- Apple had strong disclosure of privacy and security policies, but only limited disclosure of policies and practices affecting freedom of expression.
- Apple disclosed little about its rules and how they are enforced, and revealed no data about content removed—including apps removed from its App Store—as a result of government requests.
- It was the only company in the Index to clearly disclose it does not track users across third-party websites, and disclosed more about its encryption policies than all of its peers.
Apple placed seventh among the 12 ranked internet and mobile ecosystem companies in the 2019 Index.1 As in previous Index rankings, Apple’s low score relative to its U.S. peers was due to its lack of governance and oversight over human rights risks, and also lack of clear disclosure of policies affecting users’ freedom of expression.2 On privacy and security issues, Apple remains near the top of all ranked companies in this Index. It was the only company to clearly disclose it does not track users across the internet, and disclosed more about its encryption policies than its peers. For its mobile operating system, Apple also disclosed more than Google’s Android and Samsung’s Android about options users have to control location tracking on iOS.
But Apple should be more transparent and accountable to users about policies and practices that affect freedom of expression: Of the user agreements evaluated in the RDR Index, Apple's were among the least accessible. It also lacked adequate disclosure about its rules and how they are enforced. While it disclosed data about government requests to restrict accounts, it disclosed no data about content removal requests, such as requests to remove apps from its App Store.
Apple, Inc. manufactures computers, smartphones, and other devices, and also produces iOS operating system software and application software.
Market cap: USD 957.8 billion3
- Improve governance and oversight: Apple should disclose a commitment to respect freedom of expression as a human right, and put processes in place to strengthen institutional oversight over freedom of expression issues at the company.
- Be transparent about restrictions to freedom of expression: Apple should make its terms of service easier to find and understand. It should publish data about actions it takes to enforce its own rules and actions it takes to remove content as a result of government and other third party demands.
- Clarify handling of user information: Apple should clarify what types of user information it collects, shares, and retains, and for what purposes.
For the third year in a row, Apple had the lowest governance score of any U.S. company evaluated in the Index. It disclosed a clear commitment to respect privacy as a human right (G1) but made no such commitment to freedom of expression. Apple clearly stated that senior leadership exercises oversight over how its policies and practices affect privacy (G2) but failed to reveal if there is similar oversight over freedom of expression issues. Apple disclosed that it assesses privacy risks associated with new products and services, however, it did not disclose if it assessed risks regarding its use of automated decision-making or targeted advertising (G4). Like most of its peers, Apple disclosed little about its grievance and remedy mechanisms for users to submit complaints against the company for infringement of their freedom of expression or privacy (G6).
No score changes
Freedom of Expression
Apple revealed little about policies and practices affecting freedom of expression, scoring below all other U.S. companies in this category. Apple’s user agreements for the services evaluated were the least accessible of all other internet and mobile ecosystem companies (F1)—including the Chinese and Russian companies—and did not specify if and how it notifies users of changes to these terms (F2). Apple also disclosed less than all other U.S. internet and mobile ecosystem companies about its rules and processes for enforcing them (F3, F4, F8). While it provided some information about what content and activities are prohibited across its services (F3), Apple disclosed no data about content it removed or accounts it deactivated as a result of violations of these rules (F4).
Apple was less transparent about external requests to restrict content or accounts than most of its U.S. peers, except for Facebook (F5-F7). It only disclosed data about the number of government requests to restrict or delete accounts that it received, but gave no data about content removed as a result of these requests, including data about apps removed from its App Store (F6). Like many companies, Apple failed to provide any information or data about content and account restriction requests it received through private processes (F7).
F6. Data about government requests for content or account restriction
Apple made its data about government requests for account removals more accessible by providing the data in a structured format.
Apple tied with Google for the second-highest score (after Microsoft) in the Privacy category, and had especially strong disclosure of its security policies. Like most of its peers, Apple fell short of clearly explaining how it handles user information, disclosing less than Twitter, Google, Verizon Media, and Facebook (P3-P9).4 It did not fully disclose each type of user information it collects (P3), shares (P4), for what purpose (P5), and for how long it retains it (P6). However, Apple was the only company in the Index to clearly disclose that it does not track users across third-party websites (P9).
Apart from Google and Microsoft, Apple was more transparent than other internet and mobile ecosystem companies about its process for handling government and other external requests for user information (P10-P12). It disclosed some information about its process for responding to government requests but no similar disclosure could be found regarding the private requests it received (P10). Apple tied with Twitter and Facebook for its disclosure of data about third-party requests for user information it received and complied with (P11). Like other U.S. companies, Apple did not divulge the exact number of requests received for user data under Foreign Intelligence Surveillance Act (FISA) requests or National Security Letters (NSLs), or the actions it took in response to these requests, since it is prohibited by law from doing so.5
Apple disclosed more than any other internet and mobile ecosystem company about its security policies, but still fell short in key areas. It disclosed some information about its internal security oversight processes but provided no information about whether it commissions external security audits on its products and services (P13). However, it made notable improvements to its disclosure of how it encrypts user communications for iOS, iMessage, and iCloud (P16).
P1. Access to privacy policies
P11. Data about third-party requests for user information
Apple made its data about third-party requests for user information more accessible by providing the data in a structured format.
P16. Encryption of user communication and private content (internet and mobile ecosystem companies)
Apple improved its disclosure of how it encrypts user communications for iOS, iMessage, and iCloud.
 For Apple’s performance in the 2018 Index, see: rankingdigitalrights.org/index2018/companies/apple
 Bloomberg Markets, Accessed April 18, 2019, www.bloomberg.com/quote/AAPL:US
 Oath, which provided a range of communications services including Yahoo Mail and Tumblr, updated its name to Verizon Media on January 7, 2019. See: www.oath.com/2019/01/07/oath-is-now-verizon-media
 “USA FREEDOM Act of 2015,” Pub. L. No. 114–23 (2015), www.congress.gov/bill/114th-congress/house-bill/2048