Mozilla Study Shows Google Misleading Privacy Labels on Top Android Apps

They discovered privacy disclosure discrepancies for popular apps like TikTok, Twitter, and Facebook...

Do you know how Google Play Store shows you information about privacy for all apps? Surprise, surprise – it’s not all as it seems.

An investigation into data safety labels on the Google Play Store has allegedly uncovered “serious loopholes” that allow top apps such as Twitter, TikTok, and Facebook to provide misleading information regarding how user data is shared.

Conducted by the Mozilla Foundation, the study identified 40 of the most globally downloaded Android apps on the Google Play Store and discovered almost 80% had discrepancies between their privacy policies and the information listed on Google Play’s data safety section.

The data privacy section in the Google Play Store was launched last year with a note that developers had sole responsibility to provide “complete and accurate declarations” for the information collected by their apps through the Google Data Safety Form.

According to Mozilla, these self-reported privacy labels may not accurately reflect what user data is actually being collected, due to shortcomings in the safety form’s honor-based system. The problems, it argues, lie in the vague definitions of “collection” and “sharing” and in the form’s failure to require apps to report data shared with “service providers.”

Mozilla studied the top 20 free apps and top 20 paid apps and then graded them with a score of “poor,” “needs improvement,” or “OK” based on its findings:

  • 16 apps received a “poor” grade, including Twitter, Minecraft, and Facebook;
  • 15 apps received a “needs improvement” grade, including TikTok, YouTube, Google Maps, Gmail, WhatsApp, and Instagram;
  • Only 6 apps received an “OK” grade, mostly games such as Candy Crush Saga and Subway Surfers;
  • 3 apps hadn’t even filled out the Google Data Safety Form: UC Browser-Safe, Fast, Private; League of Stickman – Best acti; and Terraria.

“Consumers care about privacy and want to make smart decisions when they download apps. Google’s Data Safety labels are supposed to help them do that,” said Jen Caltrider, project lead at Mozilla. “Unfortunately, they don’t. Instead, I’m worried they do more harm than good.”

In one example, Mozilla highlighted that TikTok and Twitter both claim to not share any data with third parties in their Data Safety Forms, despite clearly stating that data is, in fact, shared with third parties in their respective privacy policies.

“When I see Data Safety labels stating that apps like Twitter or TikTok don’t share data with third parties it makes me angry because it is completely untrue. Of course, Twitter and TikTok share data with third parties,” says Caltrider. “Consumers deserve better. Google must do better.”

Google dismissed the study, claiming that Mozilla’s grading system is inefficient. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data safety labels, which inform users about the data that a specific app collects,” says a Google spokesperson. “The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information.”

To be fair, Apple is not without guilt on this front either. The iPhone maker has been criticized for its developer-submitted privacy labels: a 2021 report from The Washington Post found that many iOS apps similarly provided misleading information, with some falsely reporting that they didn’t collect, share, or track user data.

Mozilla suggests that both Apple and Google adopt a universal, standardized data privacy system across their platforms to address these concerns. It also recommends that large tech companies take greater responsibility and take enforcement action against apps that fail to provide accurate information regarding data sharing.

“Google Play Store’s misleading Data Safety labels give users a false sense of security,” added Caltrider. “It’s time we have honest data safety labels to help us better protect our privacy.”