Starting today, apps on the Google Play Store will have to mandatorily share details about their data collection and sharing practices, which will be listed under the new Data Safety section. However, as some people have noticed, Google now expects people to trust these developer-provided privacy considerations instead of the old Google-generated list of privacy permissions. “We know that to meaningfully engage users, software systems themselves must inspire trust, and any effort to that end on their part is undercut by an app store that presents self-disclosure as its policy,” Vuk Janosevic, CEO of privacy software vendor, Blindnet, told Lifewire over email. “If developers need to self-declare what data they are collecting and for what purposes, the question becomes: what is Google going to do to ensure compliance and correctness?”
Open for Abuse
Google began rolling out the Data Safety section in May, pitching it as a way to give people more visibility into the data collection policies of the listed apps. Google isn’t the first to do this, Apple rolled out something similar in December 2020. The new section shares exactly what data an app collects and discloses what data it shares with third parties. It also details the app’s security practices and the security mechanisms its developers employ to protect the collected data and tells people whether they have the option to ask the developer to delete their collected data, for instance, when they stop using the app. However, not only will Google trust developers to provide accurate details, but it’s also doing away with the old list of auto-generated app permissions. The focus on developer-provided details doesn’t sit well with some privacy experts. “Consumers deeply distrust online systems nowadays,” argued Janosevic. “Companies, and their apps, need to go an extra mile to prove that they are not a bad guy and win their customers’ trust.” Janosevic agrees that the change opens up the potential for developers to misrepresent their intent and collect more data points about their users than they claim. “But I think the bigger issue at play here is that any failure on Google’s part to regulate and enforce these rules and publicize that compliance ultimately threatens to erode user trust in the marketplace and the applications listed there,” opined Janosevic.
The Right Way
Jeff Williams, CTO and co-founder of Contrast Security, said the switch to the self-attested privacy labels is more important than doing away with the permission list. “It’s the best way to balance the interests of software consumers and producers in the software market,” Williams told Lifewire over email. “I think this, and other efforts like the software security labels being used in Singapore and Finland, are really important.” Praising the switch to the nutrition-style labels, Williams argues that the vast majority of users didn’t pay much attention to the often cryptic permissions list, and simpler labels are more effective in shaping user choices, as has been observed across various other products. William empathizes with people who want Google to automatically list an app’s permissions, but believes it’s very unlikely that the new system will be abused. He said anyone who cheats is likely to get called out or banned, since discovering discrepancies isn’t difficult. “This move doesn’t change the fact that users will get pop-ups to authorize apps to use any dangerous permissions,” explained Williams. “Anyone who really cares can still get this information.” Furthermore, he pointed out that the new scheme still allows third-party reviews, specifically pointing to the OWASP Mobile Application Security Verification Standard (MASVS) that can thoroughly vet apps considering several security aspects beyond their permissions. “Perhaps someday we will get to third-party labels from a trusted source, maybe Google, maybe someone else [built into the Play Store],” said Williams. “But for now, I welcome a great label that will help ordinary people to understand how the apps they use protect their data.”