Mozilla says 80 percent of Google Play's app safety labels are inaccurate

The Mozilla Foundation has accused Google of incorrectly labelling apps as "Data Safe" as much as 80 percent of the time in its Play digital bazaar – with TikTok, Facebook and Twitter among the misdescribed software. "Google Play Store's Data Safety labels would have you believe that neither TikTok nor Twitter share your …

  1. Neil Barnes Silver badge
    Headmaster

    I love how the word 'sharing'

    Has become synonymous with 'selling'.

    1. Anonymous Coward

      Re: I love how the word 'sharing'

      It's everywhere. Just look at Top Level Domains. These below we block 100% automatically as we've never seen them used for anything but spam & malware. They exist for IANA to make money.

      .email, .shop, .cloud, .ltd, .live, .site, .rest, .website, .bar, .best, .today

      1. teknopaul

        Re: I love how the word 'sharing'

        Lockdownfm.live is a top radio station and does nothing nefarious.

  2. wiggers

    I use the DuckDuckGo browser that has an app tracker-blocker. Astonishing to see the number of tracking attempts. Santander's app is the worst, 10,000-20,000 in a day most days. When I've raised this with them they seem completely clueless, mutter something about essential cookies. One app, Eufy Clean, they didn't even know the app had trackers until I pointed it out to them!

    1. devin3782

      I complained to Lloyds Bank about all the tracking they were doing on their website and was told "It's for your security". Even my personal bank statement data is pulled from a CDN.

      1. ITMA Silver badge

        RBS are just as bad

        And the RBS Android mobile banking app has a serious bug which RBS refuse to fix despite the Financial Services Ombudsman ruling against them.

        If you go into the "Manage my card & Google Pay" it blocks access to the card management section and insists you select one of the Google accounts on your phone - even if you have NOT set up, nor have any intention of setting up or using, Google Pay.

        There is NO WAY to get past it.

        If you select one of the Google accounts just to get at the card management function - minor things like BEING ABLE TO BLOCK A LOST/STOLEN CARD, there is NO WAY to tell it to forget that account. The only way is to uninstall their app and re-install it.

        Utterly shite programming and blatant disregard for GDPR which even after numerous complaints and the Ombudsman's ruling, RBS REFUSE to fix.

        1. MachDiamond Silver badge

          Re: RBS are just as bad

          I'd never do any banking on a mobile. They are too easy to nick and that's your whole bank account gone if somebody gets the phone when it's unlocked (maybe even when locked). If you get pickpocketed all they get is your cash and possibly can use a card up to the daily limit (which is why a sensible limit is a good thing).

          1. teknopaul

            Re: RBS are just as bad

            For the record Deutsche Bank is a disgrace too.

          2. ITMA Silver badge

            Re: RBS are just as bad

            As the old saying goes - don't put all your eggs in one basket.

            Have multiple accounts with different banks. Ideally, banks NOT part of the same group.

            Keep the bulk of your funds in accounts NOT accessed via a mobile app.

            NEVER have credit cards from the same bank (or bank group) as your main account(s). They can use "right of offset" to help themselves to money in any of those accounts to service any debt on the card even if it pushes those accounts into unauthorised overdraft and then hit you with all sorts of additional fees for that too.

    2. ludicrous_buffoon

      My bank requires installation of not one, but TWO apps just to avail of mobile banking (the other is an authenticator which could be easily handled by any ready-existing OTP app). One of the required permissions was location.

      Location seems an odd one for what should just be a ledger and some forms to let me check my balance and move my money, unless they're trying to recreate the 'so what were you doing today' conversations I used to have with bank clerks while they pattered away at the computers.

      1. graeme leggett Silver badge

        Location could be a warning sign - two money transfers an hour apart, one in Lanzarote, the other in London might indicate a security problem (though could be just VPN-ing).

        It could equally be to show you where the nearest branch is.

        Not telling you which is the problem.

        1. teknopaul

          Fraud would not use real location, would it?

  3. imanidiot Silver badge

    "This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data Safety labels, which inform users about the data that a specific app collects"

    Because those company-wide policies should be informing those individual Data Safety labels and if the policies are shit the labels will be too?? Maybe?

  4. Pascal Monett Silver badge
    Thumb Down

    I call bullshit

    "This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data Safety labels, which inform users about the data that a specific app collects"

    You put a Data Safe label on the Facebook app, ergo you are wrong.

  5. ludicrous_buffoon
    Black Helicopters

    How many billions?

    We asked to manage our data privacy, not have our perceptions of data privacy managed by PR hacks. Somehow that was misheard by the advertising corporations.

  6. Mxm

    Admob opaqueness

    I have an app in the Play Store, so was forced to complete Google's Data Safety form, but frankly, I had to guess most of my answers. My own code collects zero user data, but the app does use Google's ad service and getting any clear information out of Google about what they do with the data and how it should be entered in their own form was impossible. There should have been a simple checkbox on the form just to say that the app connects to Admob, but instead they forced every single developer to blindly complete a long list of detailed questions. Most developers probably gave wildly different answers for exactly the same thing.

    1. Anonymous Coward

      Re: Admob opaqueness

      So you are responsible for any data collection performed by Google's service.

      If you don't want to be responsible, remove it.

