A Mozilla Foundation study has harsh criticism for the Google Play Store labels that ostensibly inform consumers about the data sharing habits of Android apps, saying that almost 80% of those that they sampled either did not match up with statements made in the privacy policy or were worded in a misleading way.
The Data Safety labels were rolled out to all users in April 2022, in an effort to keep pace with Apple’s transparency and data privacy policies. There have been questions about the usefulness of this “privacy nutrition label” system since it was announced, in part due to prior shortcomings in Apple’s own system (rolled out in 2020) in terms of developer confusion about what to include and lack of enforcement when they get things wrong.
Google data safety labels given a failing grade by study
Mozilla’s study sampled 40 of the most popular Android apps (by number of downloads), split evenly between paid and free apps. Of these, only six received a rating of “OK” in terms of representing their data collection accurately. 15 needed improvement, 16 were considered “poor,” and three did not bother to fill out the form used for data safety labels at all despite having millions (in one case billions) of downloads.
Surprisingly, UC Browser (which touts itself as a safe privacy-focused browser) was one of those that did not submit a form; the app currently has over one billion downloads. The other two that did not report in, at least at the time of the study, were the popular video games League of Stickman and Terraria. Among the Android apps receiving a “poor” grade for accuracy in data safety labels were Twitter, Facebook and Minecraft. Many of Google and Facebook’s line of apps and subsidiaries (such as Instagram) fell into the “needs improvement” category.
The report notes several key areas where these data safety labels usually go awry. The first is that the submission form itself has flaws that allow developers of Android apps to dodge out of reporting certain data, such as information shared with “service providers” (or third parties that are under the direct instruction of the developer). There is also some wiggle room in Google’s definition of how data is collected and shared that allows developers to conceal some of this activity if they choose to.
Google also exempts “anonymized” data from these reporting requirements for Android apps, but among this is data that could potentially be de-anonymized when combined with other data sources. And, as ultimately happened with Apple’s app store, enforcement appears to be a problem. Google leaves it up to Android app developers to accurately fill out their data safety labels, presumably doing spot checks after the fact as a means of keeping everyone honest; the results among 40 of the most downloaded apps on the platform indicate that these checks are not presently adequate.
Paying for Android apps also doesn’t appear to offer consumers any greater level of privacy protection or accurate information; in fact, the free apps actually did better in terms of presenting accurate data safety labels. 10 of the paid apps, including Minecraft, received the study’s lowest grade. Compare this to six of the free apps, but nearly all of these were social media apps (Facebook, Twitter, Snapchat and Facebook Messenger). Surprisingly TikTok, which has been at the center of controversy lately, managed a “needs improvement” grade rather than hitting bottom.
80% of privacy labels not conveying what Android apps are collecting
The study notes that the original nutrition labels for food, introduced in 1973, were widely regarded as unhelpful and lacking in key information until they were standardized by the FDA in 1990. Mozilla suggests that Google, Apple, and other app stores adopt a universal standard for data safety labels that is recognizable to (and understandable by) everyday consumers.
In terms of suggestions specific to Google and Android apps, the researchers call for a clear statement on data safety labels that the information is self-reported and that Google may not have verified that it is accurate. It also calls for more regular reviews of these labels, documented by quarterly public reports that also describe actions taken against developers that did not complete their forms or that provided inaccurate information.
Both Google and Apple have been facing antitrust scrutiny involving their app stores for some time now, and the Biden administration once again turned up the pressure in February by characterizing their market position as a monopoly in the wake of a Commerce Department investigation that was initiated in 2021. Both companies have been pressured to stop using confidential business data garnered from the app stores to develop their own competing products, and Apple has been taken to court over the fees it charges developers. However, the Commerce Department report did not recommend any specific action, instead passing the issue to Congress and related agencies to take up.
