Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Store Sends User Information To App Developers

Posted by timothy on from the always-the-first-to-know dept.

Several readers have passed on news of a privacy hole in the Google app store. Reader Strudelkugel writes with the news.com.au version, excerpting: "Every time you purchase an app on Google Play, your name, address and email is passed on to the developer, it has been revealed today. The 'flaw' — which appears to be by design — was discovered this morning by Sydney app developer Dan Nolan who told news.com.au that he was uncomfortable being the custodian of this information and that there was no reason for any developer to have this information at their finger tips."

23 of 269 comments (clear)

  1. "Flaw"? by elephant_hunter · · Score: 5, Insightful

    Today I learned that app developers don't deserve to be treated like real merchants

    1. Re:"Flaw"? by Anonymous Coward · · Score: 5, Insightful

      Hey, go build your app store and sell your apps...until you do no...your not a merchant...your a supplier. Google App store is the merchant.

      You seem to not understand your role here. You are not the making the sale. Google is. You simply getting your book/album/software distributed by a merchant. /really is that simple

    2. Re:"Flaw"? by dagamer34 · · Score: 5, Informative

      If this were the iOS or Windows Phone stores, then yes, that would be true. But with Google Play, the developer actually IS the merchant. The Play Store itself is only an intermediary. The system is setup like any other online store where there are "ordered" and goods are "shipped". Blame the fact that Google basically grafted the paid Android store onto a system that was meant for real-world goods. Honestly though, this isn't news. Every Android developer has known this for YEARS. And this is no different than any other online store out there.

    3. Re:"Flaw"? by elephant_hunter · · Score: 5, Insightful

      Hey, go build your app store and sell your apps...until you do no...your not a merchant...your a supplier. Google App store is the merchant.

      You seem to not understand your role here. You are not the making the sale. Google is. You simply getting your book/album/software distributed by a merchant. /really is that simple

      Does that mean that people who sell apps on Amazon or eBay aren't merchants either?

      You're the one who seems not to understand. The middle man doesn't matter. If I am making a transaction with a customer, I am a merchant.

    4. Re:"Flaw"? by gstoddart · · Score: 4, Insightful

      Today I learned that app developers don't deserve to be treated like real merchants

      If you buy ketchup at a grocery store, do they send your personal information to Heinz?

      Of course they don't.

      The app developers don't need to know anything more than how much they get paid. And in some cases, if Google is doing this -- it would be considered illegal.

      This is just colossal stupidity, there's no reason those companies should be getting any of this information.

      --
      Lost at C:>. Found at C.
    5. Re:"Flaw"? by node+3 · · Score: 4, Insightful

      Coke doesn't get my name when I buy their products in a store or at a restaurant. Levi doesn't either. Nor does Adobe when I buy their software at Best Buy. Or Lenovo or Microsoft or Sony. Neither does Rovio when I buy their apps on the App Store.

      The problem here is that Google really doesn't care at all about privacy. It's not part of their corporate culture, and it can't be, when their entire business model is centered around exploiting data, not protecting it. Primary to any Google service is Google's wholesale commercial access to every bit of data you provide. Privacy is then applied secondarily, usually in the sense of keeping the personal data within Google's proprietary control, and only releasing aggregated and somewhat anonymized data to third parties, but that's just an afterthought. It's window dressing to make the initial privacy violation more digestible. Which for most of us here, it is... up to a point.

      There are many things to like about Google, and I'm sure many here will (quite hypocritically) give up privacy in order to keep using the things they do like. I have no problem with this tradeoff if made knowingly, though it is annoying to hear people harp on with Benjamin Franklin quotes, then sell him down the river as fits their fancies.

      It's things like this which makes Apple's system so appealing for many. With Apple, you can trust that your privacy is an inherent part of the system. With Google, you privacy is inherently compromised from the get-go. Even MS is miles ahead of Google with regards to privacy, and MS has historically been one of the most cynically profit-driven companies to ever exist!

      Anyway, to your point, the developers already have my money. That's all they deserve from the transaction. If they want my name, email address, and location, they can ask for it. And if I'm willing to grant it, they can have it. Otherwise, they'll just have to settle for my money, which should be more than sufficient. If it's not, they can raise their prices, as I'd much rather pay up front for the things I use, rather than be on the hook with hidden costs that, unlike my checkbook, are often out of my control.

    6. Re:"Flaw"? by daniel78 · · Score: 5, Informative

      This is simply not true. Stupid as it may seem, Google has set up the Play store so that they are merely the "card processor". I agree that it seems a bit of a stretch, but that's the way it is. As such, the app developer really is the merchant. That's why you get receipts (via google checkout) from Joe Bloggs LLC rather than from Google itself.

