WWDC23: Get started with privacy manifests | Apple

00:00

♪ ♪

00:10

Tony: Hi, I'm Tony from Privacy Engineering.

00:13

Welcome to "Get started with Privacy Manifests."

00:16

At Apple, we believe privacy is a fundamental human right.

00:21

In addition to techniques like data minimization,

00:24

a key part to bring this value to life

00:26

is to make sure people have transparency and control.

00:29

To support this, we now provide new tools to make it even easier for you

00:33

to provide accurate Privacy Nutrition Labels

00:36

and integrate App Tracking Transparency.

00:39

This is because the apps you build are integral parts of people's lives.

00:44

There are many apps to choose from, and as a refresher,

00:48

Privacy Nutrition Labels help people learn more about how your apps

00:52

collect and use their data.

00:55

People often want to know:

00:57

What are the categories of data that apps collect about them?

01:01

Is data used to track them?

01:03

Is data linked to them?

01:05

Privacy Nutrition Labels demonstrate the great privacy work

01:08

that you've done in your apps,

01:10

and they give people the information they need to make great choices.

01:14

For all new and updated apps on the App Store,

01:17

developers like you have been providing Privacy Nutrition Labels.

01:22

And you've been using App Tracking Transparency

01:24

to give people control over when their data is used to track them.

01:28

It's now easier for you to provide accurate Nutrition Labels

01:32

and integrate App Tracking Transparency.

01:35

You are responsible for all code included in your apps,

01:38

per the App Store Review Guidelines.

01:40

This includes any data collection and tracking practices.

01:44

A large part of your app's privacy story often depends on third-party SDKs.

01:49

We have heard from developers like you that it can be challenging

01:52

to get all the information you need

01:54

from the great third-party SDKs that your apps depend on.

01:58

Privacy manifests are a new way for third-party SDK developers

02:01

to provide information about their privacy practices.

02:04

This information helps you accurately represent privacy in your app.

02:10

Third-party SDK developers can include a privacy manifest in their SDK.

02:15

They can create a new privacy manifest right from the Xcode navigator,

02:19

by creating a file named "PrivacyInfo.xcprivacy".

02:25

This file is a property list that declares what data types the SDK collects,

02:30

how each data type is used,

02:32

whether they are linked to the user,

02:34

and whether they're used for tracking

02:36

as defined by the App Tracking Transparency policy.

02:40

Taking a closer look at this manifest,

02:42

the Example Sharing SDK is listed as not tracking.

02:47

It collects name and user ID, linked to the user,

02:50

for both app functionality and product personalization.

02:55

It also collects photos or videos,

02:57

linked to the user, for just app functionality.

03:02

Check that the privacy manifest matches your understanding

03:05

of the third-party SDK's functionality.

03:08

The definitions for types of data and data use for privacy manifests

03:12

are the same as for the Nutrition Label,

03:14

so refer to the Apple developer documentation on app privacy details.

03:20

And the new privacy report brings all this information to one place.

03:25

Let me show you how that works.

03:28

When you're building your app to submit to the App Store,

03:31

Xcode 15 can aggregate all the privacy manifests in your app's project,

03:36

and produce a privacy report that summarizes the declared data uses.

03:40

To view this, go to Xcode Organizer,

03:43

show the context menu for an archive,

03:46

and select "Generate Privacy Report."

03:51

The privacy report is a PDF and easy to use.

03:54

It is organized in a similar way to Privacy Nutrition Labels.

03:58

So you can easily reference this report

04:01

when you provide your app's privacy details in App Store Connect.

04:05

This helps you review, understand, and describe the privacy practices

04:09

of your app and its dependencies.

04:14

To learn more about Nutrition Labels,

04:16

watch the WWDC22 video: Create your Privacy Nutrition Label.

04:23

Another feature of privacy manifests is helping you manage tracking domains,

04:28

by making it easier for you to understand

04:31

and control network connections from your app.

04:35

While you don't intend to track people without their permission,

04:38

there may be edge cases that create un-intended network connections

04:41

to domains that are used for tracking.

04:44

For example, many third-party SDKs check tracking permission status

04:48

before tracking people.

04:49

However, some third-party SDKs rely on you to manually disable tracking

04:54

when the user has not granted permission.

04:57

The third-party SDK might default to tracking

05:00

unless you specify otherwise,

05:02

either through a function in their library,

05:04

or some configuration change.

05:06

This could lead to edge cases.

05:08

To make it easier for you and third-party SDK developers

05:11

to avoid tracking people without their permission,

05:14

privacy manifests that declare tracking include tracking domains.

05:18

In cases when a user has not provided tracking permission,

05:21

iOS 17 automatically blocks connections to tracking domains

05:25

that have been specified in any privacy manifest included in your app.

05:29

This helps you eliminate those edge cases.

05:32

In addition to the privacy manifests included in third-party SDKs,

05:37

you can also choose to create a privacy manifest for your app,

05:40

which may also include tracking domains.

05:44

By preventing accidental connections,

05:46

this feature helps to preserve your intention to not track users

05:49

without their permission.

05:51

Tell iOS your tracking domains, and the system will help.

05:56

For more information about tracking,

05:58

visit the Apple Developer website,

06:00

or watch the WWDC22 video,

06:04

Explore App Tracking Transparency.

06:08

In some cases, domains may be used for both tracking

06:11

and non-tracking functionality.

06:14

An approach that you or a third-party SDK developer could take

06:18

is to separate the functionality into different host names.

