Google Play Flaw Gives App Developers Purchaser's Information

from the uh,-why? dept

Google, being the undisputed search engine king, is no stranger to concerns over the privacy of its users. Everything from odd fears over their privacy policy to the images on Google Maps has been hurled at them, with most of the intelligent analysis of said concerns amounting to indifferent shoulder shrugs. Privacy is important, of course, but there's yet to be any sense of malicious intent or gross oversight in these cases. Rather, they tend to fall into the category of potential yet unlikely dangers brought about by the very nature of expanded technology.

Perhaps that's why it feels so strange to learn that Google's Play store is so callous with user data, offering up names, street addresses, and email addresses to app developers when their products are purchased. This, according to developer Dan Nolan in Australia.
"Let me make this crystal clear, every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred," Nolan wrote on his blog. "With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase."
If accurate, Google making that information available is at best stupid. As the selling platform, there's simply no reason to do it. Why does the guy or girl who created the Fat Booth app that so delights my friends need to know where I sleep at night? It might be a case where there's confusion about the roles each one is playing. If Google merely views itself as a platform for others to create a store, then you could kind of see where this made sense. App developers are then setting up their own "store" where there are advantages to them having a direct relationship with their customers. The problem, however, is that users don't view it this way. They think of Google as "the store" and this looks like them handing over their private info to the suppliers. And that certainly feels like a pretty massive privacy breach.

More importantly, as the article notes, the implications of how malware creators could exploit this are even more worrisome.
With Google customers' details just sitting in developers accounts, all it would take is a half decent piece of malware software for that information to be accessed. These personal details could then be used to access the users' bank details. That's also more than enough information to be able to access your other devices which could also be mined for more data - insurance information, other credit cards - which could then be used to access your banking credentials.
Due to these very concerns, Nolan expresses his displeasure and discomfort with having that information at all. Worse, if there's any way to opt out of receiving it, he can't seem to find it. Just as worrisome as the flaw is the fact that no one else bothered to report it. Whether this was laziness, ignorance, or the very real possibility that many developers were doing something underhanded with their customers' information is unclear, but all three possibilities are damning to Google, which certainly should have known better. Worse yet, Google is quite clear in their TOS that it can store this information once you provide it, but there is no mention of their passing along that data to app developers in their privacy statement.

While there's yet to be any response from Google as of the time of this writing, the original article did note that Google had already requested an amendment to the story, meaning what remains of it is likely accurate. The speed with which Google needs to fix this would be mach-infinity.


Reader Comments

  •  
    Glen, Feb 13th, 2013 @ 11:05am

    I've said this before, I'll say it again. I love 85% of what Google does. If this is true, this would fall under the 15%.

     

  •  
    A Dan (profile), Feb 13th, 2013 @ 11:10am

    Not street addresses

    He says "Suburb" and "sans exact address", which would fall into the category of Town or City, not street address.

    Of course, in most cases, Name + Suburb is probably enough to uniquely identify an individual.

     

  •  
    Anonymous Coward, Feb 13th, 2013 @ 11:22am

    "The speed with which Google needs to fix this would be mach-infinity."

    That should be minus mach-infinity. As in, go back in time and slap the moron that implemented this "feature" very hard.

    There is no justification for giving developers this kind of information.

     

  •  
    Anonymous Coward, Feb 13th, 2013 @ 11:24am

    I'm still curious why businesses have any right to give out data. It shouldn't even be in the TOS. The only way they should be able to do it is if the user options in. I can see a small incentive being okay for that, but it shouldn't be able to be required to use a service (other than basic requirements of a system...)

     

  •  
    Anonymous Coward, Feb 13th, 2013 @ 11:43am

    ... software developers get all of the information ... for an order of an app that they would get from the order of something physical.

    And that's a problem because ?

     

    •  
      Anonymous Coward, Feb 13th, 2013 @ 12:02pm

      Re:

      With Google customers' details just sitting in developers accounts, all it would take is a half decent piece of malware software for that information to be accessed. These personal details could then be used to access the users' bank details. That's also more than enough information to be able to access your other devices which could also be mined for more data - insurance information, other credit cards - which could then be used to access your banking credentials.

       

    •  
      jackn, Feb 13th, 2013 @ 12:53pm

      Re:

      First, it's not true, and if it was, you're right, what is the problem. When paying with credit card, your address is standard fare. The developer console won't even give an email if the customer wants it that way.

       

    •  
      John Fenderson (profile), Feb 13th, 2013 @ 1:42pm

      Re:

      And that's a problem because ?


      Because I should not have information disclosed to third parties without my knowledge and approval. App developers don't need any of that information. They aren't handling payments, Google is.

      If I had known this was happening, I would not have purchased any apps. Now that I know, I won't be purchasing any more until/unless this is fixed. If the app developers want my personal information, they can ask me for it.

