There has been a backlash over Google’s decision to ditch app installation permissions in its Play Store on Android OS in favour of a developer-written informational ‘Data Safety’ blurb.
The new measures override the request for consent that would occur before installation of an app, instead opting for a dedicated section in the Play Store for each apps' individual data practices.
In an informational video and support page, Google outlines the new Data Safety section as split into three distinct areas, being ‘Collected Data’, ‘Shared Data’ and ‘Security Practices’.
The Collected and Shared data sections detail the information collected by apps, such as location data, app activity and personal information, as well as which data is shared to third party entities.
Furthermore, the data types outlined in the ‘Shared Data’ section are separated by mandatory and optional qualifiers, which indicate whether a user is able to manually opt out of certain data sharing functions.
Under ‘Security Practices’, users can expect to find information regarding the safety measures used by the application, such as data encryption, deletion practices, and whether the app has undergone an independent security review.
Google claims this new approach would require developers to "give people more information about how apps collect, share and secure users' data."
Google faces outcry
Whereas the previous app permissions employed by Google provided a factual, computer generated record of the permissions an app can request, the new Data Safety section is written by the developer of the app.
These changes have sparked major criticism from security and privacy experts, with one of the most common concerns being a lack of appropriate regulation in the Play Store.
Sunny Nehra, founder of cyber security startup Secure Your Hacks, pointed out "in most of the apps, as of now, there is no info available in the Data Safety section."
"Seems Google launched it in a hurry." he added.
In a post on the Risky Biz news website, news curator Catalin Cimpanu said, "this latest controversy just shows once again the lack of regulation, oversight, and insight we all have over some data brokers' practices."
While Google has stated that app developers will face "enforcement" if they lie about information they provide, they also specified they would take action "when Google becomes aware of a discrepancy" between an app behaviour and app declaration.
Furthermore, the Google Play Help page specifies outlying circumstances wherein a developer can forgo declaration of data being transferred to others as "shared".
This includes situations wherein "data is transferred to a service provider to process it on the developer's behalf", such as a third-party hosting provider, or where "the data is transferred for specific legal purposes, such as in response to a government request”.
The latter exception gave way to particular concerns regarding data transits through internationally-operated services.
For example, China's National Intelligence Law of the People's Republic of China, potentially compels businesses who "have operations in China" to hand over information to Chinese intelligence agencies.
This law notoriously led to bans of apps such as TikTok in certain countries, yet the Play Store seems to apply exceptions to data sharing declarations when it comes to this type of government-requested data sharing.
The data outlined in the Data Safety section is separated into a number of categories and subcategories, including personally identifiable information such as name, email address and phone numbers.
Other kinds of data categorised by Google include "Race and Ethnicity", "Political or religious beliefs" and "Sexual orientation", which are all used heavily in modern algorithmic models.
Given the amount of backlash Google has received following this news, it has since taken to Twitter to state it will roll back the applied changes.
The tweet on the official Android Developers twitter account states, "We heard your feedback that you find the app permissions section in Google Play useful, and we've decided to reinstate it".
For the time being, the new Data Safety section will display concurrently to existing app permissions, rather than entirely replacing them.
