Google, better not trust the privacy policies on its app store

Google, better not trust the privacy policies on its app store


It's virtually impossible to keep track of what all the mobile apps we download do, what data they share, and with whom, or when, they do it. This is why in the last couple of years Apple and Google have added mechanisms to their app stores that work as a sort of privacy nutrition label, giving users some insight into how apps behave and what data they can share. These transparency tools, however, are populated with information entered by the app developers themselves. A new study analyzing Google Play Store data security information indicates that the details provided by developers are often inaccurate.

The report

Researchers from the non-profit software organization Mozilla – the same behind the Firefox search engine – examined the data security information of the forty most downloaded apps from the Google app store, rating them as "poor", "needs to improve" or "ok". The judgments were based on the degree of alignment between the information on data security and that contained in the privacy policy of each app. Sixteen of the forty apps, including Facebook and Minecraft, received the lowest rating, while fifteen apps were given an average grade. Among the latter are the Instagram and WhatsApp apps, owned by Meta, but also YouTube, Google Maps and Gmail, which are controlled by Google. Among the six apps that received the highest rating were Google Play Games and Candy Crush Saga.

" When you arrive on the Twitter or TikTok app page and click on Data Security, the first thing you see is that these companies claim they do not share data with third parties. This is ridiculous: "You can tell right away that something's wrong," says Jen Caltrider, project manager at Mozilla. if he read, he would surely come away with a false sense of security".

Google requires all developers who want to place their app on the Google Play Store to fill out a data security form. The idea behind the measure is that developers have the information about how their product handles data and interacts with other parties, and not the app store that facilitates its distribution.

" If we become aware that a developer has provided inaccurate information in the data security form and violates our policy, we ask them to correct the issue to bring it into compliance. Non-compliant applications are subject to controls," Google told Mozilla researchers. The company did not respond to US's questions about the nature of its checks or their frequency.

Google's response

However, Google rejects the methodology used by the researchers : " This report confuses company-wide privacy policies, which are intended to cover a variety of products and services, with individual data security labels, which inform users about the data collected by a specific app – the company specifies in a release – The arbitrary ratings the Mozilla Foundation has given to apps are not a useful measure of safety or labeling accuracy, given flawed methodology and lack of supporting information.”

In other words, Google claims that Mozilla researchers misunderstood the scope of the privacy policy they were looking at, or even consulted the wrong policy. In contrast, the researchers claim that the privacy policies used in their analysis are exactly the policies each developer links to on the Google Play Store, which would indicate that they do indeed apply to the apps in question.

" The response from Google in our research highlights precisely the problem that we have highlighted - explains Caltrider of Mozilla - Which information consumers can trust and rely on if the information declared by app developers in the Data Security section is different from the privacy policies linked to on the same page as the app? Ultimately, our goal is to help Google give consumers what they need to make informed decisions about their privacy. This starts with improving information about data security by of Google ".

Waivers and poor reliability

Mozilla's report also illustrates how the current Google's data security module creates blind spots and opportunities that allow developers to withhold information about how their apps behave and share user data. For example, the form provides broad waivers on reporting where developers share user data with "service providers" and for "specific legal purposes". The researchers found that the definitions Google uses for the words "collection" and "sharing" are limited, which means that developers may not be required to report activities that users might consider data collection and sharing. Mozilla also points out that Google does not require app developers to disclose data collection if the information is anonymised. This is especially noteworthy when considered in the context of the debates about whether data can truly be anonymized and the many precedents where developers have made mistakes trying to anonymize data.

Google and Mozilla point out that Google Play's data security mechanism is still new. Researchers say it can be refined and thus become a valuable indicator for users. But without urgent change, they argue, information about data security is currently doing more harm than good, giving users an inaccurate picture of what's going on inside their apps with regards to privacy.

This article originally appeared on US.

Powered by Blogger.