Google’s Play store is being assailed online by an Australian software developer who alleges that the company is sharing too much personal information about buyers who come to the Google Play store to purchase apps.
The developer, Dan Nolan, wrote in a Feb. 13 post on his Internet Hugbox blog that he accidentally discovered the issue when he logged in to his Google Play merchant account to update his payment details.
What Nolan discovered there angered him so much that he titled his post “Massive Google play Privacy Issue” and described it in detail.
Nolan said that in his merchant account he could see the email addresses, cities and in many cases the full names of the people who bought his app through the store, even if they had cancelled their orders.
“Each Google Play order is treated as a Google wallet transaction, and as such, software developers get all of the information (sans exact address) for an order of an app that they would get from the order of something physical,” wrote Nolan.
The problem, he wrote, is that developers don’t need such information and shouldn’t be getting it because that is private data that shouldn’t be shared.
“With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase,” he wrote. “This is a massive oversight by Google.
“Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it’s made crystal clear to them that I’m getting this information,” he wrote. “This is a massive, massive privacy issue, Google. Fix it. Immediately.”
Nolan has not responded to a request for additional comment from eWEEK.
Nolan’s app, the Paul Keating Insult Generator, is a parody app that generates random phrases jokingly described as being from former Australian Labor Prime Minister Paul Keating, who had a way with words. The app is also available in the Apple Store. “Mr. Keating has not uttered these phrases himself,” stated the description of the app in the Apple Store. “Mr. Keating has not authorized this application and has no association with it. Much like the Australian population, we think it would be great to have such a magnificent orator back in politics.”
So what’s up with Google’s privacy policies as they relate to the Play store? A close look at Google’s privacy policies for the Play store and for the Google Wallet service that conducts the transactions shows that the policy that Nolan writes about has been in existence for some time.
The sign-up process for Google Wallet tells prospective users that they will need to share some basic information with merchants to conduct their transactions. In addition, merchants who are signed up to use Google Wallet to make their sales are required to sign two different agreements in which they are bound to protect the private information of their clients, according to Google.
Other online payment services, including PayPal, have similar information-collection processes.
Google Play’s Privacy Policies Assailed by Software Developer
In an email reply, a Google spokesman told eWEEK that “Google Wallet shares the information needed to process transactions, and this is clearly stated in the Google Wallet Privacy Notice.”
Alan Webber, an analyst who covers digital risk at The Altimeter Group, told eWEEK that the fast-changing world of online sales and interaction, coupled with changing technologies, makes it hard for companies like Google to keep up with privacy policies. And many users of online services don’t even read the privacy policies of online vendors with whom they do business, he said.
“Everybody likes all the free stuff that’s out there,” Webber said. “And the fact of the matter is that there is no such thing as a free ride. The payment you are making is the data you give up to use that free service.”
What consumers need to decide for themselves, he said, is whether the information they have to give up is too much in their own minds. “Personally, I wouldn’t do it because I think it’s giving up too much personal information, but for somebody else, it might not be giving up too much information.”
Webber said he thinks the reason Google collects more user information than other companies, such as the Apple Store, is that Google’s prime business is advertising and marketing and that’s where it makes its money. In comparison, Apple’s business model is to sell apps and hardware, which doesn’t require the collection of so much information.
“Apple can afford a much more restrictive approach on collecting private information than Google can,” said Webber. “They have other revenue streams. I don’t think that it’s an oversight. Let’s just be honest here. Google just doesn’t see the need to do this yet.”
Justin Brookman, director of consumer privacy for the Center for Democracy and Technology, said Google could help itself by making such policies more transparent to users on an everyday basis.
“This is not necessarily nefarious” policy, Brookman told eWEEK. “But it could be messaged better. They could be clearer about it.”
Online users should have good privacy so that they know their online activities aren’t being tracked, he said. “I don’t want every Website that I use to know my name. If they were doing that, I would be concerned. The fact that they collect it for [the] legitimate reason to give [it] to the developer, I think that’s fine. They should make sure that people understand that better, though.”
Google’s privacy policies for its customers have been in the cross hairs of governments around the world in recent years.
In October 2012, Google’s privacy policies were assailed by the European Union in connection with how the company uses the data it collects about its online users who employ its extensive services. In a report, the EU said that Google’s efforts to track users across services such as YouTube and Gmail do not meet European standards of privacy. The EU recommended a series of steps that Google could take to improve compliance, including offering opt-out measures for users to control the data that is collected about them by Google.
In January 2012, Google announced major changes to its data privacy policies, which folded 60 of its 70 previously separate product privacy policies under one blanket policy and broke down the identity barriers between some of its services to accommodate its then-new Google+ social network, according to an earlier eWEEK report. Google’s streamlining came as regulators continued to criticize Google, Facebook and other Web service providers for offering long-winded and legally gnarled privacy protocols. The Google privacy policy changes went into effect March 1, 2012.
The biggest change that was enacted concerned Google’s user accounts. When users are signed in, Google may combine identity information users provided from one service with information from other services. The goal is to treat each user as one individual across all Google products, such as Gmail, Google Docs, YouTube and other Web services.
In May 2012, French regulators accused Google of not being cooperative with investigators looking into privacy issues concerning the company and its practices there. A French regulatory agency said it had sent Google a questionnaire about the new privacy policy in March, and that Google’s answers, which were received in April, were “often incomplete or approximate.” A follow-up survey also left questions remaining.
In July 2012, Google reached a record $22.5 million settlement with the FTC to resolve charges that Google bypassed Apple Safari browser privacy settings that blocked cookies for their users.