Key findings
- Apple earned the largest score improvement of any company in the Index, but still lagged behind most of its U.S. peers due to its failure to disclose policies affecting users’ freedom of expression.
- Apple improved its commitments to users’ privacy in a number of areas, including its disclosure of options users have to control how their information is used for targeted advertising. It was also the only company in the Index to clearly disclose that it does not track users across third-party websites.
- Apple improved its disclosure of its policies for responding to data breaches, but its disclosure of other security policies and practices still fell short.
Analysis
Apple placed seventh out of the 12 internet and mobile ecosystem companies evaluated, disclosing less about policies and practices affecting freedom of expression than most of its U.S. peers. The company earned the largest score improvement in the 2018 Index, due to improved transparency reporting and disclosure of its policies affecting user privacy. However, Apple still received the lowest score of all U.S. internet and mobile ecosystem companies evaluated due to its lack of disclosure of policies affecting users’ freedom of expression. Despite improvements to its transparency reporting, Apple still provided no data about government requests to remove apps from its App Store, or data on content or account restrictions the company undertook to enforce its own rules. U.S. law prevents companies from disclosing the exact number of government requests for stored and real-time user information they receive, which prevented Apple from being fully transparent in that area.
- Strengthen commitments to freedom of expression. While the company made significant improvements to its disclosure of policies affecting users’ privacy, it needs to improve its disclosure of commitments to freedom of expression.
- Clarify role in policing content. Apple should disclose more information about its own decisions to remove content that violates the company’s terms, as well as data on government requests it receives to remove apps from its App Store.
- Be more transparent about handling of user information. Apple should clarify what types of user information it collects, shares, and retains, and for what purpose.
Apple Inc. provides computers, smartphones, and other devices, and also produces iOS operating system software and application software. Services include iMessage, a messaging application that works across Apple devices, and iCloud, a cloud storage service.
Governance
Apple scored below most of its peers in the Governance category, with the lowest score on this set of indicators of any U.S. company in the Index. Still, the company significantly improved its governance score in the 2018 Index, primarily due to a new “Privacy Governance” policy that more clearly outlines Apple’s privacy commitments, though it made no similar clarifications regarding its commitments to freedom of expression. The company strengthened its commitment to respect user privacy as a human right (G1) and clarified its oversight of privacy risks at the senior management level (G2), though it did not publish similar disclosure with regard to freedom of expression. It also disclosed it conducts impact assessments to examine privacy risks associated with its products and services (G4), and that it engages with stakeholders on privacy-related issues (G5). Like its peers, Apple offered little evidence of a substantive grievance and remedy mechanism enabling users to submit complaints against the company for infringement of their freedom of expression or privacy (G6).
G1. Policy commitment
Apple improved its commitment to privacy as a human right.
G2. Governance and management oversight
Apple improved its disclosure of its oversight over privacy issues within the company.
G3. Internal implementation
The company clarified that it offers employee training on privacy and has a whistleblowing mechanism for employees to report privacy concerns.
G4. Impact assessment
Apple improved its disclosure of its privacy risk assessment practices, stating that the company considers how laws may impact user privacy, and that it conducts assessments of privacy risks associated with new and existing products and services.
G5. Stakeholder engagement
The company clarified it engages with civil society on privacy issues.
Freedom of expression
Apple revealed little about policies and practices affecting freedom of expression, scoring below all other U.S. companies but performing better than Mail.Ru, Samsung, Yandex, Tencent, and Baidu.
Content and account restrictions: Apple disclosed less than all other internet and mobile ecosystem companies, except for Chinese company Baidu, about what the rules are on its different services and how they are enforced (F3, F4, F8). While it provided some information about what is prohibited (F3), it disclosed no data about the volume or nature of content or accounts it restricted to enforce its rules (F4). It also did not disclose whether it has a policy to notify users when it restricts content or accounts (F8).
Content and account restriction requests: Apple significantly improved its disclosure of how it handles government and private requests to restrict content or accounts (F5-F7), but still disclosed less than its U.S. peers. It disclosed its processes for responding to government requests (F5), and provided data on the number of account restriction requests it received from governments, broken down by country (F6). But it failed to provide data on requests it received to remove content, such as apps in its App Store. It also disclosed nothing about requests it received through private processes (F7).
Identity policy: Users and app developers access Apple services using an Apple ID account. Apple disclosed it might require Apple ID users in certain jurisdictions to verify their identity with their government-issued identification, in compliance with local law (F11).
F2. Changes to terms of service
The company’s F2 score declined due to a change in the iCloud terms of service, which made it less clear whether the company notifies iCloud users of changes to the terms and the method of notification.
F5. Process for responding to third-party requests for content or account restriction
Apple more clearly disclosed its process for responding to account restriction requests it received from non-judicial entities, via court orders and from foreign jurisdictions. The company also clarified the legal basis for responding to government requests and committed to carry out due diligence and push back on overbroad requests.
F6. Data about government requests for content or account restriction
Apple improved its disclosure of the number of account restriction requests it received per country, as well as the number of accounts affected by each request.
Privacy
Apple received the third-best score among internet and mobile ecosystem companies in the Privacy category, disclosing less than Google and Microsoft, but more than Twitter and Facebook.
Handling of user information: Like its peers, Apple fell short of clearly explaining how it handles user information (P3-P9). The company did not adequately disclose each type of user information it collects (P3), shares (P4), for what purpose (P5), and for how long it retains it (P6). The company improved its disclosure of options users have to control how their information is used for advertising purposes (P7), but this suggests that targeted advertising is on by default. Apple was the only company in the Index to clearly disclose that it does not track users across third-party websites (P9).
Requests for user information: Apple disclosed less than Google and Microsoft but more than the rest of its peers about its process for handling government and private requests for user information (P10-P12). Like most companies, Apple disclosed information about its process for responding to government requests but nothing about private requests it receives (P10). It disclosed data on the number of government requests it received by country, requests it received via court orders, and requests for content vs. non-content data (P11). However, Apple did not disclose the exact number of requests received for stored or real-time user data, or what actions it took in response to these requests, because it is prohibited by law from doing so.
Security: Apple disclosed more than any other internet and mobile ecosystem company other than Google about its security policies, but still fell short in key areas. It did not fully disclose its internal security oversight processes, including whether it commissions external security audits on its products and services (P13). However, it made notable improvements to its disclosure of how it handles data breaches, and was the only internet and mobile ecosystem company to receive any credit on this indicator (P15).
P7. Users’ control over their own user information
The company improved its disclosure of options users have to control how their information is used for targeted advertising, providing them with detailed information on how they can opt out of both interest-based and location-based advertising.
P8. Users’ access to their own user information
Apple improved its disclosure of options users have to obtain a copy of the personal information the company holds about them.
P11. Data about third-party requests for user information
Apple improved its disclosure of the number of government requests it received for content and non-content data, as well as requests received through court orders in criminal and civil cases.
P15. Data breaches
Apple improved its disclosure of its policies for responding to data breaches.