Today, we’re announcing additional details for the upcoming safety section in Google Play. At Google, we know that feeling safe online comes from using products that are secure by default, private by design, and give users control over their data. This new safety section will provide developers a simple way to showcase their app’s overall safety. Developers will be able to give users deeper insight into their privacy and security practices, as well as explain the data the app may collect and why — all before users install the app.
Ultimately, all Google Play store apps will be required to share information in the safety section. We want to give developers plenty of time to adapt to these changes, so we’re sharing more information about the data type definitions, user journey, and policy requirements of this new feature.
This basically means Android and the Play Store are getting the same kind of privacy labels as Apple introduced in iOS and the App Store. This is competition at work, and it’s great that both platforms will soon offer this feature.
This is definitely a positive step, and it’s also positive that the requirements will apply to Google’s own apps too (although not to Android itself, of course, which makes it less significant). But I’m wondering how to read this part:
Does this mean “Developers shouldn’t expect us to fill out these details for them” or does it mean (more likely) “Developers must tell the truth, but we won’t be checking whether they do or not”?
The inner workings of apps have been opaque to most users for far too long, which has led to developers getting away with things that they might not be able to do otherwise. The more information users get so they can make informed choices the better.
flypig,
This is a privacy vs security issue at core, plus a hint of limits of computation.
There are two *impossible bottlenecks*:
1- The apps can ask for Internet connection for valid reasons, and that is okay. They can even ask for regular ads. However without extensive human investigation, it is technically not possible to know the exact data that is sent (limits of theory of computation).
2- The servers themselves can collect basic logs, like HTTP request logs. However without opening up all their infrastructure to another extensive human investigation, nobody can prove what is being done with that data (joined with 3rd party databases? sold for profit? kept for years even though they promise only 14 days?).
Yes, basic checks can be done for simple things (i.e.: if the code asks for contact lists in the background and then immediately sends those in clear text), or (i.e.: the company openly advertises user data for sale). However no amount of technical analysis will be sufficient to cover 100% of the possibilities.
I can’t help thinking that when I do care about feeling safe online, I don’t go near Google anything with a twenty foot pole.