Hey developer community / CloudKit fans,
I'm making an application that utilizes CloudKit's identity system to provide my users a 'social' aspect of the app as well as their own identity. When filling out my App Privacy label, I'm torn if I should disclose Contact usage or not.
https://developer.apple.com/documentation/cloudkit/ckcontainer/1640421-discoverallidentities
Right now, I'm leaning to not specifying Contacts collection. Here are my thoughts:
- Data Collection defined by Apple, paraphrased, is transmitting data off device for longer than needed for the request.
How Apple implements the function of the CloudKit identity lookup is outside of our control as developers, however, it is reasonable to expect that Apple would not save your contact address book in CloudKit and the data does not live in CloudKit longer than it needs to.
- I don't access the Contacts app or API in the implementation.
Apple in fact use your contacts under the hood to service this request according to the documentation, however to the user, there is no contacts permission / access prompt for the application itself. The app doesn't get access to the full contacts db.
- When you receive a CKUserIdentity, the contacts identifier is just that, a lookup identifier string.
I'm not going further than just displaying the information on the user identity. I could back link the identifier to a contacts record, but I don't need to. If I did that, even then I would say no, because the operation all happens locally on device.
Does your app use CKUserIdentities? How did you answer the App Privacy question for Contacts?
If you have strong feelings one way or another, I'd love to hear your perspective.