An investigation into data security labels for Android apps available in the Google Play Store has revealed “serious loopholes” that allow apps to provide misleading or outright false information.
A study conducted by the Mozilla Foundation as part of the *Privacy Not Included initiative compared the privacy policies and labels of the top 20 paid apps and the top 20 free apps on the app market.
It found that for roughly 80% of the apps it examined, “labels were false or misleading due to discrepancies between the apps’ privacy policies and the information apps self-reported on Google’s privacy form.”
“Apps do not report themselves accurately enough to provide the public with meaningful assurances about the security and privacy of their data,” Mozilla said, adding that consumers are led to believe that “apps protect their privacy better than they do.”
Three of the apps (UC Browser – secure, fast, private; League of Stickman Action; and Terraria) did not fill out the Data Security sections at all. Only 6 of the 40 applications received an “OK” rating.
Last year, Google began rolling out a new data security section in the Play Store that describes the privacy and security practices of apps. It’s also the company’s response to Apple’s app privacy labels, which went into effect in December 2020.
However, there are some important differences. Apple’s labels highlight what data is collected, including what is collected for tracking purposes and information related to users.
Google’s labels, on the other hand, allow developers to provide more context about why such data collection might be necessary and what security principles are in place to protect the information.
However, both systems rely on developers to transparently manage their applications’ data. While Apple has implemented routine checks to ensure labels don’t create a false sense of security, Google leaves it to developers to make “full and accurate statements.”
According to Mozilla, these self-reported labels do not necessarily reflect the data collection policies of applications accurately, which calls into question the effectiveness of such a framework in increasing privacy transparency and empowering users to make informed decisions.
“For example, Google exempts apps that share data with ‘service providers’ from disclosure obligations, which is problematic both because of the narrow definition of service providers and the large amount of consumer data,” Mozilla said.
To that end, Mozilla refutes Snapchat, TikTok and Twitter’s claims that their apps “do not share user data with other companies or organizations,” stating that the apps’ privacy policies specifically mention sharing user information with advertisers and ISPs, among others.
It is worth highlighting here that applications can be exempted from the obligation to disclose data sharing if the users’ consent has been requested, if the data is shared with the developer’s service provider, or if the data is completely anonymized.
The US nonprofit is also recommending that Apple and Google adopt a universal nutrition labeling standard and urging the tech giants to “explain their enforcement actions against non-compliant apps and take some responsibility for the accuracy of what information apps report.”