Strange that they do not actually disclose which brands have the high levels, and not sure I understand the logic in this statement:
“We do not disclose the names of companies we test in order to maintain fairness and consistency and to avoid potential conflicts of interest,” Bowen said.
Also note that later in their document (page 8) they do list brands that they certify as clean:
https://cleanlabelproject.org/wp-content/uploads/CleanLabelP...
One cynical take I read on this is that this is a way to get more companies to sign up for their certification.
The charitable reading is that this was done as a blinded study, so the testers/researchers would not know and would prevent bias in the testing and data analysis.
There should be a way to unblind in most experiment designs though
And some kind of legal penalty for the engineers as well. Just fining the company does nothing to change the behavior of the people who built it in the first place.
Joining in with some other comments on this thread, if the stamp of a certified person was required to submit/sign apps with more than 10K or 100K users and came with personal risk and potential loss of licensure, I imagine things would change quickly.
I'm personally not for introducing more gatekeeping and control over software distribution (Apple/Google already have too much power). Also not sure how you'd make it work in an international context, but would be simple to implement for US based companies if Apple/Google wanted to tackle the problem.
I think the broader issue is that we as a society don't see data exposure or bad development practices as real harm. However, exposing the addresses and personal info of people talking about potentially violent, aggressive or unsafe people seems very dangerous.