Google Play App Purchases Found to Transfer Personal Information to Developers Without Consent

An Australian app developer has unveiled what he calls a “massive” privacy issue for those making purchases on Google Play, the store for Android apps.

Dan Nolan wrote on his blog that after logging onto his Google Play “merchant account” to see orders of his app, he found he had access to email addresses, suburbs and sometimes full names of people who made purchases, even if the person canceled their app order.

“Each Google Play order is treated as a Google wallet transaction and as such software developers get all of the information (sans exact address) for an order of an app that they would get from the order of something physical,” Nolan wrote. “Even underneath the order information there is a flag that says ‘Email Marketing’ with a value next to it, because of course scrupulous developers would always obey that flag.”

Nolan goes on to say that, with such information, Google Play customers could be harassed for, say, leaving negative reviews or asking for an app refund. He calls this a “massive oversight by Google” and notes that there is no reason developers should be able to obtain such information unless users opt in to allow it to be shared.

“Let me make this crystal clear, every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred,” he wrote. “This is a massive, massive privacy issue Google. Fix it. Immediately.”

In an interview with News.com.au, Nolan said he thinks this could impact everyone who has purchased an app through Google Play, noting he hasn’t found an opt-out feature during the purchase process.

“I don’t know whether it applies to free apps, but there are hundreds of thousands of apps that are available for pay on the play store and there are millions of people who buy Android apps out there, I’d say easily millions or tens of millions of people,” Nolan said to News.com.au.

Here’s what Google’s privacy policy states about sharing information with outside parties:

We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.

This “sensitive personal information” is defined by Google as “confidential medical facts, racial or ethnic origins, political or religious beliefs or sexuality.”

Google has not responded to News.com.au’s request for comment.

(H/T: Drudge Report)