As if the horrifying wave of malware affecting Android devices (which can now even infect your PC!) wasn’t bad enough, ZDNet reports that Google is also sending users’ personal information to Google Play developers (including names and addresses) without permission – a massive privacy violation if there ever was one.
Without asking permission, Google sends developers the personal details of everyone who buys their app from Google Play.
According to Australian developer Dan Nolan, Google sends him the name, suburb and email address of consumers that his app — enough to “track down and harass users who left negative reviews”.
Nolan discovered the trove of customer data on his “merchant account” recently while updating his seller payment details.
Nolan expands on the comments in a post on his personal blog, Internet Hugbox:
Let me make this crystal clear, every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred. With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase. The problems on android of app permissions (and subsequent potential for malware aside) is one of active negative behaviour on the part of an app developer. This isn’t. This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it’s made crystal clear to them that I’m getting this information. This is a massive, massive privacy issue Google. Fix it. Immediately.
Needless to say, this is a very bad thing. Nolan gives Google the benefit of the doubt by assuming this is an oversight. For Google’s sake, I certainly hope that’s true – leaking private customer information intentionally would definitely cross the line of trust for a large number of their current (and potential) customers. You can count on there being some legal action related to this whether it was intentional or not – a customer’s private information should remain private.
Either way, shame on you, Google. You owe your customers an apology – and it would be worth addressing this concern sooner rather than later.