The makers of the world’s most popular Android apps are providing false or misleading information in the “privacy nutrition labels” in Google’s Play Store, according to a new study from Mozilla’s *Privacy Not Included project.
The study looked at the privacy information that app developers are supposed to fill out in Google’s Play Store and compared those details to the apps’ privacy policies. The privacy labels are supposed to give you information about an app’s data practices so you can make informed choices, but the study found the labels are close to useless. Just six of the 40 apps in the study got a passing grade, and 16 apps that researchers dug into had major discrepancies between their privacy policies and their app store privacy labels.
“These labels are a total failure,” said Jen Caltrider, the project lead for Mozilla’s *Privacy Not Included. “If you care about privacy but you’re not super well-informed about data collection and sharing, you could look at these things and come away with a false sense of security. It’s hugely misleading, and I would argue it’s harmful.”
The study looked at the top 20 most popular free apps in the Play Store, and the same number in Google’s paid apps category. For most of them, the data practices in the apps’ privacy policies were far more invasive than what developers disclosed. Among those receiving a “Poor” grade, meaning Mozilla found major discrepancies between the label and the policy, were Facebook, Facebook Messenger, Twitter, and Minecraft. Apps including Instagram, Spotify and several of Google’s own apps were marked “Needs Improvement”: a little better, but not great.
Only a few got an “OK” grade (the best grade you can get; Mozilla isn’t giving out participation trophies for telling the truth). The winners were mostly games, including Subway Surfers and Candy Crush. That’s somewhat surprising, given that free games generally run on ads, which usually means sharing data with advertising networks.
The other apps that didn’t get passing grades had similar glaring issues. Facebook, Microsoft (which now owns Minecraft), Spotify, TikTok, and Twitter did not immediately respond to requests for comment.
Google announced the privacy labels in 2021 and rolled them out last year, celebrating them as a win for transparency. The change followed similar additions to Apple’s App Store, which has its own labels, complete with similar falsehoods, and similarly lax enforcement policies.
“This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual data safety labels, which inform users about the data that a specific app collects,” said a Google spokesperson. “The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information.”
Gizmodo asked the spokesperson which company-wide policies were being conflated. They didn’t respond.
“There are two main problems here,” Mozilla’s Caltrider said. “The first problem is Google only requires the information in labels to be self-reported. So, fingers crossed, because it’s the honor system, and it turns out that most labels seem to be misleading.”
Google promises to make apps fix problems it finds in the labels, and threatens to ban apps that don’t come into compliance. But the company has never provided any details about how it polices apps. Google said it’s vigilant about enforcement but didn’t describe its enforcement process, and didn’t respond to a question about any enforcement actions it has taken in the past.
The Google spokesperson explained that developers alone are responsible for making sure their labels are accurate and in compliance with Google’s detailed guidelines. The spokesperson said Google evaluates apps’ privacy practices to the best of its ability, but the company has no way to determine how apps handle data once it leaves your phone, or whom apps share your data with.
Of course, Google could just read the privacy policies where apps spell out these practices, like Mozilla did, but there’s a bigger issue at play. These apps may not even be breaking Google’s privacy label rules, because those rules are so relaxed that “they let companies lie,” Caltrider said.
“That’s the second problem. Google’s own rules for what data practices you have to disclose are a joke,” Caltrider said. “The guidelines for the labels make them useless.”
If you go looking at Google’s rules for the data safety labels, which are buried deep in a cascading series of help menus, you’ll learn that there is a long list of things that you don’t have to tell your users about. In other words, you can say you don’t collect data or share it with third parties while you do in fact collect data and share it with third parties.
For example, apps don’t have to disclose data sharing if they have “consent” from users to share the data, if they’re sharing the data with “service providers,” if the data is “anonymized” (which is nonsense, since nominally anonymized data is often re-identifiable), or if the data is being shared for “specific legal purposes.” There are similar exceptions for what counts as data collection. Those loopholes are so big you could fill up a truck with data and drive it right on through.
“It’s really disappointing, because this is information consumers need. We need a labeling system with a universal standard that holds companies accountable,” Caltrider said. “I think pointing out these flaws is a step in the right direction, even if it’s discouraging. If people can see how broken this all is, maybe they’ll start to push back.”