       

  •  
    Tor, Feb 13th, 2013 @ 12:07pm

    Couldn't the same argument be made about Paypal payments for digital products? (where transferal of the buyer's street address is not really needed)

     

  •  
    Eric Lamb (profile), Feb 13th, 2013 @ 12:08pm

    Sounds more like FUD to me...

    First, let me preface this by saying that I'm a HUGE fan of Techdirt and the writing here. I'm very much in line with about 99% of what you guys write here. Please don't think of me as one of the trolls who usually get beat up.

    That said, to be frank, this is crap and FUD of a level I've never witnessed here before. You're pretty much taking worst case scenarios and trying to drum up panic. That's despicable and you should be ashamed.

    Now, my background is selling apps too, in a different eco system than Google Play, though it works in much the same way. I write software that is sold on a third party site. I too get customer details (if they exist; with Paypal orders they do not) and, as a developer/business, I find this to be crucial to building a database of customers I can continue to work with and reach out to.

    For me, as a business owner, I find this data invaluable. For example, I do like to reach out to customers who returned a product to find out the "why" (I want to improve things and this is sometimes the only way). I have yet, out of a few dozen returns, had anyone *ever* complain or feel this was crossing a line. Your pointing that out as a possible failure point just doesn't jive with my reality. At all.

    I find it ridiculous that the store providing customer details to the software creators would be worthy of note much less concern. Building fear, uncertainty, and doubt over this should be an embarrassment to you all.

     

    •  
      Dark Helmet (profile), Feb 13th, 2013 @ 12:28pm

      Re: Sounds more like FUD to me...

      Thanks for the thoughtful feedback. I would contend that this kind of data sharing without consent of the user is a problem. That the possible negative outcomes of such unilateral sharing have to be speculated is a valid point, but in the context of user privacy it's still an issue. Most app developers may indeed use the data in benign ways, or not at all, but the malware problem still exists in a very real way.

       

      •  
        mithra62 (profile), Feb 13th, 2013 @ 1:21pm

        Re: Re: Sounds more like FUD to me...

        Holy crap! Dark Helmet!! Ok, ok, breathe Eric... breathe...

        Big fan sir. Your comments and insight are some of the funniest, thought provoking, and interesting I've read and I'm flattered that you would take the time to respond to me.

        I agree there is a possibility of negative outcomes but there are possibilities of negative outcomes with pretty much everything. Any time you give out personal information there's a possibility of negative outcomes. Focusing on this as a possible issue just seems more to fit an agenda than to actually solve a real problem.

        I guess what got me thinking about this (and wanting to post my first comment to Techdirt ever), was the idea that developers having personal details of their customers was a bad thing. Especially considering there's no evidence in the article, anecdotal or otherwise, to back that up. I find it borderline insulting to presume that I (and other developers) would be less inclined to protect our/your data than many of the fortune 500 companies who have had HUGE data breaches (many of whom are written about here).

        More, to bring up malware as a point of concern when it comes to developers data systems seems sort of silly. What I mean is that, in my experience, developers tend to be highly concerned when it comes to security concerns. Our reputations can be ruined by security issues so it's very much in our best interest to worry a great deal about this. By the way, not to imply we're better at that or that bad things don't happen, just that developers are more "power users" when it comes to their systems than, again, many of the larger companies who have had data breaches. Why worry about developers as the problem?

        Personally, I think this is more a privacy policy issue than anything else. I just checked the site I sell my software on and their privacy policy makes it clear that they will share some of your information with developers. To me that's perfectly acceptable. They're plainly stating that your data may be shared and with whom. I do wonder though, how does Steam, Apple, Xbox/Zune, and others handle this? Truly, I have no idea, but I am curious. As a developer, and business owner, if I couldn't have access to my customers information I would definitely think twice about using that third party to sell my software. And maybe that's just me (Dan Nolan certainly seems to disagree).

        To me, the privacy policy is the story here and not any concern over malware or data breaches from developers having their customers information. "The Lie That Is The Google Privacy Policy" would make a cool title I think ;)

         

        •  
          mithra62 (profile), Feb 13th, 2013 @ 3:52pm

          Re: Re: Re: Sounds more like FUD to me...

          Just to follow up to my own comment, it looks like the Google Play privacy policy does state, quite clearly, that they share your information with others. They're being upfront about their usage; it's just that customers and developers alike never bothered to research these things.

           

          •  
            nasch (profile), Feb 14th, 2013 @ 6:33am

            Re: Re: Re: Re: Sounds more like FUD to me...

            Just to follow up to my own comment, it looks like the Google Play privacy policy does state, quite clearly, that they share your information with others.

            Like I said earlier, it doesn't just say they share your information with "others". It specifically indicates when they will share your information and with whom, and app developers are not on that list. This violates their privacy policy.

