No sooner do I post something about the importance of service and content providers getting consumers to trust them with personal data than a story breaks that Google has been sending your personal data to developers every time you download an app from Google Play.
By personal data I mean your name, email address and in some cases the part of town where you live.
That’s a big deal – but not for the reasons you may think.
Australian Android developer Dan Nolan was the first to go public with this on his blog, blasting Google for not only sending him personal details of people who had downloaded his app, but clearly did so without seeking permission from downloaders first:
With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase. The problems on android of app permissions (and subsequent potential for malware aside) is one of active negative behaviour on the part of an app developer. This isn't. This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it's made crystal clear to them that I'm getting this information.
Other developers have since verified Nolan’s claims, as have privacy experts, according to FierceDeveloper. It’s also been pointed out that Apple doesn’t send customer info to apps developers for the App Store.
The question remains just how big a deal this is. Google’s official response, reports FierceDeveloper, is that developers need to have that data on hand because Google Play’s current business model – in which users pay for apps via Google Wallet, which then pays developers directly – is markedly different from Apple’s:
"With apple's app store you buy the apps from apple. With google play you buy the apps from the developer. If you are the merchant of record you need to know the address to correctly compute sales tax. This is documented on http://support.google.com/googleplay/android-developer/bin/answer.py?hl=en&answer=138000. Google cannot give tax advice, so we have to give you the data to make the determination yourself."
Indeed, as Mashable has already pointed out, all of this is stated in Google Play’s Terms Of Service for developers, who also have to agree not to use the personal data they receive for the kinds of abuse Nolan describes. And while some critics maintain that the real issue is that Google was doing this behind the backs of users, that’s covered on the consumer side of Google Play’s ToS.
So, if we’ve learned anything about Google Play’s handling of personal data, it’s this: no one reads the ToS. I know I don’t.
Still, that’s a valuable takeaway, because in the bigger picture of personal data and privacy, it raises a couple of important points:
1. Consumer expectations and perceptions will trump what the ToS actually says when it comes to your brand reputation (and that goes for telcos as well as OTT players like Google).
2. ToS agreements raise serious issues when it comes to personal data safeguards.
The ToS pretty much determines what the service provider can and cannot do with your personal data (outside of whatever local laws might be applicable). They are generally written for the benefit of the service provider, not end users. And in cases like last December’s Instagram fiasco, they’re not always written well.
BT chief security officer Bruce Schneier recently highlighted the issue on his security blog, using cloud-based presentation service Prezi as an example. It’s worth reading.