
Mozilla says 80 percent of Google Play's app safety labels are inaccurate

Labelling scheme offers developers easy loopholes to play down personal info spreading

The Mozilla Foundation has accused Google of incorrectly labelling apps as "Data Safe" as much as 80 percent of the time in its Play digital bazaar – with TikTok, Facebook and Twitter among the misdescribed software.

"Google Play Store's Data Safety labels would have you believe that neither TikTok nor Twitter share your personal data with third parties," declares the Foundation's report on the matter. "The apps' privacy policies, however, both explicitly state that they share user information with advertisers, Internet service providers, platforms, and numerous other types of companies."

A privacy-focused research group at Mozilla examined 40 apps (out of 2.7 million on the Play store) and the accuracy of the self-reported information their developers submitted to Google's Data Safety Form – used to determine the ad giant's data safety labels.

Mozilla's folk found four out of five of the resulting ratings were inaccurate, while 40 percent had major discrepancies that should have earned apps a "Poor" rating for data safety. Only 15 percent would have received an "OK" grade, had Mozillans done the grading.

Apps that earned the researchers' stamp of approval included: Stickman Legends Offline Games, Power Amp Full Version Unlocker, League of Stickman: 2020 Ninja, Google Play Games, Subway Surfers, and Candy Crush Saga.

Paid apps were mostly worse than unpaid apps. Half of Google Play's top 20 paid apps landed in the "poor" category, including Minecraft, Hitman Sniper, and Geometry Dash. Six of the store's top 20 free apps rated as "poor," including Facebook, Messenger, Samsung Push Services, Snapchat, Facebook Lite and Twitter.

According to Mozilla, one major flaw with the self-reporting scheme is that it doesn’t require developers to report that their apps share data with "service providers" – and uses a problematic definition of "service providers". The scheme also uses narrow definitions for data "collection" and "sharing" which allow app developers to escape negative labels via loopholes. Data deemed "anonymous" is also exempt.

The researchers conceded that while Google's Data Safety form is flawed, it at least constitutes a step toward proper privacy disclosures for consumers. But the Mozillans also wrote that Google and app developers "share the blame for the failure to improve data privacy transparency in Google's Play store."

"But the responsibilities of each are not the same," wrote the Mozilla privacy team. "Google has an additional responsibility as the host of the Play store to ensure that bad actors aren't permitted to flourish at the expense of the consumer, many of whom are from vulnerable populations, like young people."

And, as Mozilla also points out, Google – which has a profit motive – "has not devoted the resources necessary to counter the threat."

Google has unsurprisingly criticized the report.

"This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data Safety labels, which inform users about the data that a specific app collects," a spokesperson told The Register. "The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information." ®
