It’s basically impossible to keep track of what all your mobile apps are doing and what data they share with whom and when. So over the past couple of years, Apple and Google have both added mechanisms to their app stores meant to act as a sort of privacy nutrition label, giving users some insight into how apps behave and what information they may share. These transparency tools, though, are populated with self-reported information from app developers themselves. And a new study focused on the Data Safety information in Google Play indicates that the details developers are providing are often inaccurate.
Researchers from the nonprofit software group Mozilla looked at the Data Safety information of Google Play’s top 40 most-downloaded apps and rated these privacy disclosures as “poor,” “needs improvement,” or “OK.” The assessments were based on the degree to which the Data Safety information did or did not align with the information in each app’s privacy policy. Sixteen of the 40 apps, including Facebook and Minecraft, received the lowest grade for their Data Safety disclosures. Fifteen apps received the middle grade. These included the Meta-owned apps Instagram and WhatsApp, but also the Google-owned YouTube, Google Maps, and Gmail. Six of the apps were awarded the highest grade, including Google Play Games and Candy Crush Saga.
“When you land on Twitter’s app page or TikTok’s app page and click on Data Safety, the first thing you see is these companies declaring that they don’t share data with third parties. That’s ridiculous—you immediately know something is off,” says Jen Caltrider, Mozilla’s project lead. “As a privacy researcher, I could tell this information was not going to help people make informed decisions. What’s more, a regular person reading it would most certainly walk away with a false sense of security.”
Google mandates that all app developers submitting to Google Play complete the Data Safety form. The rationale is that the developers are the ones who have the information on how their product handles data and interacts with other parties, not the app store that facilitates distribution.
“If we find that a developer has provided inaccurate information in their Data Safety form and is in violation of the policy, we will require the developer to correct the issue to comply. Apps that aren’t compliant are subject to enforcement actions,” Google told the Mozilla researchers. The company did not address questions from WIRED about the nature of these enforcement actions or how often they have been taken.
Google disputes the researchers’ methodology, though. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data Safety labels, which inform users about the data that a specific app collects,” the company says in a statement. “The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information.”
In other words, Google is saying that the Mozilla researchers misunderstood the scope of the privacy policies they were looking at or even consulted the wrong policies entirely. But the researchers say the privacy policies they used in their analysis are the exact policies each app developer links to on Google Play, indicating that they apply to the apps in question.
“Google’s own response to our research highlights the exact problem we highlighted,” Mozilla’s Caltrider says. “What information are consumers to trust and rely on if the self-reported information from app developers in the Data Safety section is different from the privacy policies linked on the same app page? Ultimately, our goal is to help Google give consumers what they need to make informed decisions about their privacy. This starts with Google improving their Data Safety information.”
The report also lays out how Google’s current Data Safety form creates blind spots and opportunities for developers to leave out information about how their apps behave and share user data. For example, the form broadly exempts app developers from reporting data sharing with “service providers” and for “specific legal purposes.” And the researchers found that the definitions Google uses for the words “collection” and “sharing” are narrow, meaning that developers may not be required to report activity that users would think of as data collection and sharing. Additionally, the researchers note that Google doesn’t require app developers to disclose data collection when the information is being anonymized. This is noteworthy because of debates over whether it is possible to truly anonymize data as well as a long track record of app developers making mistakes or using flawed schemes in their attempts to anonymize data.
Both Google and Mozilla’s researchers note that Google Play’s Data Safety mechanism is still new. And the researchers say it can be refined to be a valuable indicator for users. Without urgent reform, though, they argue that the Data Safety information is currently doing more harm than good by giving users an inaccurate privacy picture of what’s going on inside their apps.