      1. Mxm

        Re: Admob opaqueness

        Unfortunately, advertising is the only viable business model for most apps and Admob is by far the biggest player.

        And even if you found an ad network that was fully transparent about what it does, a lot of the questions on the form are quite vague and open to multiple interpretations. My point is that most developers will have tried to complete Google's Data Safety form honestly, but it wouldn't surprise me at all if 80% of them still made errors.

  7. DJV Silver badge

    80%?

    I'm surprised it was as low as that!

    1. Version 1.0 Silver badge

      Re: 80%?

      The data is being safely copied, "We do not steal your data, we just sell copies of it so it's still your data." Welcome to today's world, we get told things but so often completely different things are happening:

      Q: "Is it safe to jump out of a plane?"

      A: "Yes, you have a parachute"

      Q: "But it's only 6 inches in diameter"

      A: "It's OK, you will just land quicker"

    2. Kevin McMurtrie Silver badge

      Re: 80%?

      I could see it being only 80% wrong according to the app's privacy policy. It's 98% wrong if you check the app's logs.

      You can flag an app and send logs to Google but nothing happens. The only thing more dangerous than a Google Play Store app is a sideloaded app found in Google's search results.

  8. Anonymous Coward

    I'm now waiting ..

    .. for someone attempting to state with some convoluted logic (or simply made up "facts") that the Apple app store is just as bad. The Apple app store that, if you recall, started with all this fun privacy labelling, to the immediate and immense dislike of a certain Mr Zuckerberg.

    The problem with Google is a massive conflict of interest that you simply cannot explain away (although they certainly try). There is simply no valid argument to trust them. That said, maybe someone could use Android's ability to side load for good by starting an app store which checks apps properly, with some evidence so you could judge if they were worthy of your trust. Could actually be a nice business in itself, but it is, of course, based on an assumption that the OS itself doesn't leak - probably not impossible to achieve but most likely not for free..

    1. Kevin McMurtrie Silver badge

      Re: I'm now waiting ..

      Apple does everything evil that Google does, but Apple is more sophisticated about it. They're both still collecting data in a way that's illegal and dangerous to some people.

      1. Anonymous Coward

        Re: I'm now waiting ..

        Really? I wouldn’t claim that Apple is squeaky clean, but its business is not built on the sole basis of gathering, and selling, data about its users.

  9. heyrick Silver badge

    Sometimes the self reported rubbish is just...rubbish.

    I came across an app a couple of weeks ago that stated both "this app doesn't collect personal data" and "you can request your personal data to be deleted".

    Wait, what?

    1. Mxm

      Re: Sometimes the self reported rubbish is just...rubbish.

      The Data Safety form is the problem here. Even if the developer first ticks the box that says their app doesn't collect data, they still get asked if they provide a way for the user to delete their data. It would be a brave developer who decided to leave that second box unticked - it's far too easy to get your app accidentally de-listed with very little explanation or recourse from Google.

  10. heyrick Silver badge

    We only need two options

    A big green icon that says collection of personal data (anonymous or not) is opt in and disabled by default.

    And a big red icon for everything else.

    Note: By definition the "app" is what the user installs. If there are fifty advertising services baked in, these count as part of the behaviour of the app.

    1. Mxm

      Re: We only need two options

      So you click the red button and quickly discover that your app has no internet connectivity (IP address=personal data). Then you click the other button and the flood gates open...

  11. Jamie Jones Silver badge

    Remember when "internet access" was a permission an Android app had to request?

    ... that disappeared silently...

  12. JWLong

    Android Is The Problem!

    It was by design that Android would spill user data to any app that wanted it.

    This shit is nothing but lipstick on a pig, and end users need to pull their collective heads out of their asses sometime soon!

  13. Rol

    He who pays the piper!

    In the UK, and I suspect USA as well, company accounts are audited by the very accountancy firm that bent over backwards to win the company's business in the first place. Despite that being a massively obvious conflict of interest, with a very long and fully documented history of not working as it should, it carries on. Even when caught, the accountancy firm and the company manage to convince a handful of nonentities to fall on their swords and take one for the team, undoubtedly well recompensed in some untraceable manner, for their "selfless" act in protecting the company and the wider community that leans heavily on this ridiculous set up to rumble on forever.

    I can see Google's situation with its self-declaring model to be no different.

    It wouldn't hurt to have the folk at Mozilla be the ones who audit the apps and declare them as they should be, but how to pay them for their services without again creating a conflict of interest?

    Perhaps the users could donate to them, in recognition of their service to the public?

  14. teknopaul

    Fdroid

    Any app that's free as in beer should be in Fdroid, they appear to label stuff honestly.

    Foolish that app devs don't do this, since it would increase their collective bargaining power to be in multiple app stores.

  15. aregross

    Well, maybe...

    "Labelling scheme offers developers easy loopholes to play down personal info spreading"

    For some reason I read that last word (spreading) as sporking.

  16. therobyouknow

    Google Drive permissions are too wide and coarse. Fixing those would solve a lot.

    For example for an ebook reader app to access books on your Google Drive, the only option available is to modify/delete all your files as well as just read access.

    I've raised this issue here.

    https://issuetracker.google.com/issues/204692011
