A privacy issue has gotten quite a bit of attention in recent days. At issue is the type of data Google Play users are unknowingly giving to developers each time they download an app.
According to Australian developer Dan Nolan, Google provides individuals like himself a user’s email address, city location, and sometimes their full names when a purchase is made. Additionally, this information is forwarded even when an order is canceled.
Nolan believes that armed with this information, developers could go after users that leave bad reviews. Because of this, he concludes that at the very least, Google should better inform customers of this situation. Better still, the company should provide an opt out feature during the download process.
With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase. The problems on android of app permissions (and subsequent potential for malware aside) is one of active negative behaviour on the part of an app developer.
In conclusion, he says: “This is a massive, massive privacy issue Google. Fix it. Immediately.”
The reason this issue has upset privacy experts, and probably quite a few Google Play users too, is that Google doesn’t implicitly mention to users that these types of data transactions are occurring.
For example, within the policy, Google states:
We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.
This sounds about right, if it actually covered information such as email, city location, etc.
Instead, this “sensitive personal information” refers to “confidential medical facts, racial or ethnic origins, political or religious beliefs or sexuality.”
The only place in the policy where Google does mention that a user’s email and mailing address may be shared with others is when magazine subscriptions are referenced.
Here, Google states:
If you purchase a subscription of any length on Magazines on Google Play, Google will share your name, email address, mailing address and a unique identifier with the magazine’s publisher.
In Google Play, each developer acts as their own merchant. As such, those who buy an app from Google Play are purchasing directly from the developer, and the user’s personal information is sent for billing and tax purchases.
Apple, however, acts as the sole merchant on record for the company’s App Store. As a result, third-party developers see no personal information.
The only time that this is slightly different is when a user buys a magazine subscription in iTunes. Here, users are given a choice whether to provide the publisher with their name, email address, and zip code.
Although Google probably has enough legal cover to share personal information after each app transaction, they should almost certainly do a better job at spelling this out to users. Better still, give users an opt out. As it stands now, Google looks to have buried this information, which is never a good thing.
Apple and Google have often been accused of not protecting a user’s private information. However, as you can see, it is Google that still has a lot of work to do.