The “Data safety” labels in the Play Store listings for many Android apps may themselves need a warning label, according to a new study from Mozilla.
The non-profit organization behind the Firefox browser checked the Google-mandated labels for the top 20 free and paid Android apps and found that most of the disclosures about data collection, usage, and sharing didn’t match the descriptions in the apps’ privacy policies.
“Overall, there were so many significant discrepancies between the apps’ own privacy policies and the information they revealed on Google’s Data Safety form that we’ve concluded the apps aren’t self-reporting accurately enough to give the public any meaningful reassurance about the safety and privacy of their data,” the report says. “Further, Google isn’t doing enough to ensure the information provided in their Data Safety Form is accurate and informative for consumers.”
Among the top 20 paid apps during the research period—Sept. 11 to Nov. 5, 2022—10 earned a grade of “Poor,” meaning a wide gap between the safety label and the developer’s privacy policy.
For example, the report flunks Minecraft both for linking only to the overall privacy policy of its corporate parent Microsoft and for then claiming no data sharing in its safety label when the Microsoft policy allows that in some circumstances. The other titles judged as “Poor”: Hitman Sniper, Geometry Dash, Evertale, True Skate, Live or Die: Survival Pro, Grand Theft Auto: San Andreas, The Room Two, Need for Speed: Most Wanted, and Nova Launcher Prime.
Five paid apps—Shadow of Death: Dark Night, Bloons TD 6, The Room, Modern Combat 4: Zero Hour, and Monument Valley—got a “Needs Improvement” grade, meaning their labels had “some degree” of overlap with developer privacy policies. And three paid titles—Stickman Legends Offline Games, Power Amp Full Version Unlocker, and League of Stickman 2020 – Ninja—came away with an “OK” verdict, which means the label and the policy essentially matched.
Free apps did a little better in Mozilla’s analysis. Six apps got whacked with a Poor grade; three are Meta titles (Facebook, Messenger, and Facebook Lite) and the others are Samsung Push Service, Snapchat, and Twitter.
TikTok, an app that in 2018 and 2019 was caught surreptitiously collecting device-level identifiers on Android, drew some special scorn in the report despite only landing in the “Needs Improvement” zone.
“TikTok’s Data Safety Form says it doesn’t share data with third parties, but its privacy policy provides a list of third parties it does share data with, including ‘third party integration partners,’ and third-party platforms like Facebook and Google,” the report says. “TikTok’s privacy policy also says it may share consumers’ personal data with advertisers and creators based on TikTok’s legitimate interests, without consumers’ prior consent.”
Nine other free apps got a “Needs Improvement” assessment alongside TikTok. Four came from Google (YouTube, Chrome, Google Maps, and Gmail) and two from Meta (WhatsApp and Instagram), with Free Fire, Spotify, and Truecaller: Caller ID & Block rounding out that list. Only three earned an OK grade: Google Play Games, Subway Surfers, and Candy Crush Saga.
Three apps—League of Stickman – Best acti and Terraria, both paid, and the free UC Browser—didn’t get a grade because they either didn’t come with a safety label or had a privacy policy too vague to judge.
The report urges that Google adopt a standardized label along the lines of the FDA’s Nutrition Facts to display app data collection, usage, and sharing; require app-specific privacy policies to allow easier comparisons by users; warn users more clearly that it doesn’t fact-check these labels; conduct its own regular reviews of these labels; and insist on narrower definitions of “collection,” “sharing” and “anonymized.”
Mozilla invited Google to comment on its findings and included its complete responses in the report: “If we find that a developer has provided inaccurate information in their Data safety form and is in violation of the policy, we will require the developer to correct the issue to comply. Apps that aren’t compliant are subject to enforcement actions,” one of Google’s responses reads in part. “Developers no longer can publish a new app or an app update if their Data safety form is incomplete or has unaddressed issues.”
Google introduced these safety labels in April of 2022, almost a year and a half after Apple began enforcing a similar requirement in its App Store in November 2020. (The Mozilla report notes that Apple has had its own issues with label accuracy, as highlighted in a January 2021 Washington Post report.) For a while, Google intended for the labels to replace the feature-specific lists of app permissions for such data sources as a device’s camera or its precise or approximate location that have long been the primary app-privacy tool in Android, but it relented after a predictable outcry over the notion of replacing an objective list of what an app is and isn’t allowed to do with a subjective list self-certified by an app’s developer.
Mozilla’s report is the latest output of its Privacy Not Included project, in which the non-profit attempts to point out privacy failings in the rest of the tech ecosystem. See, for instance, its annual gift guides flagging privacy-invasive gadgets best avoided by holiday shoppers.