Mozilla: Nearly 80% of Google Play Store apps have discrepancies in privacy reporting

Nearly four out every five apps in Google’s Play Store are not accurately reporting how they handle user data despite filling out required forms intended to increase transparency, researchers have found. 

Mozilla researchers analyzed the 40 most popular free and paid apps and how their data collection policies line up with what was disclosed on Google’s Data Safety Forms.

According to the researchers, there were so many significant discrepancies between the apps’ own privacy policies and the information provided on Google’s forms that they believe “the apps aren’t self-reporting accurately enough to give the public any meaningful reassurance about the safety and privacy of their data.”

The form asks for information about what data the apps collect from users, why they collect it and who they share it with. Google says all 2.7 million apps in the Play Store are required to fill out the form, but researchers say not all have done so. 

According to Mozilla — a nonprofit foundation that maintains the Firefox web browser and other software — apps on Google Play earned $48 billion in worldwide gross revenue in 2021. 

“Google isn’t doing enough to ensure the information provided in their Data Safety Form is accurate and informative for consumers,” researchers Jen Caltrider, Ali Talip Pınarbaşı and Anne Stopper said.

“The result is that consumers who want to protect their privacy and trust the information on Google’s Data Safety Form are being misled, leading them to believe these apps are doing a better job protecting their privacy than they are.”

A Google spokesperson criticized the report in comments to The Record, claiming it conflates the privacy policies of entire companies with what app developers submitted to Google about the specific data collected from users.

“The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information,” the spokesperson said. 

Paid Apps

Of the 20 paid apps examined, 10 received Mozilla’s lowest grade — representing the lowest degree of similarity between Google’s Data Safety Form and their privacy policies. Sixteen out of 40 apps, or 40%, had major discrepancies between their privacy policies and their Data Safety Forms, earning a “Poor” grade.

The 10 apps in the lowest grade include Minecraft, Human Sniper, and Geometry Dash – three of the top five most installed paid apps on Google’s app store. Minecraft alone has at least 10 million installations yet only provides a link to Microsoft’s privacy statement with no specific information about how Minecraft handles data or privacy. 

Mozilla said Minecraft received one of the lowest grades because its own privacy policy says it collects and uses consumers’ purchase history data, which was left out of the form it sent to Google. 

On the Google form, the app claims it does not share data but its own privacy policy states it does share personal data with Microsoft-controlled affiliates, subsidiaries, vendors and agents.

Minecraft is just one example of a larger trend Mozilla researchers found in which apps use loopholes in the form to omit crucial information about the data it collects and shares. 

Free apps

Mozilla said the top 20 free apps fared better than paid ones, with the majority having privacy policies that aligned with what they disclosed to Google. Only six apps received the lowest grade, including Facebook, Messenger, Snapchat and Twitter. 

Some of Google’s own apps, ranging from Gmail to YouTube and Google Maps, received middling grades due to some discrepancies, while apps like Google Play Games, Subway Surfers, and Candy Crush Saga received the highest grade. 

But many of the free apps also took advantage of loopholes that allow them to get around reporting whom they share user data with. 

Google makes it optional for apps to say whether they share data with a service provider, which is defined as an agency that provides some form of service based on consumers’ data for use by the app developer. Google itself is a service provider through tools like Google Analytics and Google Translate. 

As an example, the researchers cited TikTok, which says on its Google form that it does not share data with third parties. In its own privacy policy it provides a list of third parties it does in fact share data with, including platforms like Google and Facebook. 

TikTok also left off the Google form that it retains the right to share user content and data with advertisers or post any content on other social media platforms. 

Twitter similarly did not say on the Google form that it shares data from tweets with advertisers and other third parties. 

"When I see Data Safety labels stating that apps like Twitter or TikTok don't share data with third parties it makes me angry because it is completely untrue,” Caltrider, one of the researchers, said. “Of course, Twitter and TikTok share data with third parties. Consumers deserve better. Google must do better."

Google also allows apps to use very narrow definitions for data sharing and collection, allowing companies to effectively lie about how they operate. Data that is allegedly “anonymized” is exempt from being disclosed, which Mozilla said is problematic because some question “whether true anonymization is even possible.”

The tech giant also takes no responsibility for the information provided by the companies, openly saying that apps “alone are responsible for making complete and accurate declarations.”

Google told Mozilla that it works “with the developer community to ensure they understand the importance of providing accurate information so users can make informed decisions about what apps they use.” They would not explain what enforcement mechanisms are in place for apps that mislead, only telling Mozilla that they require developers to correct inaccurate information. 

More harm than good?

The Google spokesperson did admit that the safety labels are a relatively new offering in the app space and noted that they are always looking for ways to evolve the safety label process as well as enforcement practices. 

Mozilla's Caltrider said she was disappointed because on its face, the effort to create safety labels is a worthy cause to take on, but she worries that the safety labels actually “do more harm than good” because they don't allow consumers to make informed decisions about their privacy.

The “misleading” labels give users a “false sense of security,” she explained, adding that it's time people “have honest data safety labels to help us better protect our privacy."

A Washington Post investigation in 2021 found that Apple’s App Store had similar issues with its data privacy labels. Caltrider noted that the Biden Administration recently criticized both tech giants for their outsized control over the app industry. 

A report from the U.S. Commerce Department’s National Telecommunications and Information Administration published three weeks ago stated that Apple and Google’s dominance over the app market was “harmful to consumers and developers.”

Caltrider suggested Google and Apple work together with consumer privacy advocates to develop an industry standard for the privacy and data safety labels they present to consumers in their app stores.

The tech giants should also help educate consumers about why their data privacy matters and how companies make money off their personal information, she explained. 

“Consumers can’t make good decisions with bad information. Is this still a little like the fox guarding the hen house? Probably,” she said. “But if we don’t hold these companies accountable, things are only going to get worse.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.