End the Lie

Report: Google sends personal information to app developers without user knowledge or consent

Decrease Font Size Increase Font Size Text Size Print This Page

By End the Lie

(Image credit: androidpolice)

(Image credit: androidpolice)

In a disturbing new report, it is revealed that every person who downloads an application through Google Play has had their personal information including name, email and address passed on to the developer without their knowledge or consent.

While this might be troubling, perhaps even more troubling is the highly secretive relationship between Google and the U.S. National Security Agency (NSA), their ties to the U.S. intelligence community and the lack of transparency in their so-called transparency reports.

Still, this “flaw,” uncovered by an app developer in Sydney, Australia, is no small matter. Perhaps the most concerning aspect of the report by news.com.au is the point that the “flaw” actually “appears to be by design.”

The developer, Dan Nolan, has created an application that hit number one in the Australian app store and he says that he does not feel comfortable being the custodian of all of that personal information.

Furthermore, Nolan says that there is no reason any developer should have all of this highly personal information at their fingertips.

“Let me make this crystal clear, every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred,” writes Nolan on his blog.

“With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase,” Nolan writes.

Nolan argues that the only way app developers should be able to get this information is if the users knowingly opt into it and “it’s made crystal clear that I’m getting this information.”

Currently, none of that takes place.

Claire Porter, the technology editor of news.com.au, points out that the problems posed by malware are even more serious than potential harassment from disgruntled app developers.

“With Google customers’ details just sitting in developers accounts, all it would take is a half decent piece of malware software for that information to be accessed,” Porter writes. “These personal details could then be used to access the users’ bank details. That’s also more than enough information to be able to access your other devices which could also be mined for more data – insurance information, other credit cards – which could then be used to access your banking credentials.”

In other words, this could present a quite attractive target for hackers looking to commit fraud on a massive scale.

According to Nolan, this could impact tens of millions of Google customers who have downloaded apps.

“As far as I can tell this impacts every person who purchased an App on the Play Store,” Nolan said to news.com.au.

“I can’t see any way to opt out of providing that information and it seems to be a feature of the Google checkout process,” Nolan said. “I don’t know whether it applies to free apps, but there are hundreds of thousands of apps that are available for pay on the play store and there are millions of people who buy Android apps out there, I’d say easily millions or tens of millions of people.”

“It’s active in every market that Google accepts payment for apps,” Nolan continued. “That’s a lot of people having their personal information handed over without them knowing.”

Even more disturbing is that Nolan says user information has always been provided to developers as far as he can tell.

Nolan said he thinks the only reason it hasn’t been discovered and exposed until now is “because the people who would have paid attention to it were likely exploiting it and selling users’ personal information, it using it as an extra source of revenue on top of what they were making off their Google Play/Android app.”

According to Nolan, the amount of data provided by Google is ludicrous compared to that provided to developers by Apple.

“In comparison to the information you get from Apple which is just a quantity of sales in a Country and then a check three months later, this is absolutely absurd,” Nolan said.

“I doubt anyone expects to have their contact information, name and suburb sent to a developer purely because they decide to buy an app off the Play Store,” he added.

Porter points out that while the Google terms of service indeed states that the company may store this type of personal information, the Google privacy statement says nothing about giving that information to developers whenever you pay for an app.

That being said, the terms of service does say that Google will hand over your address and other personal information if you purchase a magazine subscription but that is the only type of app mentioned.

“This is a massive, massive privacy issue Google. Fix it. Immediately,” Nolan concludes.

Unanswered questions remain: how many people have had their personal information released to developers without their knowledge and consent? How large is the security risk posed by the huge amount of information in the hands of potentially less-than-scrupulous developers?

Furthermore, how many developers have sold this information to third parties without user knowledge or consent? Will we ever know?

It will be fascinating to see how Google responds to this. They did not respond to news.com.au for comment, although the article was apparently changed in some way as an update reads, “This story has been amended at the request of Google.” without stating how it has been amended.

UPDATE: News.com.au revealed the changes they made to the original piece at Google’s request, they “took out the words “massive” and “huge” – referencing the size of the security ‘flaw’. The word ‘flaw’ was also put into inverted commas.” There is also an update with more information including more quotes from Nolan. Definitely worth a read for those who want to learn more. See that here.

Did I forget anything or miss any errors? Would you like to make me aware of a story or subject to cover? Or perhaps you want to bring your writing to a wider audience? Feel free to contact me at [email protected] with your concerns, tips, questions, original writings, insults or just about anything that may strike your fancy.

Please support our work and help us start to pay contributors by doing your shopping through our Amazon link or check out some must-have products at our store.

4 Responses to Report: Google sends personal information to app developers without user knowledge or consent

  1. cybik February 15, 2013 at 8:46 PM

    So basically you’re also against brick-and-mortar stores having your address?

  2. Anonymous February 17, 2013 at 7:08 PM

    yet another reason not to use google products

    • Javier Romero November 7, 2013 at 6:27 AM

      So you’ll prevent yourself from ever using Google products because if you purchase an item from a developer your name, address, and email address will be presented to the developer who you just made a transaction with yet you’re OK with browsing this website that surely (possibly unknowingly) uses tracking information on a personal level to sell you products, who’s CMS surely has exploits and you’re commenting information is not secure (oh no, they’ve got you’re IP). There are boundaries that many corporations have crossed but to deduce a stigma based on probable misinformation (or lack of complete detail) is how the insane stay insane (and paranoid stay paranoid). Now make sure to stay inside with foil on your head so that aliens can’t scan your brain.

  3. Javier Romero November 7, 2013 at 6:10 AM

    Talk about paranoia… Oh no the NSA will get my address (?!). It appears that the only users who’s information is displayed to the developers are those users that have PURCHASED a product. I don’t know about Australia but in the U.S. that’s required information for taxing purposes of digital products. Unlike local transactions such as a local store front the purchase of digital goods can be placed from anywhere in the U.S. and therefore if more than a certain amount of transactions are placed within a given state you must pay state taxes. At least, that’s how it was a few years back and I assume it hasn’t changed.


Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>