Apple placed seventh out of the 12 internet and mobile companies and ninth in the overall Index, scoring lower than any other U.S.-based company evaluated. This was the first year Apple was evaluated. Despite Apple’s high-profile stance in defense of users’ privacy, the company disclosed few commitments or policies that would indicate respect for users’ freedom of expression. For instance, the company provided little information about how it handles government or private requests to restrict content, and provided no data about government requests to remove apps from its app store. Apple also lacked disclosure of governance and accountability mechanisms around the implementation of its commitments and policies related to privacy or freedom of expression. Although considered an industry leader in user privacy and security, Apple’s commitments in this regard were not always clearly reflected in the company’s privacy-related policies across all of its services evaluated, particularly for Apple’s iOS mobile ecosystem.
Apple Inc. designs, manufactures, and sells a range of computers, smartphones, media players, and other devices. The company also produces operating system software (Mac OS for computers and iOS for mobile) and application software. Other services include iMessage, a messaging application that works across Apple devices and iCloud, a cloud storage service. Apple sells and delivers applications through its App Store.
Apple ranked 14th out of the 22 companies in the Governance category, with the lowest score on this set of indicators of any U.S.-based company.
While the company published a commitment to respect users’ privacy, it made no similar commitment to respect users’ freedom of expression (G1). It disclosed senior-level oversight over privacy issues but made no reference to similar oversight over freedom of expression issues within the company (G2). It disclosed no information about whether it conducts any form of human rights due diligence (G4) or evidence of engaging with stakeholders to address freedom of expression and privacy concerns (G5). The company also offered little evidence of a substantive grievance and remedy and grievance mechanism enabling users to issue complaints against the company for infringement of their freedom of expression or privacy (G6).
Apple ranked eighth among the 12 internet and mobile companies in the Freedom of Expression category, scoring slightly better than Mail.Ru and Samsung.
Content and account restriction requests: Apple provides less information on these indicators than most other internet and mobile companies, performing better only than Tencent, Baidu, Samsung, and Mail.Ru (F5-F7). Apple’s transparency report included data on requests it received to restrict users’ accounts but it disclosed very little information about its process for responding to requests to restrict content on its platforms, or data about these requests (F5, F6). Apple should disclose its processes for responding to requests it receives from governments to restrict apps in its app store, as well as the volume and nature of these requests, as these requests are becoming an increasingly prominent threat to freedom of expression around the world.
Identity policy: Apple disclosed it might require users in certain jurisdictions to verify their identity with their government-issued identification, in compliance with local law (F11).
Apple placed seventh out of the 12 internet and mobile companies evaluated, scoring lower than all U.S. companies in this category.
Handling of user information: Similar to other companies in the Index, Apple fell short of clearly explaining to users how it handles their information (P3-P9). The company did not fully disclose each type of user information it collects (P3), shares (P4), for what purpose (P5), and for how long it retains it (P6). Apple provided even less information regarding if and how users can obtain all the information the company holds on them (P8). However the company received the highest score of any company in the Index for clearly disclosing it does not collect user information from third-party websites through technical means (P9).
Requests for user information: Apple lagged behind most of its U.S. peers in its disclosure of government and private requests for user information (P10, P11), although no company received full credit on these indicators. Like most companies, Apple disclosed its process for responding to government requests but provided no information about whether or how it has handled requests from private parties (P10). In its transparency report it disclosed data on the number of government requests it received, broken out by country, but it did not list the number of requests received for real-time user data (only for stored content) (P11). If it does not respond to real-time access requests because user communications are end-to-end encrypted, Apple should state this.
Security: Apple disclosed less than Google, Yandex, and Microsoft about its security policies, despite consensus in the technical community is that its products are among the most secure on the market. Apple did not fully disclose its internal security oversight processes, including whether it commissions external audits on products and services (P13). Like most companies, Apple offered no information about its processes for responding to data breaches (P15). Apple’s disclosure regarding its encryption policies was notably better than most other companies evaluated (P16), disclosing that it encrypts users’ communications by default. For iMessage and the Apple mobile ecosystem, it disclosed that end-to-end encryption is enabled by default.