Data Safety instead of App Permissions

Google Play’s app descriptions have a new Data Safety section now. We explain why this isn’t such great news.

Data Safety section on Google Play

Starting July 20, all developers who publish Android apps in the Google Play store must detail what data they collect and how they use it. However, this undeniably positive innovation has been rather overshadowed by the forces of “optimization”: now, before installing an app, you have no way of knowing what data sources it’s tapping. We give a brief overview of what’s changed and explain how to assess the risks to your privacy going forward.

What’s changed

In April of this year, Google implemented a new feature on Google Play to allow developers to specify what data apps collect and for what purposes. As of July 20, this option became mandatory: developers that don’t add such descriptions risk having their apps removed from the store.

This description in the special Data Safety section on Google Play looks something like this:

The section with information about collected data

Information about collected data can be viewed directly on Google Play before installation

You can also see a detailed list of collected data:

The Data Safety section on Google Play; information about data collected by apps

Developers are now required to disclose what data they collect

This positive change follows a similar move by Apple. Before, Google allowed you to assess an app’s interest in your personal data only indirectly — by examining the list of permissions it requested. In the app settings in Android, these permissions look as follows:

App permissions in the Android settings

Permissions describe the specific sources on your phone that the app will collect data from

Sometimes it needs permissions to function properly. For example, you can grant a mail app access to your contacts list. But you don’t have to! And remember, most permissions given to apps can be revoked at any time. But don’t be surprised if some features no longer work afterward.

On July 13, shortly before the introduction of the new rule for developers, someone tweeted about a small but significant change: the new Data Safety section was added in the app descriptions, but the app permissions list was removed at the same time. A somewhat controversial move, it can surely be said.

Why Data Safety is no substitute for App Permissions

Sure, the new section in the description can help you decide whether or not to install the app. For example, if a simple tool wants your name, e-mail address and access to photos, it makes sense to look for another one that will do the same job without asking for anything.

However, Data Safety and App Permissions are not quite the same thing. The former addresses the question: What data will be collected? The latter specifies the sources of this data. This can be important for assessing how critical this data collection is for you. Let’s say that information about your contacts can be collected from your friends list in the app itself, or from the contacts list on your phone. Clearly, these can be very different lists — just imagine, for example, it’s an online dating app.

And most importantly: Permissions in the description on Google Play were prescribed automatically, based on the actual features of the app in question. The Data Safety section, on the other hand, is filled out by the developers themselves, manually. Google can only hope they will do so in good faith.

How to live with the changes

The purpose of the Data Safety section is to provide users with more information about how apps affect privacy. At the same time, however, Google has reduced the amount of information for assessing this. When browsing apps on Google Play, you will no longer be guided by questions like “Why does an alarm clock need access to my photos and location?” Such data is no longer provided.

That said, for clarity’s sake, we should point out that only the list of permissions in the app descriptions on Google Play has disappeared. The Android permissions mechanism has not gone anywhere. As before, you can still permit or forbid an app to access certain sources of information within the operating system: camera, geolocation, contacts list, etc.

Therefore, we recommend a two-step procedure for assessing the potential privacy risk on Android. First, take a close look in the Data Safety section on Google Play at what data the app will collect about you. If you’re happy, install the app, then check what permissions it wants after installation. If something doesn’t feel right, don’t give unnecessary access to your data (or revoke it if already granted).

Bear in mind that neither Android’s existing privacy controls, nor the above-described innovation will solve the (albeit rare) problem of malware on Google Play. Therefore, as ever, we advise installing a reliable security solution on your Android smartphone.

Tips