It looks like trusting developers to just tell the truth about data collection on Google Play isn’t working out. Just like on iOS, Android launched app privacy “nutrition labels” in the Play Store last year, with the idea being that users could quickly get a look at how much data each app collects. The obvious problem with this system is that the developers fill out the data-collection forms, and there’s nothing to stop them from lying or omitting certain data-collection policies. It’s no surprise, then, that when Mozilla recently audited the top apps on Google Play, it found that “most top apps” have “false or misleading” app privacy labels.
Mozilla says it surveyed 40 of the Play Store’s most popular apps by global downloads and found that “in nearly 80% of the apps we reviewed, we found some discrepancies between the apps’ privacy policies and the information they reported on Google’s Data Safety Form.” Each app received a grade of “Poor,” “Needs Improvement,” or “OK,” with 16 out of 40 apps getting the lowest rating.
Mozilla did not need to dig very deep to find flaws, saying that many apps’ privacy labels openly contradict their own public privacy policies. Snapchat, TikTok, and Twitter all claim “No data shared with third parties” on the Play Store but detail third-party sharing in their privacy policies. For free apps, the list earning a “poor” grade isn’t very surprising: Facebook, Facebook Messenger, Facebook Lite, Snapchat, Twitter, and, the one surprise, Samsung Push Services. A lot of paid games like Minecraft make the “poor” list, too.
Mozilla says: “There’s little evidence that Google works diligently to ensure the accuracy of the submissions, and this lack of enforcement renders the quality of the information very poor in a great many cases.” Mozilla came up with several recommendations for Google, should it want to improve the situation, like having an actual punishment for lying on the form and clearly disclosing to users that Google doesn’t vet any of these answers. Mozilla also wants to see Google and Apple work together to standardize the design of app privacy labels across ecosystems. Just as a single food nutrition label has a standard design across products, Mozilla says a privacy label should have one design, too.
Mozilla rates a few Google apps like Gmail as “needs improvement,” but that’s missing the forest for the trees. The report doesn’t dive into this, but for Android, Google likes to do privacy sleight-of-hand and center the discussion around the idea of “app privacy,” when “OS privacy”—privacy from Google—should probably be more of a concern. Google and your device manufacturer both have system-level access to the OS that exists outside the app security model, so they can basically do whatever they want on your phone, including collecting all your data.
Even if the app privacy labels were accurate, Google is the kind of company that doesn’t need apps to vacuum up your data on Android; it could just use any of a million system-level services instead. One such service, Google Play Services, has a blank app privacy screen! If it were accurate, it would be a mile long, but Google would apparently rather you not look behind the curtain. The same “privileged permissions” model also applies to preinstalled apps, which is part of the reason Facebook works so hard to be preinstalled on most Android phones—more permissions means better spying. It would be nice if the Play Store labels were accurate, too, but nobody wants to talk about the entire OS.