AzureAD / microsoft-authentication-library-for-objc

Microsoft Authentication Library (MSAL) for iOS and macOS
http://aka.ms/aadv2
MIT License

Privacy concerns MSAL.framework: Name, E-mail, Phone, Other.. Linked to user identity #2093

Open Volodymyr-13 opened 5 months ago

Volodymyr-13 commented 5 months ago

I've recently incorporated the latest MSAL into my application, and upon generating a privacy report in Xcode, I discovered concerning data collection practices.

Screenshot

The extent of data collection outlined in the report is excessive and likely to unsettle my app's users when they encounter it on the App Store. Could you please assist in removing all data collection, tracking, and user identity linking functionalities?

Volodymyr-13 commented 5 months ago

Currently, my intention is to completely eliminate MSAL from my application. It's the primary source of data collection, including phone numbers and email addresses. Therefore, I need to specify this on my App Store page, indicating that my app will collect such information. I don't want potential users to perceive that my app is gathering their phone numbers or email addresses.

Volodymyr-13 commented 5 months ago

Ok, after removing this SDK I'm getting just this in privacy report:

Screenshot

This is NOT linked and just the minimum required. That's how it should be.

Also, I'm using the Google Drive and Dropbox SDKs to integrate their cloud services into my app.

oldalton commented 4 months ago

The MSAL SDK doesn't directly collect this information, but this information will be processed as part of the authentication and identity validation services that the MSAL SDK relies on. Any other SDK that does the same should have the same minimum set of privacy declarations, including your own app if it's calling Entra ID endpoints directly. By eliminating the MSAL SDK, you're not fundamentally changing the privacy stance of your app, as long as you still do authentication for your end users.

MiuraKairi commented 4 months ago

Privacy labels declared by MSAL may not be required to be disclosed, as it applies to Optional disclosure. ref: https://developer.apple.com/app-store/app-privacy-details/#:~:text=to%20your%20app.-,Optional%20disclosure,-Data%20types%20that

The same OAuth library, AppAuth-iOS, does not declare any privacy labels. Please consider and confirm the above information.

oldalton commented 4 months ago

Thanks for your input, @ika020202. One of the bullet points in the optional disclosure list is the following:

"Collection of the data occurs only in infrequent cases that are not part of your app’s primary functionality, and which are optional for the user."

and

"Examples of data that may not need to be disclosed include data collected in optional feedback forms or customer service requests that are unrelated to the primary purpose of the app and meet the other criteria above."

Verifying a user's identity is the primary functionality of both the MSAL and AppAuth SDKs, and that is considered primary functionality. Therefore, I don't think it qualifies as optional disclosure.

MiuraKairi commented 3 months ago

Thanks for the reply, @oldalton.

As you point out, it may not be possible to make all privacy information optional disclosure. However, I suppose there are excessive privacy declarations in relation to the following.

To speculate on the flow of privacy information between MSAL and the ID provider or the app:

MSAL to MS IDProvider

MSAL to App

It would be possible to omit some privacy label declarations, except for Identifiers privacy labels such as User ID, which are required in the above flow.