I can’t speak for how this worked for Apollo, however I can explain the reasoning behind marking it like this.
Apple’s policy on whether something is linked to an identity or not:
Data collected from an app is usually linked to the user’s identity via these means, unless specific privacy protections are put in place before collection to de-identify or anonymize it, such as:
Stripping data of any direct identifiers, such as e-mail address or name, before collection.
Manipulating data to break the linkage and prevent re-linkage to real-world identities.
Additionally, in order for data not to be linked to a particular user’s identity, you must avoid certain activities after collection:
You must not attempt to link the data back to the user’s identity.
You must not tie the data to other datasets that enable it to be linked to the user’s identity.
Note: “Personal Information” and “Personal Data”, as defined under relevant privacy laws, are considered linked to the user.
Your auth token is (in my opinion) tied to your identity. With that auth token, we technically have access to your email address (among the rest of your Lemmy settings) because that data can be retrieved from the API using the same auth token. Note: “You must not tie the data to other datasets that enable it to be linked to the user’s identity.”
This is, to me, an issue that cannot be resolved because of the current state of authentication. It is not possible to request a “read only” scope, where we could simply have you create a new token for us to store that only gives us access to your notifications. Lemmy does not currently support this. This is also why there is a notification to users before enabling push notifications. We want to be completely transparent in what we could do with the data transmitted before you transmit it.
Now I might be wrong in my interpretation of the actual policies and what does constitute linking. If that is the case, I’m totally fine with someone correcting me and we can go from there.
Edit: Markdown messed that up.
Again, I should also note that the token transmitted to us is NOT a token that can be used for tracking. It is not unique to your device, and if you were to just uninstall the app this ID would change and you’d need to update it by re-enabling push notifications. However, Apple does not specify which device ID they refer to in this requirement, instead saying “Such as the device’s advertising identifier, or other device-level ID”
Edit 2: Also, for reference here is a list of possible reasons for using the device ID:
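The scope problem described in the post above, as an added example that is not the app’s code, the relay’s code, or anything from Lemmy: because Lemmy issues one full-privilege bearer token and cannot narrow it to “notifications only”, the only place a restriction can live is in the holder of the token. The sketch below models a push relay whose HTTP client refuses every path outside a small allowlist, so the same token that could fetch the account e-mail via the site endpoint is never allowed to. The endpoint paths, response shapes, instance name and token are assumptions modelled on Lemmy’s v3 API and constructed for the example; the fake transport stands in for a real instance so it runs offline.

```python
"""Illustrative push-relay egress allowlist (added example, not the app's or Lemmy's code).

The relay holds the user's full Lemmy JWT. The issuer cannot scope it down, so the
holder restricts itself: every outbound call goes through a client that only permits
the notification endpoints. Paths and response shapes are assumptions based on
Lemmy's v3 API and are not verified here.
"""
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlsplit

# Paths the relay legitimately needs. Anything else is refused before a request is
# built, so a coding mistake or a compromised relay process cannot reach the
# profile data (e-mail, settings) that the token would otherwise unlock.
ALLOWED_PATHS = frozenset({
    "/api/v3/user/unread_count",
    "/api/v3/user/replies",
    "/api/v3/user/mentions",
})


class ScopeViolation(Exception):
    """Raised when relay code tries to use the stored token outside the allowlist."""


# (url, headers, params) -> parsed JSON; injected so the example runs offline.
Transport = Callable[[str, dict, dict], dict]


@dataclass
class ScopedLemmyClient:
    instance: str          # constructed value, e.g. "https://lemmy.example"
    token: str             # the user's full-privilege JWT (encrypt at rest in a real relay)
    transport: Transport
    audit: list = field(default_factory=list)   # every allow/block decision, for logging

    def get(self, path: str, **params) -> dict:
        if path not in ALLOWED_PATHS:
            self.audit.append(("blocked", path))
            raise ScopeViolation(f"{path} is outside the relay's allowlist")
        self.audit.append(("allowed", path))
        headers = {"Authorization": f"Bearer {self.token}"}
        return self.transport(self.instance + path, headers, params)


def fake_lemmy(url: str, headers: dict, params: dict) -> dict:
    """Constructed stand-in for a Lemmy instance. One valid token unlocks every
    endpoint, which is exactly why the token alone cannot be called unlinked."""
    if headers.get("Authorization") != "Bearer jwt-for-alice":
        return {"error": "not_logged_in"}
    path = urlsplit(url).path
    if path == "/api/v3/user/unread_count":
        return {"replies": 2, "mentions": 0, "private_messages": 1}
    if path == "/api/v3/site":   # assumed shape of an authenticated site response
        return {"my_user": {"local_user_view": {"local_user": {"email": "alice@example.org"}}}}
    return {"error": "couldnt_find_that_path"}


def unread_total(client: ScopedLemmyClient) -> int:
    """What the relay actually needs: a number to decide whether to push."""
    counts = client.get("/api/v3/user/unread_count")
    return counts["replies"] + counts["mentions"] + counts["private_messages"]


def token_can_read_email(token: str, transport: Transport,
                         instance: str = "https://lemmy.example") -> bool:
    """What the raw token permits when used WITHOUT the relay's allowlist."""
    resp = transport(instance + "/api/v3/site", {"Authorization": f"Bearer {token}"}, {})
    local_user = resp.get("my_user", {}).get("local_user_view", {}).get("local_user", {})
    return "email" in local_user


def relay_can_read_email(client: ScopedLemmyClient) -> bool:
    """The same request routed through the relay's client is refused."""
    try:
        client.get("/api/v3/site")
    except ScopeViolation:
        return False
    return True


if __name__ == "__main__":
    c = ScopedLemmyClient("https://lemmy.example", "jwt-for-alice", fake_lemmy)
    print("unread:", unread_total(c))
    print("raw token can read email:", token_can_read_email("jwt-for-alice", fake_lemmy))
    print("relay can read email:", relay_can_read_email(c))
    print("audit:", c.audit)
```

The allowlist constrains the relay’s own code paths, not the token: anyone who exfiltrates the stored JWT from the relay’s database still holds full account access, so the “linked to identity” label is accurate regardless of how disciplined the relay is. A real fix needs the issuer (Lemmy) to mint a token whose claims the server enforces; until then, a holder-side allowlist plus encryption at rest and a short retention window is the most the relay can do.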
I’d just like to say thanks for taking OP’s question so seriously and going beyond mere transparency and into genuine user education. Understanding your decision-making process on this is really awesome from a “can I trust this app?” perspective, in addition to the source code being open to all.
I love that we have this level of engagement. Well done team! If I could help out in some way, I would. But I’m but a lowly SQL/Python dev.
Keep up the great work
I am but a lowly PHP dev by day. Don’t hurt me 🫣