             

          •  
            nasch (profile), Feb 14th, 2013 @ 6:35am

            Re: Re: Re: Re: Sounds more like FUD to me...

            Never mind, I saw your later comment. :-)

             

    •  
      John Doe, Feb 13th, 2013 @ 12:46pm

      Re: Sounds more like FUD to me...

      I don't have a dog in this fight, other than to be a Google Play customer, but I don't see the problem here either. Normally I am a big fan of privacy, but in this case it seems that the app (seller) is receiving their customer information. If they didn't, then it could be argued that Google has inserted themselves into the transaction so deeply, that they get customer info but the app developer does not. So the app developer would know nothing about their customers other than they have some.

       

      •  
        Dark Helmet (profile), Feb 13th, 2013 @ 12:49pm

        Re: Re: Sounds more like FUD to me...

        "So the app developer would know nothing about their customers other than they have some."

        Or there could be a middle ground option, such as how Apple handles things...

         

      •  
        ComputerAddict (profile), Feb 13th, 2013 @ 1:23pm

        Re: Re: Sounds more like FUD to me...

        Yea the problem is not whether app makers should get the information, just how.

        As a google user I share my data with GOOGLE, I should have to give consent for them to share that with a 3rd party.

        If a developer wants to know more about their buyers, require in-app registration. Then it is very transparent where the personally identifiable information is going.

         

    •  
      John Fenderson (profile), Feb 13th, 2013 @ 1:49pm

      Re: Sounds more like FUD to me...

      It's clear this information is valuable to developers. But it's also valuable to me to be able to withhold it. This should have been disclosed at the least, and there should be an obvious way to opt-out.

      I find it ridiculous that the store providing customer details to the software creators would be worthy of note much less concern


      You may find it ridiculous, but many people, like myself, find this a very big deal. I go far out of my way to avoid having information about me and my purchases disclosed. Even from the local grocery store, let alone random developers about whom I know nothing.

      What's to stop them from putting me on their mailing list, or selling my email address and other details to others? Nothing.

       

      •  
        mithra62 (profile), Feb 13th, 2013 @ 2:54pm

        Re: Re: Sounds more like FUD to me...

        But Google does say that they share your information with others. It's right there in their Privacy Policy; this is no secret.

        While I completely agree with you that personal information is valuable and something to covet (personally, that's why I'm not on Facebook) if you're going to use a service you would be well served to know what they do with your data before using it.

         

        •  
          nasch (profile), Feb 13th, 2013 @ 3:35pm

          Re: Re: Re: Sounds more like FUD to me...

          But Google does say that they share your information with others. It's right there in their Privacy Policy; this is no secret.

          "We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances apply: " The circumstances are:

          1. with your consent
          2. with your domain administrator (google apps users)
          3. for external processing ("We provide personal information to our affiliates or other trusted businesses or persons to process it for us")
          4. for legal reasons

          That's it. No mention of sending it to app developers.

           

          •  
            mithra62 (profile), Feb 13th, 2013 @ 3:59pm

            Re: Re: Re: Re: Sounds more like FUD to me...

            Uh-oh, it looks like you're right. I had read the Books Privacy Policy and missed it only applied to the Books section of Google Play (from the description next to the link).

            Apologies.

             

    •  
      Anonymous Coward, Feb 13th, 2013 @ 5:47pm

      Re: Sounds more like FUD to me...

      That said, to be frank, this is crap and FUD of a level I've never witnessed here before. You're pretty much taking worst case scenarios and trying to drum up panic.

      That is the very DNA of Techdirt. SOPA, CISPA, PIPA, ACTA, you name it- the response is always a bizarre parade of horribles designed to create a panic, with little regard for the practicalities.

       

  •  
    Anonymous Coward, Feb 13th, 2013 @ 12:58pm

    "Let me make this crystal clear, every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred," Nolan wrote on his blog. "With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase"

    Did you check this out before publishing? this ain't true

     

  •  
    Phoenix84 (profile), Feb 13th, 2013 @ 1:20pm

    Sales tax

    IIRC, the transaction is actually between the seller and buyer. Google is only the middle-man.
    I'm a published developer with a paid app, and I've seen this. I thought it was odd at first. The customer can choose to hide their email, but I didn't see an option for hiding city location. However, I suspect this is so because of taxes.
    Each developer is responsible for paying sales tax for their jurisdiction (since they are the seller, not Google). Without that information it would be impossible for some people to do so (depending on the area).
    Google can handle this for you, but they have a disclaimer that the developer is responsible for any and all taxes, even if Google handles it.

     

    •  
      mithra62 (profile), Feb 13th, 2013 @ 1:24pm

      Re: Sales tax

      That is a very good point. I've never been audited (knock on wood) but wouldn't having customer details be extremely helpful if I ever was? How else would I be able to prove transactions were legit?

