Google asks journalists to tone down story of "massive" Google Play security flaw

By Daniel Eran Dilger

After reporting that Google Play now distributes Android app buyers' location and contact information to developers, a journalist was contacted by the search giant with a request to tone down the story, its headline and its SEO information.

Google Play's "massive oversight" in undisclosed sharing of customer data

The original story, run by Australia's News.com.au, was headlined "Massive Google security flaw puts users' details on display for all to find."

It outlined a recent policy shift at the Google Play online software and media store run for Android users, which now forwards developers the personal information of buyers, including their neighborhood and email address. The sharing of customers' data is not outlined in either Google Play's Terms of Service or in the company's privacy statement.

The undisclosed sharing was discovered by Australian developer Dan Nolan, who noted in a blog entry, "every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred."

One risk of the undisclosed sharing noted by Nolan was that, "with the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase."

A greater risk is that, with millions of names being distributed to every vendor of paid apps on Google Play, the likelihood of a security breach through malware becomes very high. Customers who entrusted their details to Google are now having their information spread across a variety of developers who may not even have a security policy.

Nolan told the site that nobody has been talking about Google Play's undisclosed sharing because "the people who would have paid attention to it were likely exploiting it and selling users' personal information, using it as an extra source of revenue on top of what they were making off their Google Play / Android app."

He added, "This is a massive oversight by Google."

Google seeks to bury story, tone down articles and SEO on the subject

After publishing the story, News.com.au reported that "this story was amended at the request of Google. News.com.au took out the words 'massive' and 'huge' - referencing the size of the security 'flaw'. The word 'flaw' was also put into inverted commas."

Google wouldn't comment on the record, but apparently views the issue of sharing customers' data as a non-newsworthy policy that shouldn't be reported as a security flaw, especially not as a serious one that users should take notice of.

The author, Claire Porter, added a comment on the story after its headline had been neutered to the nicer "Google 'flaw' puts users' details on display" that stated, "For the people asking how the story was amended: Despite the fact that Google refused to comment on the record, I was asked to change the headline (both the homepage headline and SEO headline inside the story), as well as the standfirst and lead (first paragraph). Google's issue was with the use of the word 'flaw.'

"Apparently a system that is designed to share users information with developers without their knowledge or permission and without explicitly saying so in any terms of service is not considered to be a flaw," Porter wrote.

"I have no problem amending stories if they are factually incorrect but the fact is neither developers nor customers were aware of this information sharing and Mr Nolan is not the only developer to express concern over having this information at his disposal. There's little reason app developers should have this information. If Google was going to share this information they should have been clear about this from the start. Hope this clears things up."

Developer bonus or customer privacy flaw?

Many of the user comments on the issue found no problem with Google sending users' personal data to developers, with one complaining that the issue was just a matter of unfairly comparing Google with Apple's higher standard for security in the App Store.

Developer David Brown wrote, "Apple hide[s] all of these details because they're control freaks! I have details of every customers I have, whether they paid through PayPal or credit card...does that mean I'll go and harrass [sic] them if they dislike my service?"

Customers have overwhelmingly chosen to buy more apps from Apple's iOS App Store than from Google Play, but this may have more to do with the selection and quality of apps available for iOS rather than an informed customer base that's done the research to know whether an online vendor is likely to share their personal data without notice or permission.

By leaning on reporters to remove unflattering portrayals of its security policy from their headlines and SEO (used to enable the discovery of articles via search engines), Google can help ensure that the issue isn't a factor in reducing sales in Google Play without needing to tighten up its security policy or enforce any constraints on its developers to protect Android users' privacy rights.