    7. Re:"Flaw"? by node+3 · · Score: 4, Insightful

      If this were the iOS or Windows Phone stores, then yes, that would be true. But with Google Play, the developer actually IS the merchant.

      The problem here is that it's not presented that way. The Play Store appears, to the customer, exactly like any other storefront. If it's really more like a flea market with individual merchants all collected together under one roof, instead of like a retail store, then this is something that is not only obscured to the buyer (which is a gross deception), it's also not even obvious to the developers, who seem quite surprised to receive this amount of info.

      The Play Store itself is only an intermediary. The system is setup like any other online store where there are "ordered" and goods are "shipped". Blame the fact that Google basically grafted the paid Android store onto a system that was meant for real-world goods.

      I blame the fact on the combination of Google not caring one whit about end user privacy, coupled with Google's greatest strength: they do things in the quick-and-dirty somewhat Unix-style. Instead of creating a monolithic retail system, they slap together a few subsystems and call it a day.

      This is a strength when it comes to flexibility and speed of execution, but is a weakness when it comes to making something consistent and reliable for the user. I prefer products with well thought out designs, where every detail is worked over and refined, but I do also understand the appeal of the infinitely flexible. I won't tell anyone which they should prefer, but I will say that end users are being presented something that doesn't match the reality of the system being presented.

      Honestly though, this isn't news. Every Android developer has known this for YEARS. And this is no different than any other online store out there.

      The developers have known this, but this has been unknown to the users. I had no clue this happened (but assumed Google was nowhere near as protective of my privacy as Apple, so have kept that in the back of my mind when using the Play Store).

      However, I really would have greatly preferred to know this ahead of time. This isn't some design detail which needn't be exposed to the end user, but something that really needs to be openly and clearly made aware of. For me, this is a breach of trust, and while I won't eschew Google's services altogether because of it, I also won't quickly forget this breach either.

    8. Re:"Flaw"? by node+3 · · Score: 4, Insightful

      This! I've sold software on Google Checkout/Wallet since day one, and always expect/demand customers data. I would like to get data from iOS sales too! This developer needs to get a job.

      If you want my data, you are free to ask me for it. I'm quite offended to hear you "expect/demand" it. Why? It belongs to me, and if you want it, you may ask. If it's for income, just ask me to pay what your product is worth instead of tricking me with a low price and making up the difference with the theft of my personal data.

      This is exactly why I prefer Apple's iOS ecosystem. I know what I'm getting into, and am in full control over my personal data. I'm much more happy to part with a bit more money than with most of my privacy.

    9. Re:"Flaw"? by samkass · · Score: 4, Interesting

      If this were the iOS or Windows Phone stores, then yes, that would be true. But with Google Play, the developer actually IS the merchant. The Play Store itself is only an intermediary. The system is setup like any other online store where there are "ordered" and goods are "shipped". Blame the fact that Google basically grafted the paid Android store onto a system that was meant for real-world goods.

      Honestly though, this isn't news. Every Android developer has known this for YEARS. And this is no different than any other online store out there.

      Apple does not give you a 1099-- you are the seller, and Apple is acting only as an intermediary. That being said, Apple does not share ANY of this information with publishers. Even magazine sellers via Newsstand on an iOS device can only receive customer information if the customer opts-in to it. Apple's profit model is to sell more devices, and keeping strict privacy guarantees for customers helps sell devices. Google's profit model is to sell advertising, so people expect far less protection from Android. But legally they're both intermediaries between the buyers and the sellers.

      --
      E pluribus unum
    10. Re:"Flaw"? by PopeRatzo · · Score: 4, Insightful

      This! I've sold software on Google Checkout/Wallet since day one, and always expect/demand customers data.

      Can you give us a list of the software you sell via Google? I'd like to put it on my list of software to never buy.

      If you want to "expect/demand" by personal information, then expect/demand it from me, not from someone I'm doing business with.

      --
      You are welcome on my lawn.
  2. I thought it was creepy, yeah... by seebs · · Score: 4, Insightful

    It did seem a little... more information than I really needed, yes.

    I sort of assumed everyone knew, because when has Google ever cared about privacy?

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  3. Re:this is stupid by the+computer+guy+nex · · Score: 4, Insightful

    literally every single person that's ever sold at least one app on the app store since the beginning of the app store has "discovered" this

    The problem is literally (almost) every single person that has ever purchased an app doesn't know this, and those people outnumber the developers.

  4. Comment? No comment. by ljw1004 · · Score: 4, Interesting

    From the article:

    Google has not responded to news.com.au's request for comment.
    UPDATE: This story has been amended at the request of Google.

    So has Google responded or not?

