An investigation into data safety labels for Android apps available on the Google Play Store has uncovered "serious loopholes" that allow apps to provide misleading or outright false information.
The study, conducted by the Mozilla Foundation as part of its *Privacy Not Included initiative, compared the privacy policies and labels of the 20 most popular paid apps and the 20 most popular free apps on the app marketplace.
It found that, in roughly 80% of the apps reviewed, "the labels were false or misleading based on discrepancies between the apps' privacy policies and the information apps self-reported on Google's Data safety form."
"The apps aren't self-reporting accurately enough to give the public any meaningful reassurance about the safety and privacy of their data," Mozilla further said, adding consumers are being led to "believe these apps are doing a better job protecting their privacy than they are."
Three of the apps – UC Browser - Safe, Fast, Private; League of Stickman Acti; and Terraria – did not have their Data safety sections filled at all. A mere 6 of the 40 apps received an "OK" grade.
Last year, Google began rolling out a new Data safety section on the Play Store that spells out the apps' privacy and security practices. It's also the company's answer to Apple's app privacy labels that came into effect in December 2020.
However, there are some crucial differences. Apple's labels emphasize what data is being collected, including data collected for tracking purposes as well as information that is linked to the user.
Google's labels, on the other hand, allow developers to provide more context as to why such data collection may be required and the security principles used to safeguard the information.
That said, both systems rely on developers to be transparent about how their apps use data. While Apple has instituted routine checks to ensure that the labels don't provide a false sense of security, Google leaves developers to make "complete and accurate declarations."
Now, according to Mozilla, these self-reported labels may not accurately represent an app's data-gathering practices, which calls into question the effectiveness of such a framework in enhancing privacy transparency and enabling users to make informed decisions.
"For example, Google exempts apps sharing data with 'service providers' from its disclosure requirements, which is problematic due to both the narrow definition it uses for service providers and the large amount of consumer data involved," Mozilla said.
To that end, Mozilla refutes Snapchat, TikTok and Twitter's claims that their apps don't "share user data with other companies or organizations," stating that the apps' privacy policies explicitly mention sharing user information with advertisers and internet service providers, among others.
It's worth pointing out here that apps can be exempted from disclosing data sharing provided they have sought users' consent, if the data is being shared with a developer's service provider, or if the data is fully anonymized.
The American non-profit is also recommending that Apple and Google adopt a universal nutrition labeling standard, alongside urging the tech giants to "explain their enforcement action against apps that don't comply and take some responsibility for ensuring the accuracy of the information apps report."