In fact, this is not just a glitch in Google’s app store software, but rather Google’s app store policy, which appears to be by design and which it states in its Privacy Notice. The loophole was discovered by Sydney app developer Dan Nolan, who informed news.com.au that he was uncomfortable being the custodian of this information and that there was no reason for any developer to have this information at their fingertips.
Without asking permission, Google sends developers the personal details of everyone who purchases their app from Google Play. Now, privacy advocates believe that Google has not publicized the policy enough for consumers to fully understand that their personal data is being shared with developers.
As usual, the Terms of Service document for Google Play does not mention the practice of sharing details with developers of purchased apps. However, it does note that email and address details can be shared with magazine publishers.
The “how we use information we collect” section of its broader Privacy Statement, meanwhile, only indicates that Google shares user information between Google services, excluding DoubleClick, and that it “will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.”
According to Nolan, he unmasked the trove of customer data on his “merchant account” recently while updating his seller payment details. He says that Google sends him the name, suburb and email address of consumers who purchase his app, enough to “track down and harass users who left negative reviews”.
In fact, the main problem is that Google is not asking explicit permission from buyers to share that information with developers, Nolan said. “This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it is made crystal clear to them that I’m getting this information,” Nolan posted on his blog on Tuesday.
Nolan also noted that he was not sure whether Google gave out customer details to developers of free apps, but added that the same practice for paid apps was applied globally. By contrast, Nolan mentioned that Apple only sent the quantity of sales in each country to developers.
“If you bought the app on Google Play (even if you canceled the order), I have your email address, your suburb, and in many instances your full name,” said Nolan. “This is a massive, massive privacy issue Google. Fix it. Immediately,” he added.
In addition, the sharing of customers’ details is not described in either the terms of service on Google Play or in the company’s privacy statement, according to AppleInsider.
Lastly, what happens if these details are stolen via a malware attack on a developer’s machine? Will Google take responsibility? Or will it still claim to be a company that does no evil?
Google has not responded to news.com.au’s request for comment. And ZDNet is awaiting responses from other Android developers.