It is basically impossible to keep track of what all your mobile apps are doing and what data they share with whom and when. So in recent years, Apple and Google have both added mechanisms to their app stores that are intended to act as a kind of privacy nutrition label, giving users some insight into how apps behave and what information they can share. However, these transparency tools are filled with self-reported information from app developers themselves. And a new study focusing on the data safety information in Google Play indicates that the details developers provide are often inaccurate.
Researchers from the nonprofit software group Mozilla looked at the data safety information of the 40 most downloaded apps from Google Play and rated these privacy statements as “Poor,” “Needs Improvement,” or “OK.” The ratings were based on whether or not the data safety information matched the information in each app’s privacy policy. Sixteen of the 40 apps, including Facebook and Minecraft, received the lowest rating for their data safety disclosure. Fifteen apps received the middle rating. These include the Meta apps Instagram and WhatsApp, as well as Google-owned YouTube, Google Maps, and Gmail. Six of the apps received the highest marks, including Google Play Games and Candy Crush Saga.
“If you land on Twitter or TikTok’s app page and click on Data Safety, the first thing you see is that these companies state that they do not share data with third parties. That’s ridiculous – you know right away something isn’t right,” says Jen Caltrider, Mozilla’s project lead. “As a privacy researcher, I could see that this information would not help people make informed decisions. What’s more, an ordinary person reading it would surely walk away with a false sense of security.”
Google requires all developers who submit apps to Google Play to complete the Data Security form. The rationale is that the developers, not the app store that facilitates distribution, are the ones who know how their product handles data and interacts with other parties.
“If we discover that a developer has provided incorrect information in their data security form and is in violation of the policy, we will require the developer to correct the issue to comply. Apps that do not meet the requirements are subject to enforcement action,” Google told the Mozilla researchers. The company did not respond to questions from WIRED about the nature of these enforcement actions or how often they have been taken.
However, Google disputes the researchers’ methodology. “This report merges the company-wide privacy policy, which is intended to cover a variety of products and services, along with individual data safety labels, which inform users about the data a specific app collects,” the company said in a statement. “The arbitrary numbers that Mozilla Foundation assigns to apps are not a useful measure of label safety or accuracy given the flawed methodology and lack of supporting information.”
In other words, Google says the Mozilla researchers misunderstood the scope of the privacy policies they were looking at, or even consulted the wrong policies entirely. But the researchers say the privacy policies they used in their analysis are the exact policies each app developer links to on Google Play, indicating they apply to the apps in question.