Date: 2023-02-23

The privacy “nutrition labels” designed to help you understand how an app treats your data may be empty calories, according to a new report from the Mozilla Foundation, creator of the Firefox web browser. Its new report found that there are serious discrepancies between what apps on the Google Play Store, which includes Android’s app store, reported when it came to how they share and gather data and what their terms of service or privacy policies state. Google’s data privacy reporting tools went into effect in April 2022.

When they compared the top 20 most popular paid and free apps on the Google Play Store (which amounted to more than 150 billion installations), Mozilla researchers found that almost 80 percent had discrepancies between their actual privacy policies and the information they reported on Google’s Data Safety form. The authors found that major apps like Facebook, TikTok and Twitter were among the offenders.

The report did not look at Apple’s app store, which popularized the use of privacy labels for app users.

“There isn’t a lot of enforcement, so you’re just trusting companies to be honest when our research shows they’re not. And that’s one problem,” said Jen Caltrider, who leads Mozilla’s *Privacy Not Included series, which aims to help safeguard consumers’ privacy and spur action on the subject. “But companies being less than truthful in their self-reporting is not that shocking.”

What was shocking, she said, is that the rules for reporting on Google’s Data Safety form are lax — by Google’s own design.

The findings

The report examined the privacy policies and data safety labels of 40 apps, sorting them into three categories — “Poor,” “Needs Improvement” or “OK.” The ones that received a rating of “Poor” had “major discrepancies” in terms of what data was shared or collected and the reason this was done. The roughly 80 percent of the apps the report found to have input false or misleading data into Google’s Data Safety form include Minecraft, Twitter and Facebook, which received a grade of “Poor.” Other popular apps like YouTube, TikTok, Google Maps and Gmail received grades of “Needs Improvement.”

The reasons for this are varied. Take Twitter, for example. The company says it “shares personal data from users’ tweets with advertisers, third-party content and integrations, APIs, and ‘partners’ it says help it operate Twitter’s products and services,” according to the report. But none of these are mentioned on Twitter’s Google Data Safety form.

Meanwhile, TikTok says it doesn’t share data with third parties on its data safety form, but the company’s privacy policy lists a variety of “third-party integration partners,” including companies like Facebook and Google.

Caltrider said that one thing to keep in mind is that it’s not just the failure of companies to self-report, which isn’t surprising — it’s also Google’s broad loopholes that create gray areas around what things like “third parties” even mean.

Google’s form, for example, allows apps an exemption from declaring if they transfer user data to a third party if “the data transfer to a third party is prominently disclosed in the app and the app requests your consent in a way that meets the requirements of Google Play’s User Data policy.”

For Caltrider, that’s not enough, given that few people read privacy policies and even fewer know what they’re consenting to when they sign up for any app. That is especially true for apps like Minecraft and TikTok, whose audiences are predominantly younger people.

“Google also exempts transfer of data to service providers,” said Caltrider. “Service providers are vast. If you read any privacy policies, know that lots of data is being transferred to service providers for lots of different reasons. And so I absolutely think that should be declared as well as the vaguely stated specific legal purposes.”

Google also exempts fully anonymized data — though there are questions about whether data can ever be fully anonymized, especially location data.

While the report did not examine Apple’s App Store, Caltrider said her impression is that it’s not much better as far as accurately telling users about apps’ privacy policies. She is still confused by exactly what the labels are telling her.

The Mozilla report recommends that Google and Apple develop a unified framework to address user privacy issues for apps. At this point, Caltrider is loath to trust what she reads, and given the comparison to food nutrition labels, it’s worth keeping in mind that those took decades to make effective.

“I don’t trust the labels in either store,” said Caltrider. “I do my own research, in part because that’s my job. And I do my research to help other people so they don’t have to do. They don’t have to go read privacy policies. But in doing that research, I’ve learned I don’t trust them; I go to the source. And usually, even at the source, it’s still confusing. So there’s just, unfortunately, no good system for consumers right now to know what’s going on.”

