New tool helps mobile app developers create more accurate iOS privacy labels
Ryan Noone
Oct 5, 2023
For over a decade, researchers at Carnegie Mellon University's CyLab Security and Privacy Institute have been working to pioneer privacy nutrition labels, advocating for a quick and easy way to show tech users how their data is being collected and used. In recent years, Apple has begun requiring app developers to disclose this type of information through privacy labels displayed in the iOS App Store. However, recent research has shown that app developers often struggle to create accurate privacy labels.
“Little guidance, a laundry list of confusing terms, and a lack of privacy expertise among app developers often result in developers creating inaccurate labels,” says Norman Sadeh, co-director of CMU’s Privacy Engineering Program and head of the Usable Privacy Policy Project.
“Inaccurate labels mislead users about the data an app might be collecting and how that app handles that data. In addition, it exposes app developers to regulatory penalties.”
To overcome this issue, Sadeh and his team have developed a new tool, Privacy Label Wiz (PLW), providing app developers with an easy-to-use, step-by-step resource to help effectively disclose their apps’ data practices.
“Privacy Label Wiz offers developers an efficient way to create accurate, user-friendly labels,” says Jack Gardner, a recent graduate of CMU's privacy engineering master’s program and a key contributor to the tool's development.
“Our tool not only generates a preliminary report based on its analysis of an app’s code, but also prompts developers for input to support the full consideration of their app’s functionality.”
After installing the tool, developers are asked to load their apps’ static code. The code remains on their machine and is never shared with anyone. Privacy Label Wiz then analyzes the code to identify likely data collection and use practices, including whether the app records financial information, browsing history, or the user’s location, or enables access to the device’s photos or camera, among others. The wizard also looks at whether sensitive data is shared with third parties such as advertisers or marketing companies, and more generally looks for other practices developers need to disclose in their iOS privacy labels.
Developers are then asked to review the tool’s analysis and confirm, modify, or supplement information about what data their app collects, how that data is handled, and with whom it can be shared, with the tool prompting app developers to answer additional questions as needed.
“In our research, we have found that developers often struggle with some of the terminology used by the iOS privacy labels and with the disclosure of a number of different data practices such as sharing sensitive data with third parties,” says Sadeh.
“Privacy Label Wiz is designed to systematically review a comprehensive list of questions with the developer and provide them with the support they need to more accurately disclose their app’s data practices.”
Privacy Label Wiz is now available for general public non-commercial use, with options for developers to commercially license the tool.
For media inquiries, please contact Ryan Noone at rnoone@andrew.cmu.edu
Privacy Label Wiz contributors
Core team members:
Jack Gardner, Akshath Jain, Yuayuan Feng, Norman Sadeh
Early contributors:
Kayla Reiman and Zhi Lin