Don’t trust the “data security” labels on these Android apps

According to a new study by Mozilla, the “data security” labels in the Play Store listings of many Android apps themselves need a warning.

The nonprofit organization behind the Firefox browser reviewed the Google-mandated labels for the top 20 free and paid Android apps and found that most of the data collection, usage, and sharing disclosures didn’t match the descriptions in the apps’ privacy policies.

“Overall, there were so many significant discrepancies between the apps’ own privacy policies and the information they disclosed on Google’s data security form that we concluded that the apps are not self-reporting accurately enough to provide any meaningful assurance to the public about the security and privacy of their data,” the report said. “Additionally, Google does not do enough to ensure that the information provided in its data security form is accurate and informative to consumers.”

Among the top 20 paid apps during the study period – Sept. 11-November 5, 2022 – 10 received a rating of Poor, indicating a large gap between the security label and the developer’s privacy policy.

For example, Minecraft fails because it only refers to the general privacy policy of its parent company, Microsoft, and then claims in its security label not to share data when Microsoft’s policy allows it in certain circumstances. The other titles rated Poor were Hitman Sniper, Geometry Dash, Evertale, True Skate, Live or Die: Survival Pro, Grand Theft Auto: San Andreas, The Room Two, Need for Speed: Most Wanted, and Nova Launcher Prime.

Five paid apps — Shadow of Death: Dark Night, Bloons TD 6, The Room, Modern Combat 4: Zero Hour, and Monument Valley — received “Needs Improvement” grades, meaning their labels aligned “to some extent” with the developers’ privacy policies. And three paid titles — Stickman Legends Offline Games, Power Amp Full Version Unlocker, and League of Stickman 2020 – Ninja — got away with an “OK” verdict, meaning the label and policy were essentially the same.

Free apps performed slightly better in Mozilla’s analysis. Six apps were hit with a Poor grade; three are Meta titles (Facebook, Messenger, and Facebook Lite) and the others are Samsung Push Service, Snapchat, and Twitter.

TikTok, an app caught stealthily collecting device-level identifiers on Android in 2018 and 2019, drew particular scorn in the report despite only landing in the “needs improvement” zone.

“TikTok’s data security form states that it does not share data with third parties, but its privacy policy includes a list of third parties with which it shares data, including ‘third-party integration partners’ and third-party platforms such as Facebook and Google,” says the report. “TikTok’s privacy policy also states that it may share consumers’ personal information with advertisers and creators based on TikTok’s legitimate interests without consumers’ prior consent.”

In addition to TikTok, nine other free apps received “needs improvement” ratings. Four came from Google (YouTube, Chrome, Google Maps, and Gmail) and two from Meta (WhatsApp and Instagram), with Free Fire, Spotify, and Truecaller: Caller ID & Block rounding out this list. Only three received an OK mark: Google Play Games, Subway Surfers, and Candy Crush Saga.

Three apps — League of Stickman – Best acti and Terraria, both paid, and the free UC Browser — received no marks because they either had no security label or a privacy policy that was too vague to judge.

The report calls for Google to adopt a standardized label modeled on the FDA’s Nutrition Facts to indicate the collection, use, and disclosure of app data; require app-specific privacy policies to allow for easier comparisons by users; warn users more clearly that these labels are not fact-checked; conduct its own periodic reviews of these labels; and insist on narrower definitions of “collection,” “sharing,” and “anonymized.”

Mozilla asked Google to comment on its findings and included its full responses in the report. “If we discover that a developer has provided inaccurate information in their data security form and is in breach of policy, we will request the developer to fix the issue to comply. Apps that are not compliant are subject to enforcement action,” reads part of one of Google’s responses. “Developers can no longer release a new app or an app update if their data security form is incomplete or has unresolved issues.”

Google introduced these security labels in April 2022, nearly a year and a half after Apple began enforcing a similar requirement in its app store in November 2020. (The Mozilla report notes that Apple had its own issues with the accuracy of the labels, as highlighted in a January 2021 Washington Post report.) For a time, Google intended the labels to replace the feature-specific lists of app permissions, for data sources like a device’s camera or its exact or approximate location, that have long been the primary app privacy tool in Android. It gave way after a predictable outcry over the notion of replacing an objective list of what an app can and can’t do with a subjective list, self-certified by an app’s developer.

Mozilla’s report is the latest result of its Privacy Not Included project, in which the nonprofit seeks to highlight privacy gaps in the rest of the tech ecosystem. For example, check out the annual gift guides, which identify privacy-invading devices best avoided by holiday shoppers.