       

    •  
      nasch (profile), Feb 13th, 2013 @ 3:38pm

      Re: Sales tax

      IIRC, the transaction is actually between the seller and buyer. Google is only the middle-man.

      That may be true legally, but may not be from a customer perception perspective. If I buy something on Amazon's web site that's actually sold by someone else, does that person get my credit card number? I never thought about it before but I hope they don't. Obviously they need my address to send me something, but Amazon (and Google) should only be sending sellers necessary information.

       

      •  
        mithra62 (profile), Feb 13th, 2013 @ 3:48pm

        Re: Re: Sales tax

        Google doesn't share credit card details and neither does Amazon. We're only talking about billing and shipping information only.

         

        •  
          Phoenix84 (profile), Feb 13th, 2013 @ 3:56pm

          Re: Re: Re: Sales tax

          That is correct. I even tried to look up credit card information after reading this, and didn't see anything.
          Additionally, as a developer I found the information useful.
          My app is region specific, and several of the users who purchased my app didn't even live in the area the app is designed to work in (why they bought it, I don't know).
          However I used the location information Google provided me to add support for those regions into my app. Granted my use case is probably not as common, however it's valuable information.

           

          •  
            John Fenderson (profile), Feb 14th, 2013 @ 9:44am

            Re: Re: Re: Re: Sales tax

            Nobody is disputing that the information is useful to app developers. The issue is that it is being shared without the permission of the users. At a minimum, I should be able to know this is happening prior to my purchasing decision, so I can choose not to purchase. Best case, this wouldn't happen automatically at all, and sharing the information with developers would require a conscious act on my part.

             

        •  
          John Fenderson (profile), Feb 13th, 2013 @ 4:44pm

          Re: Re: Re: Sales tax

          But with apps sold over Google Play, there is literally no billing or shipping information required by the developers.

           

    •  
      Anonymous Coward, Feb 13th, 2013 @ 5:28pm

      Re: Sales tax

      "Each developer is responsible for paying sales tax for their jurisdiction (since they are the seller, not Google)."

      Google is the merchant of record for the credit card transaction and the store is branded as belonging to Google. Both of those things together suggest that Google is the seller, and not the developer. While Google may wish to avoid responsibility for collecting taxes, I doubt it would survive a legal challenge from states in which Google has a physical presence.

      The way I see it, developers who sell through Google should no more get my information than Paramount does when I purchase DVDs through Amazon.

       

  •  
    KenK (profile), Feb 13th, 2013 @ 1:37pm

    email part seems true

    I made an app purchase on Google Play this past December 15th and received a 'Thank you" email from the developer on the 19th. He explained that it would be a one off email and suggested that I email him with any issues or queries.

    This had me wondering how he got my email address but it seemed like a reasonable response to my purchase and I had forgotten about it until now.

     

  •  
    heyidiot (profile), Feb 13th, 2013 @ 2:43pm

    They are welcome to my info...

    ...so long as they give me theirs.

     

  •  
    mithra62 (profile), Feb 13th, 2013 @ 3:22pm

    Using Services One Doesn't Know

    Ok; this is now silly. I went through and read the entire Privacy Policy on Google Play, both of them (yeah, there's two), and they make it clear, to my non lawyer mind at least, that they do in fact share this information. So all of this is based on the assumption of the world working one way when it works the other way.

    Look, I'm all for privacy and protecting personal information as much as the next guy but this is silly. Google says they share customer information with people who need it. If customers don't like this, shop elsewhere. If developers don't like it, don't sell there. I really don't think this is as big a deal as it's being made out to be.

     

  •  
    Anonymous Coward, Feb 13th, 2013 @ 8:00pm

    I'm put in mind that Google operates in CA, and CA has some new and fairly stringent requirements regarding privacy policies. Would this violate those requirements? (I don't know... I'm asking/speculating.)

     

  •  
    art guerrilla (profile), Feb 14th, 2013 @ 11:22am

    so far, i've only bought a couple apps on google play, but gotten a ton of freebies; does this ONLY apply to apps you pay for ? ? ?

    not really *too* bent out of shape about it, except as a matter of principle... and, well, shit, let's get real, who the fuck cares about steenking 'principles' anymore...

    morals, ethics, principles, decency, fair-dealing, justice, all archaic words that have no meaning any more...

    profit uber alles ! ! !

    art guerrilla
    aka ann archy
    eof

     

  •  
    Mike, Feb 17th, 2013 @ 5:36am

    Buyer gets the sellers info too!

    It's just as bad for the seller, as the buyer gets his information too!

    Just go to checkout.google.com and you can see everything you have ever bought. Click into one of the transactions and odds are you can see the name and address of the person or company that wrote it. So the seller loses all of his privacy as well.

     
