Google Privacy Android Mozilla

Data Privacy Labels for Most Top Apps in Google Play Store are False or Misleading, Mozilla Study Finds

Mozilla researchers find discrepancies between Google Play Store's Data Safety labels and privacy policies of nearly 80 percent of the reviewed apps. From the report: Google Play Store's Data Safety labels would have you believe that neither TikTok nor Twitter share your personal data with third parties. The apps' privacy policies, however, both explicitly state that they share user information with advertisers, Internet service providers, platforms, and numerous other types of companies. These are two of the most egregious examples uncovered by Mozilla's *Privacy Not Included researchers as part of a study looking at whether Google Play Store's new Data Safety labels provide consumers with accurate information about how apps collect, use, and share personal data. In nearly 80 percent of the apps reviewed, Mozilla found that the labels were false or misleading based on discrepancies between the apps' privacy policies and the information apps self-reported on Google's Data Safety Form. Researchers concluded that the system fails to help consumers make more informed choices about their privacy before purchasing or downloading one of the store's 2.7 million apps.

The study -- "See No Evil: How Loopholes in the Google Play Store's Data Safety Labels Leave Companies in the Clear and Consumers in the Dark," -- uncovers serious loopholes in the Data Safety Form, which make it easy for apps to provide false or misleading information. For example, Google exempts apps sharing data with "service providers" from its disclosure requirements, which is problematic due to both the narrow definition it uses for service providers and the large amount of consumer data involved. Google absolves itself of the responsibility to verify whether the information is true, stating that apps "are responsible for making complete and accurate declarations" in their Data Safety labels.

In a statement Google said: "This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data safety labels, which inform users about the data that a specific app collects. The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information."

  • by thegarbz ( 1787294 ) on Thursday February 23, 2023 @02:40PM (#63318089)

    Who would have thought an honour based system with minimal to no consequences would have failed. This was completely unforeseeable by anyone.

  • by Java Pimp ( 98454 ) on Thursday February 23, 2023 @02:55PM (#63318145) Homepage

    I have some free apps on Google Play that use Google's Ad Mob api for advertisements.

    So, when filling out that form, there's no way to tell the users that "I, myself" don't collect any information but it is Google that does via the Ad Mob api.

    One of the apps has a "disable ads for a $1" button, in which case not even Ad Mob would be collecting anything.

    I could care less about any of the user information. I just wanted to create something fun and maybe collect a little extra cash.

    Looking at my store listings though it just says, "this app may collect these data types" and "this app may share these data types with third parties". I actually do no such thing but we know Google does but Google lets my Apps take the fall for them.

  • Every time I see an article like this I get reminded why pushing for third-party stores is likely worse for users and not better.

    Google kinda vets, but then misses things like this; Amazon has fake listings; Epic brings malware. Apple has its issues, but so far is the one I'd most likely trust for filtering and banning suspect apps. The main problem with Apple is banning anything that seems to allow 18+ content.

    In this scenario if a kinda trusted big player can't vet content properly, then

    • Until recently I had a de-googled android phone. There was no app store other than fDroid and it vets very well comparatively.

      Then Verizon turned on 5G ( shutting off the 3G I had been using which was plenty of bandwidth for my uses ) and I couldn't figure out how to get my phone ( which does support it ) to connect to their network.

      So I got a flip phone with non-de-googled android which can be used as a wireless hotspot. I still use my de-googled phone connected to the hotspot as before, when needed, but

  • by Anonymous Coward

    Audit covers the "paper/click" T's & C's that no one reads vs. the xml that's posted along with a security check - is the app leaking data that isn't being disclosed?

    Top 1000 apps - automatically audited.
    Next top 10% of apps - 20 % audited. ...
    with some sort of logarithmic / power scale that fans out.

    What happens if you are found to be out of compliance? Email with detail describing the discrepancy and kicked off the platform until the discrepancy is resolved.

    Google doesn't need to be the arbitrator on

  • Believing that "free apps" won't compromise your privacy is like being in the vicinity of a train crash with toxic chemicals and hoping the gov't will be there to help you. The time for you to worry has long since passed.

    • by HiThere ( 15173 )

      You seem to think that just because you paid for an "app", it won't siphon off your data. I see no reason to believe that unless there's a method of validating that. Open source is one such method. It's far from perfect, but it's better than any alternative I know of. (Well, you could monitor all transmissions and figure the maximum number of bytes of info that was being transmitted by applications you couldn't identify as having reasons to do so. But then what?)

  • Now, please take that gun away from my head, alright?
  • Scientists have determined that water is wet.

    Film at 11

  • ... serious loopholes in the Data Safety Form ...

    Remember the original plan was to stop listing the permissions used: With 90% of Play Store being adware, it's obvious that 90% of apps are tracking users and hiding permissions also hid the level of privacy-rape. The no-audit Data Safety Form can only be described as an attempt to deceive the user: Which is a breach of contract for paid apps, even when the US government refuses to provide data privacy.

  • by techno-vampire ( 666512 ) on Friday February 24, 2023 @03:13AM (#63319293) Homepage
    I've seen lots of apps in the Google Store that tell you that you can request that your personal data be removed, but I've yet to see even one that says that your request will be honored.
