and other researchers will undoubtedly share and update their findings as more VPN apps reveal their data collection practices via their app privacy labels.

Apple has split the privacy labels into two types depending on whether the information collected is used to track you, or is not linked to you and used for things like app functionality. For more information on what all this means technically, and some illustrative examples, do reference Apple’s official Privacy Definitions and Examples.


VPN Apps Privacy Labels: Data used to track you and Data linked to you

Apple defines data used to track you as:

“Tracking occurs when data collected about you or your device is linked with third-party data for targeted advertising or advertising measurement purposes. Tracking can also occur when data about you or your device is shared with a data broker.”

Similarly, Apple defines data linked to you as:

“Data that is linked to your identity (via your account, device, or other details).”

Private Internet Access has a strict no logging policy and does not store any data about your VPN or even VPN app usage, so there’s no possibility of third parties being able to track you.

VPN Apps Privacy Labels: Data not linked to you

In contrast, Apple defines data that is not linked to you as:

“Data that is not linked to your identity (via your account, device, or other details).”

An email address, to take Private Internet Access’s privacy label as an example, is listed under both the “Developer’s Advertising or Marketing” and the “App Functionality” categories as data that is not linked to you. The Private Internet Access VPN app uses a username and password to sign in, and the email address comes into play since every account is tied to an email address.

This is a preliminary look at what iOS VPN apps’ privacy labels reveal about data collection practices. As privacy becomes more mainstream, this is the type of information that consumers need to make an informed decision on which companies to trust.