Apple attached unverified privacy label to Beijing's Olympics App with security flaws
Apple's practice of not verifying privacy policies has been persistent from the start.
If you go to the App Store and try to download China's official Winter Olympics app, My 2022, Apple tells you that "the developer does not collect any data from this app". But if you read the details, it says that this was "indicated" by the developer and not verified by Apple.
But if you read the developer's privacy policy, which is in Chinese, it says at the beginning "we may collect related personal information of yours". I don't know if this contradicts "does not collect data from this app" but it's at least very confusing.
https://my2022.beijing2022.cn/fdfsdownload/group1/M00/00/64/wHw7iGF6BEGAQN5BAACZVT8MjNg94.html
If you keep reading, in Chinese, you'll learn that the developer collects "personal information including name, national identification number, phone number, email address, profile picture, and employment" from domestic users, as found by @citizenlab, and "demographic information and passport information (i.e., issue and expiration dates) as well as the organization to which they belong" from international users.
https://citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/
BUT you wouldn't know any of this if you don't read Chinese and don't usually go out of your way to find apps' privacy policies, because when you tap the privacy policy link on My 2022's App Store page, it shows "404 not found".
The IOC defends My 2022: "the app has received approval from the Google Play store for Android phones and the App Store for Apple phones". This is, again, misleading and confusing, as Apple has stated clearly that it has not verified the app's privacy practices.
https://www.dw.com/en/ioc-reacts-to-cybersecurity-concern-over-beijing-my-2022-phone-app/a-60466680
It turns out that the privacy label problem with the Winter Olympics' My 2022 app isn't anything new. It has been a persistent issue since Apple rolled out the privacy label policy at the end of 2020; @geoffreyfowler at WaPo wrote about it last year.
https://www.washingtonpost.com/technology/2021/01/29/apple-privacy-nutrition-label/
"Apple’s big privacy product is built on a shaky foundation: the honor system. In tiny print on the detail page of each app label, Apple says, 'This information has not been verified by Apple'", the article says.
And Apple's response to these concerns was: "Apple conducts routine and ongoing audits...and we work with developers to correct any inaccuracies. Apps that fail to disclose privacy information accurately may have future app updates rejected, or in some cases, be removed..."
Even the @EnergyCommerce committee in Congress sent a letter last year to @tim_cook and Apple upon learning of these concerns, asking for more details about the privacy label policy.
https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/Apple%20Letter%20re%20App%20Privacy%20Label%202-2021.pdf