iOS 8 and Privacy: Major New Privacy Features
iOS 8 includes several new privacy features founded on Apple’s core privacy principles of consent, choice and transparency. With these principles in mind, Apple created and incorporated increasingly granular controls for location, opportunities for developers to communicate to users how and why they use data, and limits on how third parties can track your device.
Users now have greater visibility regarding application access to location information.
In previous versions of iOS, apps could prompt users for permission to use Location Services, and, once a user gave an app access, the app could access the user’s location any time it was running, including when the app was not on screen (i.e. in the background). In iOS 8, Location Services has two modes: “While Using the App” – whereby the app can only access location when the app is on screen or made visible to a user by iOS making the status bar blue – or “Always.” Apps have to decide which Location Services mode to request and are encouraged by Apple to only request access “Always” location permission when users would “thank them for doing so.” In fact, iOS 8 will at times present a reminder notice to users if an app that has “Always” location permission uses Location Services while the app is not on screen.
Users will be able to limit access to their contacts.
In iOS 8, users can use a picker, controlled and mediated by iOS, that allows users to share a specific contact with an app without giving the app access to their entire address book.
Apps will be able to link directly to privacy settings.
With iOS 8, apps will be able to link directly to their settings, including their privacy settings, making it easier for users to control their privacy. Before, apps could only give instructions on how to go to the phone’s settings to change the privacy controls. This new feature makes control over privacy settings more accessible to users.
Apple’s new Health app implements additional protections for user’s health data.
Apple’s new Health app and HealthKit APIs give third party health and fitness apps a secure location to store their data and gives users an easy-to-read dashboard for their health and fitness data. Apple has implemented a number of features and safeguards to protect user privacy. First, a user has full control as to which apps can input data into Health and which apps can access Health data. Second, all Health data on the iOS device is encrypted with keys protected by a user’s passcode. Finally, developers are required to obtain express user consent before sharing Health data with third parties, and even then they may only do so for the limited purpose of providing health or fitness services to the user. These features and restrictions allow users to have control over their HealthKit data.
Apple requires apps accessing sensitive data to have a privacy policy disclosing their practices to users
Apple requires apps that utilize the HealthKit or HomeAPIs, offer third party keyboards, or target kids, to have a privacy policy, supporting industry standards and California law. App privacy policies should include what data is collected, what the app plans to do with that data, and if the app plans to share it with any third parties, who they are. Users will be able to see the privacy policy on the App Store before and after downloading an app.
iOS 8 places additional emphasis on disclosure of why developers want access to data.
Apple strongly encourages developers to explain why their apps request a user’s data or location when a user is prompted to give an app access. Developers can do so in “purpose strings,” which are part of the notice that appears when an app first tries to access a protected data class.
Apple’s iOS encourages a “just in time” model, where users should be prompted for access after they take an action in an app that requires the data. The “just in time” prompt and access flow is mediated by iOS and replaces consent models such as those consisting of strings of permissions that pop up after installation like a conga line or users having to give an app access to all data if they want to use an app. Moreover, Apple continues its practice of encouraging app developers to only ask for access to data when needed, and to gracefully handle not getting permission to access a user’s data.
MAC address randomization makes it more difficult to track and individualize iOS devices.
Wi-Fi enabled devices generally scan for available wireless networks. These scans include the device Media Access Control (MAC) address, which is a 12 character string of letters and numbers, required by networking standards to identify a device on a network and assigned by the manufacturer. Mobile Location Analytic companies have, at times, relied on these scans, and the fact that Wi-Fi devices’ MAC addresses do not change, to track individual mobile devices as they move around a venue.
In iOS 8, Apple devices will generate and use random MAC addresses to passively scan for networks, shielding users’ true MAC addresses until a user decides to associate with a specific network. Randomizing MAC addresses makes this kind of tracking much more difficult. However, your device can still be tracked when you are connected to a Wi-Fi network or using Bluetooth. FPF’s Mobile Location Analytics Code of Conduct governs the practices of the leading location analytics companies and provides an opt-out from mobile location tracking. Visit Smart-Places for more details or to opt-out.
Summary
iOS 8’s new “prompting with purpose” disclosures, refined location settings, strict requirements for HealthHit, HomeKit, and kids apps, and MAC address randomization will present greater transparency, protection, and control over privacy for iOS users.
