Google draws fire over data sharing on app store


SAN FRANCISCO — When someone buys Sebastian Holst’s Mobile Yogi app in the Google Play store, Holst automatically gets something he says he didn’t ask for: that person’s name, location and email address.

No other app store transmits users’ personal information to third parties when they buy digital goods, he said. And he and other mobile app developers say many people are unaware that their personal details are being shared.

“Google is not taking reasonable steps to ensure that this data is used correctly,” said Holst, whose apps have 120,000 users.


Google is coming under fire just as regulators in the U.S. and overseas are stepping up their scrutiny of how all the players in the industry — mobile app developers, stores, advertising networks and others — handle consumers’ private information. Regulators are pushing for greater transparency of what information is collected by apps and how it’s shared.

Google defends its app store’s operation, saying it’s set up differently from other stores’ to let customers interact directly with the app makers.

With Google Play, which launched in October 2008, an app developer sets up an account through the mobile payment system Google Wallet, which makes the developer a merchant in the store. When someone buys his or her app from Google Play, that transaction — and the customer’s information — is sent to the developer.

The app developer has to comply with rules about what he or she can do with the information, Google says. Google sees itself more as an intermediary, whereas when consumers buy apps from Apple Inc., iTunes is the merchant, and app developers say they never receive customer information.

“Google Wallet shares the information necessary to process a transaction, which is clearly spelled out in the Google Wallet privacy notice,” Google said.

Barry Schwartz, news editor of the Search Engine Land blog and an app developer, said Google’s system works better for developers and for customers.


“They are my customers, not Google’s and not Apple’s customers. They download our products. They call the developer with questions. We provide them the tools and the content,” Schwartz wrote in a blog post. “Apple doesn’t tell us who our customers are, and when we need that information to verify ownership or to give refunds, we are left with blindfolds on. Google, in my opinion, does it right by making the user who downloads the app our customer.”

But Danny Sullivan, founding editor of Search Engine Land, said Google should make it clearer to consumers that their information is being shared with third-party developers.

“I sure had no idea that Google Play did this,” Sullivan said.

Nor did Dan Nolan, an Australian app developer. He said he was astonished when he found out that Google was sending him users’ personal information. He wrote a blog post Wednesday condemning the practice.

“Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it’s made crystal clear to them that I’m getting this information,” Nolan said.

App stores have become the engines of the mobile economy. Apple kicked off the mobile app boom in 2008, but Google is catching up. As of October, Google Play had the same number of apps — 700,000 — as Apple, although Apple’s app sales still generate several times the revenue of Google’s.

Google is trying to gain an advantage by making it easier for developers to build apps and easier for users to buy them. Apps help fuel the growing popularity of cellphones that run Google’s Android software.

But privacy watchdogs say Google is not playing fair with Google Play customers by not making it clear who has access to their personal information.

In a 2011 settlement with the Federal Trade Commission, Google agreed it would ask users before sharing their data with outsiders after the government alleged the company had violated users’ privacy with its social network Buzz. The settlement also required the search giant to submit to independent privacy audits every two years for 20 years. Last year Google had to pay $22.5 million to settle charges for bypassing the privacy settings of millions of Apple users. It was the largest penalty ever levied on a company by the FTC.

Google denied that Google Play’s handling of personal information violated its agreement with the FTC.

“This is not a violation of the consent decree,” it said in a statement.

A commission spokeswoman declined to comment.

Google is not the only company that has drawn criticism for how it shared information with app developers. In 2011, Facebook Inc. agreed to a 20-year privacy settlement with the FTC that required the company to get users’ permission before changing the way it treats personal information. The FTC alleged that Facebook engaged in deceptive behavior when it promised that third-party apps would have access only to user information they needed, when in fact many apps had unrestricted access to users’ personal data.

“The question is: What constitutes meaningful consent?” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. “The bottom line is that users are not able to control how their data is being gathered and disclosed.”