  5. And why would that be? by Let's+All+Be+Chinese · · Score: 5, Insightful

    Real merchants don't "deserve" your personal details any more or less than appstore merchants. There may be a need to take your address for shipment, and in that case a phone number, email adress, or even additional shipment instructions may be useful. But they ought not be required without good reason.

    Note that credit cards muddle the picture by virtue of being a credit facility: You haven't actually paid yet so you are in debt and those obligations add identification requirements. Though strictly speaking all the merchant is supposed to do is pass it on to the credit facility for turning into money, and passing it in the clear is rather outdated, and well-known to be dangerous. Without credit as in payment by cash there and then, much of the need to identify you personally goes away.

    That this information is useful for profiling and all sorts of marketeering and so it's nice to gather, well, plenty furrin places you're not even allowed to do that. I'd say the practice to pass on information that really isn't needed is a dangerous habit that needs reconsideration.

    N'mind that it may possibly be useful to send emails in case of updates or whatnot. Passing that information automatically without need is a flaw, yes. Even if done by design.

  6. Seems legit by Animats · · Score: 4, Insightful

    I'm not sure I see a problem here. The seller is told who the buyer is. That's reasonable enough. It also keeps Google honest with respect to sellers - you can have some people make test buys and make sure that Google pays you for them.

    I'm generally critical of Google's non-approach to non-privacy, but here, there's a real transaction, with money.

  7. This is new? by Niris · · Score: 5, Informative

    Wait, this is new? I released my first paid app in November, and the only information you get is email, zipcode/city and name. I've been using the zipcode information to put pins in a map to see everywhere in the world I've sold to, heh.

  8. i use it to find and kill anyone who writes a bad by alen · · Score: 5, Funny

    review

    i don't tolerate any bad reviews on my apps. i either kill them myself or take a hit out

  9. I didn't realise this was a secret by Bogtha · · Score: 4, Interesting

    I understand that it might not be immediately obvious, but I don't think this was a secret by any means. It uses Google Wallet for payments, which is essentially Google's answer to PayPal, and this gives your contact details to the person you are buying from. The first time I bought anything from Google Marketplace, I received a confirmation email from the developers themselves, it never occurred to me that people might not realise this.

    I can see both sides of the argument. I've seen what happens when developers don't have this information, such as with Apple's App Store - it's very frustrating as you want to reach out to customers that have had problems and posted negative reviews to try to solve their problem and prevent it from happening to anybody else, but you've got no way of contacting them.

    On the other hand, I've been spammed by people I've bought goods from through Amazon's Marketplace, so I'm not keen on that happening again. The ideal solution would be for Google to provide a forwarding, anonymised email address to the developers, like Facebook do with Facebook app developers.

    --
    Bogtha Bogtha Bogtha
  10. this is simply not true by spottedkangaroo · · Score: 5, Informative

    You do get name, city name, and zip... you do not get an address. That's simply false.

    --
    Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
  11. Inaccuracies in the article! by Agent0013 · · Score: 4, Informative

    I am a Google Play developer. I have noticed that I get the names, email, and location of the purchases. This does not include the address though. Only the town, zip, and country. I have looked back at old records and see the email address listed in the purchase records, but I seem to recall this being obscured previously. Unless I am mistaken in some way, it used to give a long apparently randomly created email address for each purchase. I had assumed that this would forward or link to their real email address through Google's records of the purchase, but it looks like they did away with that and now just have your email address listed in the purchase record.

    Personally, I find no reason to have the email address. There is nothing I would want to contact them about. But the sales are in a more general form. It's actually Google Checkout that does the sales for the Google Play store. You could sell knitted sweaters through your Google Checkout account and the shipping and delivering and returns are all a part of the processing procedures. When someone cancels a Play purchase, the entry has a notice to me that I should not ship the product to them. This is even though it is an Android App that Google itself handles all the delivery of. So I can see why some contact with the buyer might be necessary in some cases, but not with a typical Play store purchase.

    <Rant Begin> The people I would really like to be able to contact would be the ones who leave stupid reviews. "One Star - It really needs so and so feature!" Hey dumbass - it has that feature! Of course I am much more polite with my real communications to bug reports and such, but it amazes me how many people don't even pay attention to the hints, instructions, and preferences that I have given to make sure they see what they can change. <Rant End>

    --

    -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
  12. Re:And this is a surprise how? by kllrnohj · · Score: 4, Informative

    and voluntarily pipes all of it to various 3 letter agencies in the U.S

    Bull. Fucking. Shit.

    Google only hands over data when legally required to and documents complied requests publicly: http://www.google.com/transparencyreport/userdatarequests/

    And FYI, every web server logs every request you make - that's web server admin 101.

  13. Re:That Depends by markana · · Score: 4, Informative

    I have free apps in the Play store - and have *never* recieved customer information about those apps. Never. The customer info is only for paid apps, to facilitate tax collection.