06:22

For example, you can host tracking functionality at tracking.example.com,

06:27

and non-tracking functionality at non-tracking.example.com.

06:32

Then, declare tracking.example.com

06:35

as a tracking domain in the privacy manifest.

06:39

You may not always realize if your app, or a third-party SDK,

06:43

is connecting to a tracking domain.

06:45

In Xcode 15, the Points of Interest instrument

06:48

can help you with this during your testing.

06:51

It now shows connections to domains that may be following people

06:55

across multiple apps and websites to combine their activity into a profile.

07:01

This puts you in the driver's seat,

07:03

and you can assess whether a domain is used for tracking

07:06

under the App Tracking Transparency policy.

07:09

If it is, then you or your SDK developer

07:13

should declare the domain as a tracking domain in the privacy manifest.

07:18

With the user's permission, tracking is allowed.

07:22

However, fingerprinting is never allowed.

07:25

Fingerprinting is using signals from the device

07:28

to try to identify the device or user.

07:31

Regardless of whether a user gives your app permission to track,

07:34

fingerprinting is not allowed.

07:37

There are existing APIs in our platforms

07:40

that have the potential of being mis-used for fingerprinting.

07:43

However, these APIs also provide powerful user experiences

07:47

when accessed appropriately.

07:49

To support important use cases that benefit the user

07:52

while avoiding fingerprinting,

07:54

there is a new category of APIs called Required reason APIs.

08:00

We have begun by grouping these APIs into categories,

08:04

taking into consideration their functionality

08:06

and the information they provide.

08:09

For each category, there is a list of approved reasons

08:12

to access these APIs, based on their use cases.

08:16

For example, one Required reason API is NSFileSystemFreeSize,

08:21

which indicates the amount of free space on the file system.

08:25

One of its approved reasons supports using this API

08:28

to check whether there is sufficient disk space before writing files to disk.

08:33

The list of Required reason APIs and approved reasons,

08:36

including any future updates,

08:38

is published in the Apple developer documentation.

08:43

The total number of Required reason APIs is small,

08:47

but it is likely that you use one or more of them.

08:50

If you have a use case for an API category that is not already covered

08:54

by an approved reason,

08:55

and the use case directly benefits the user,

08:58

the documentation will link to a feedback form where you can let us know.

09:04

To protect users from possible fingerprinting,

09:07

apps and SDKs are allowed to access

09:09

the Required reason APIs only for the approved reasons.

09:13

Data returned from these APIs may not be used for other purposes.

09:18

To help you clearly state why you use Required reason APIs,

09:22

and to make it easy for third-party SDK developers to do the same,

09:27

privacy manifests include this information.

09:30

An app or third-party SDK that accesses a Required reason API

09:34

declares the API category, and all of its reasons for using the API.

09:39

These must be selected from the list of approved reasons for that category.

09:45

Just like Nutrition Labels in the App Store,

09:47

which help people make choices about your app,

09:50

privacy manifests help you make decisions about your dependencies.

09:54

Each privacy manifest also gives you a better picture

09:57

of your app's privacy story by making the Xcode privacy report more complete.

10:02

It's a great idea to leverage third-party SDKs that provide privacy manifests,

10:07

and SDK authors can add manifests to existing versions of their SDKs.

10:13

Looking at the app ecosystem,

10:15

we have identified some third-party SDKs

10:17

that have particularly high impact on user privacy.

10:21

These are called privacy-impacting SDKs.

10:24

A list of these third-party SDKs, and any future updates,

10:28

is published in the Apple developer documentation.

10:32

Because it is especially important for you to get information

10:36

from privacy-impacting SDKs,

10:38

apps that include a privacy-impacting SDK

10:41

will be required to include a copy of that SDK with a privacy manifest.

10:46

Xcode 15 also supports SDK signatures,

10:49

which help you protect your app

10:51

and verify the integrity of third-party SDKs.

10:55

Including a signature is a best practice for all third-party SDKs.

10:59

To help you confirm that the developer you expect provided the privacy manifest

11:03

for privacy-impacting SDKs,

11:06

apps that include a privacy-impacting SDK

11:08

will also be required to ensure that the SDK is signed.

11:13

For more information about SDK signatures,

11:15

watch "Verify app dependencies with digital signatures."

11:20

Starting in Fall 2023,

11:23

App Store will check if new and updated apps

11:25

include a library from a privacy-impacting SDK.

11:29

If the privacy-impacting SDK does not include a signature and privacy manifest,

11:34

Apple will send an informational email to the app developer.

11:39

Apple will also send informational emails for apps

11:41

that access Required Reason APIs without declaring approved reasons.

11:47

Starting in Spring 2024, these will be expected and become part of App Review.

11:52

You'll need to address any issues before you can submit

11:54

new and updated apps to the App Store.

11:58

Okay, here's what's next.

12:01

App developers: Ask for SDK privacy manifests

12:05

from your third-party SDK developers.

12:07

Always refer to the Xcode privacy report when you are submitting your app

12:11

to keep your Nutrition Label up to date.

12:14

SDK developers: Adopt signatures and manifests.

12:18

These are super helpful to your customers.

12:21

All developers: Document and declare tracking domains

12:25

and Required Reason API usage in your app or SDK's privacy manifest.

12:30

With the new privacy manifests, providing accurate, complete,

12:34

and clear privacy information to your users will be easier than ever.

12:39

Thanks for watching.

12:41

♪ ♪