Google Play’s new “privacy” section actually hides app permissions

Google’s development deadline for the new “Data Security”section of the Play Store is next week (July 20), and we’re starting to see what the future of Google Play privacy will look like. The actual “data security”section started rolling out in April, but now that the development deadline is approaching… is Google turning off the separate “app permissions”section? This doesn’t sound like a great move for privacy at all.

The new “Data Security”section in the Play Store is Google’s response to a similar feature in iOS 14, which displays a list of developer-provided privacy considerations, such as what data the app collects, how that data is stored, and to whom that data is shared. At first glance, data security entries may seem very similar to the old app permission list. You get things like “location”and in some ways it’s better than a simple list of permissions as developers can explain how and why each bit of data is collected.

The difference lies in how this data gets into the Google system. The old app permission list was guaranteed to be the actual one because it was automatically generated by Google by crawling the app. Meanwhile, the data security system works based on the honor system. Here is Google’s explanation for developers on how the new section works:

You are solely responsible for providing complete and accurate statements in your app’s store listing on Google Play. Google Play checks apps for compliance with all policy requirements; however, we cannot make decisions on behalf of developers about how they handle user data. Only you have all the information you need to complete the data security form. When Google becomes aware of a discrepancy between your app’s behavior and your declaration, we may take appropriate action, including enforcement.

It wasn’t entirely clear that the permissions section would disappear once Data Safety was launched. A strange regression from computer-verified facts to the honor system. It’s also hard to trust Google’s ability to “know about non-compliance”on the “Data Security”screen when the Play Store already has a huge number of compliance and compliance issues. It seems like it would be better to combine the two systems – generate a list of permissions and let the developers describe how each is used.