Australian developer Dan Nolan, creator of the Paul Keating Insult Generator app, this week voiced concerns over what he sees as a “Massive Google Play Privacy Issue”. In a blog post on his personal site, Dan found that “every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred”.
The details in question are shown to developers through the Google Checkout merchant interface, a site which allows developers to review the details of their sales transactions – a common feature in any e-commerce system.
The story was initially picked up by Gizmodo Australia, then spread fairly quickly across the web from there, even ending up on Fairfax and News Limited sites. It has resulted in a lot of fear-mongering and concern from users; accusations that Google is playing fast and loose with user data have come hand-in-hand with the added scrutiny on the Play store and Android.
We all seem to love a good privacy scare, IT or otherwise, especially when it involves a giant of the industry who has been caught out before. Before we get the jump-to-conclusions mat out, though, let’s take a deep breath and examine the issues at play here.
What’s the hubbub?
First and foremost, there’s disclosure of personally-identifiable information upon the purchase of an app. Your name, email address, suburb, state and postcode are currently available to the developer in the Google Checkout site, and in some cases this is enough information to allow someone to find you (should they be so inclined). In general, disclosure of such information earns a black mark, and the concern raised in this case is that a developer could use the information to take some kind of action against users who attract their ire — perhaps by leaving a bad review. It’s worth noting that in some countries (especially the UK), a postcode could be enough information to walk up to someone’s front door.
Chris Lacy, the developer of Tweet Lanes and Action Launcher, noted in a post on his site in November 2012 – soon after Action Launcher went on sale in the Play Store – that this information was being disclosed to him. His opinion on the matter is pretty straightforward, stating “I don’t want this information about my customers”. He’s also concerned that developers who do something as simple as selling a Live Wallpaper are receiving this information, adding “I don’t want such information about me being transferred when I buy a live wallpaper”.
Russell Ivanovic of Shifty Jelly told Ausdroid that Google used to anonymise the email address that was provided to developers when a customer purchased their app. This practice seems to have changed in late 2012, and now the user’s real email address is disclosed. He commented, “I hadn’t even noticed that change until I went to have a look today. From what I can tell that’s a very recent thing, and a tiny bit worrying.”
This issue also raises concerns about less scrupulous developers. Occasionally, high-profile fake apps make it into app stores (both Google and Apple have this problem), and customers get suckered into paying for an app that isn’t what they thought it was, or something they don’t want. Given the Play store’s 15-minute refund window, these users will likely get their money back, but the developer will still have their email address. These addresses are particularly valuable to spammers, as each one is tied to a valid, currently-in-use Google account (typically Gmail).
Policies and Reports
Disclosure of this information is covered under Google’s terms and conditions.
The Android Developer Distribution Agreement states in section 4.3:
“You agree that if you use the Market to distribute Products, you will protect the privacy and legal rights of users”
Google’s full Privacy Policy – which governs all users, developers and customers alike – states in a section titled External Processing:
“We provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.”
Google’s Wallet Privacy Policy states that it will
“only share your email address with a seller if you make a purchase from their store” and “Sellers may have access to your name, address, telephone number and email address, as necessary to complete your transaction.”
It’s worth noting that I didn’t find this policy in my initial search, and was only pointed towards it recently.
The Developer Agreement prohibits the developer from disclosing this data and stops them from using it for their own nefarious, revenge-driven ends. The section about External Processing in the full Privacy Policy is interesting, because of the relationship between Customers, Google, and Developers.
Google Play’s checkout process differs from Apple’s App Store, where you buy apps from Apple. On Google Play the app developer is the merchant, much as when you purchase an item on eBay and pay with PayPal: the customer’s relationship is with the developer rather than with Google itself. The Wallet Privacy Policy covers disclosure of the customer’s email and physical address, although it’s questionable whether the developer needs your address in order to complete the transaction.
Information down to the suburb level could be required in some areas for calculating sales tax at a federal, state and even municipal level, although this is less important in Australia, where we don’t need that granularity. Russell also noted that Shifty Jelly doesn’t use this information for tax calculations, because Google provides aggregated reports built for that purpose: “Those don’t contain any info about you”.
Providing location accurate to the state level also allows the developer to adhere to relevant fair trading laws that may apply based on the location of their customer, and the customer’s email address also allows the developer to initiate contact with customers if needed, without waiting for customers to contact them first.
Explanation and Further Investigation
Barry Schwartz argues in his post at Marketing Land that this relationship between the developer and the customer is important for processing refunds in the case of a dispute that might occur outside of the standard 15-minute refund window. Developers can refund some or all of the purchase price of their app to a user at any time should the need arise. While this is true, it shouldn’t be necessary for the developer to have your email address in order to do so – your order number is identifier enough for the transaction, and indeed is the method used by Shifty Jelly should they need to confirm a user’s purchase details.
Further to this, Google may in fact be required to disclose some or all of this information in order to allow the developer to comply with local trading laws, which may vary from state to state and apply based on the location of the customer. It’s also hard to see how a developer might initiate contact with a customer to advise them of urgent fixes without having access to the email addresses of its customers.
Upon further investigation on Thursday, Russell found that in some cases Google used to provide more details (two of my older purchases from Shifty Jelly – September 2011 and January 2012 – included my full credit card billing address and phone number). It seems that at some point in 2012 this dataset was tightened to reveal only the suburb. This was a surprising result, and it’s unclear what particular detail about my Google account caused so much information to be supplied at purchase time.
Perspective
It’s also important to take a step back and examine the importance of this information relative to the outrage it’s generated.
When you purchase an item on eBay, the seller in most cases gets your full postal address and a couple of methods of contact. When you pay for a meal at a restaurant, you may be handing the waiter your full credit card number – and depending on how often you dine there, or the conversations you have with the staff, they could deduce your home address in detail. Many retail stores require contact details such as a phone number, email address, postal address and identification documents when you purchase big-ticket items, yet we think nothing of it.
In each of these cases you’re handing your information over to an individual on behalf of the business, and seldom paying attention to whether they’re mentally stable, have a grudge against you, or are even your sworn enemy. If we’re concerned that a developer could go to such lengths to exact retribution over a negative app review, perhaps we should also be concerned about the cashier on the other side of the counter.
Perspective is all well and good, but it does nothing to make any of us feel better about the likelihood of a shady developer somewhere getting their hands on our information.
The Way Out?
Navigating the waters of privacy scares requires a careful, sensitive response to outraged users, regardless of whether the outrage is justified.
Google has been here before – in 2010 it was revealed that its Street View cars had collected information from wifi access points as they passed by, and having just won a landmark case against the ACCC it likely doesn’t want to head back into court to test how its policies stand up to Australian privacy regulations. Given the policies and agreements developers have to enter into, it seems that no laws have been broken, although the episode now stands out as a sore point in the public eye.
There are a few things Google can do to address users’ concerns.
- Disclosure of location down to suburb and postcode could be dependent on country and state requirements. Google already has granular controls over regions in the Developer Console, and they are aware of the countries, states and regions around the world where this information is required.
- Customers’ email addresses – which aren’t required for identification – could be anonymised, or omitted entirely. There are other ways in which Google could facilitate communication between developers and customers; the urgent-fixes scenario is a case in point. Google could provide a feature to contact all purchasers of app version X between date Y and date Z. Easy to do.
- If a user wishes a developer to be able to see their contact details, they could be offered an opt-in to provide their details – perhaps a link on the developer’s Play store page could provide such a function, which after activation would show developers the full contact information for the customer in Google Checkout.
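The second and third suggestions above, worked through as an added Python example that is not Google’s code and not anything from the Play or Checkout consoles. It assumes a secret HMAC key held only by the store operator, a placeholder relay domain (relay.example), and constructed sample orders: the developer-facing record carries a stable per-developer alias plus suburb, state and postcode, and a “contact all purchasers of version X between Y and Z” call is answered with a delivery count rather than a recipient list.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional

# Assumption: a secret held only by the store operator. Developers never see it,
# so they cannot recompute aliases from guessed addresses or link them across apps.
PLATFORM_KEY = secrets.token_bytes(32)

# Platform-side directory alias -> real address, used only to relay mail.
_ALIAS_DIRECTORY: Dict[str, str] = {}


@dataclass(frozen=True)
class Purchase:
    order_id: str
    customer_email: str      # real account address: platform-only
    customer_name: str       # platform-only
    merchant_id: str
    app_version: str
    purchased: date
    suburb: str
    state: str
    postcode: str


def merchant_alias(customer_email: str, merchant_id: str, key: bytes = PLATFORM_KEY) -> str:
    """Stable pseudonymous contact address for one (customer, developer) pair.

    HMAC-SHA256 under the platform key: the same customer maps to the same alias
    for the same developer (so refunds and support threads still line up), while
    two developers get unlinkable aliases and neither can invert one.
    """
    normalised = customer_email.strip().lower()
    msg = f"{merchant_id}\x00{normalised}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]   # 80-bit label is enough here
    alias = f"{tag}@relay.example"                             # placeholder relay domain
    _ALIAS_DIRECTORY[alias] = normalised
    return alias


def merchant_view(p: Purchase) -> dict:
    """The record a developer would see in the merchant console: order number,
    coarse location for tax and fair-trading purposes, and a relay contact.
    Name and real email are deliberately absent."""
    return {
        "order_id": p.order_id,
        "contact": merchant_alias(p.customer_email, p.merchant_id),
        "suburb": p.suburb,
        "state": p.state,
        "postcode": p.postcode,
    }


def platform_resolve_alias(alias: str) -> Optional[str]:
    """Platform-internal: only the relay resolves an alias back to a real address."""
    return _ALIAS_DIRECTORY.get(alias)


def deliver(alias: str, subject: str, outbox: list) -> bool:
    """Relay a message to the real address. The developer gets a True/False
    receipt; the resolved address goes to the platform's outbox, never back."""
    real = platform_resolve_alias(alias)
    if real is None:
        return False
    outbox.append((real, subject))
    return True


def contact_purchasers(purchases: Iterable[Purchase], merchant_id: str, app_version: str,
                       start: date, end: date, subject: str, outbox: Optional[list] = None) -> int:
    """'Contact all purchasers of app version X between date Y and date Z'.
    The developer supplies the filter and the message; the platform does the
    addressing and returns only a delivery count, not a recipient list."""
    outbox = [] if outbox is None else outbox
    sent = set()
    for p in purchases:
        if p.merchant_id != merchant_id or p.app_version != app_version:
            continue
        if not start <= p.purchased <= end:
            continue
        alias = merchant_alias(p.customer_email, merchant_id)
        if alias in sent:          # one message per customer, however many orders
            continue
        if deliver(alias, subject, outbox):
            sent.add(alias)
    return len(sent)


# Constructed sample orders (not real customers or developers).
SAMPLE_PURCHASES = [
    Purchase("ORD-0001", "alice@example.com", "Alice Example", "dev-A", "1.2.0", date(2013, 2, 10), "Fitzroy", "VIC", "3065"),
    Purchase("ORD-0002", "bob@example.com", "Bob Example", "dev-A", "1.2.0", date(2013, 2, 12), "Glebe", "NSW", "2037"),
    Purchase("ORD-0003", "alice@example.com", "Alice Example", "dev-B", "2.0.1", date(2013, 2, 12), "Fitzroy", "VIC", "3065"),
    Purchase("ORD-0004", "bob@example.com", "Bob Example", "dev-A", "1.1.0", date(2013, 1, 5), "Glebe", "NSW", "2037"),
    Purchase("ORD-0005", "alice@example.com", "Alice Example", "dev-A", "1.2.0", date(2013, 2, 20), "Fitzroy", "VIC", "3065"),
]

if __name__ == "__main__":
    for p in SAMPLE_PURCHASES:
        print(merchant_view(p))
    n = contact_purchasers(SAMPLE_PURCHASES, "dev-A", "1.2.0",
                           date(2013, 2, 1), date(2013, 2, 28), "Urgent fix for 1.2.0")
    print(f"{n} purchaser(s) notified")
```

The keyed HMAC is what makes this better than a plain hash of the address: without the platform key a developer cannot take a list of likely Gmail addresses and check which ones bought their app, and because the developer id is mixed in, two developers comparing their customer lists see no overlap. Refunds and support still work because the alias is stable for one developer, and the order number remains the primary handle for a transaction.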
This morning, Russell told me that the two transactions he found yesterday had been changed – they now only display my suburb, state, postcode and email address. While Google is yet to make an official statement on the matter, it seems they’re watching the issue more closely than we think.
Excuse me, but what is the difference if I do a mailorder where I tell the business my personal contact info in order for them to send me their product? I don’t get it? Of course in this case there is no need if you don’t want to maintain a relationship, but is it a reason to be upset?
A nice simple improvement here would be to add an android ‘permission’ to all purchases (in-app would be the same I guess). The permission would explain what ID you are giving and you’d have to OK it just like normal app permissions.
A sensible suggestion Greg.. I like it.
The important thing to realise is that this level of user data is almost certain to be considered to be an illegal act in the EU. Given Google are already contravening EU rules, they are likely to have to change this, and pay cold hard cash in compensation. Millions at the least.
It’s almost as if they have learnt nothing. Privacy matters, at least in the EU.
How though, when they’ve clearly stated in their terms, conditions and privacy policies that they will disclose the information, which you’ve agreed to by proceeding to use the service? I don’t know the EU rules.. but usually, if you’ve agreed (consented) it’s not that much of an issue.. An example: regardless of what information our database collects before NAB gets involved, the Ausdroid Foundation receives – from NAB – your name, email, usually your address, phone number, and in some instances, the first six and last three digits of your card number, together with details of what you’ve paid. This…
A really good article – well done.