Google Play privacy slip-up sends app buyers' personal details to developers

Google is sending user name, email and suburb details to Android developers without asking for permission, according to an Australian app developer.
Written by Liam Tung, Contributing Writer

Without asking permission, Google sends developers the personal details of everyone who buys their app from Google Play.

According to Australian developer Dan Nolan, Google sends him the name, suburb and email address of consumers that his app — enough to "track down and harass users who left negative reviews". 

Nolan discovered the trove of customer data on his "merchant account" recently while updating his seller payment details.

Logo of app for the sharp-tongued former Aussie PM, Paul Keating
Logo of app for the sharp-tongued former Aussie PM, Paul Keating. Credit: Synthetica Pty Ltd

The main problem is that Google is not asking explicit permission from buyers to share that information with developers, Nolan said. "This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it's made crystal clear to them that I'm getting this information," Nolan posted on his blog on Tuesday.

"This is a massive, massive privacy issue Google. Fix it. Immediately," he added.

The Android app that is providing Nolan with Google Play customer details is the Paul Keating Insult Generator, an app that spits slander in a style the former Australian Labor Prime Minister is famous for. One of many Keating insults was his take on former opponent John Hewson: "He's like a shiver waiting for a spine."

Nolan told news.com.au he wasn't sure whether Google also gave out customer details to developers of free apps, but added that the same practice for paid apps was applied globally. By contrast, Nolan noted that Apple only sent the quantity of sales in each country to developers.

"If you bought the app on Google Play (even if you cancelled the order), I have your email address, your suburb, and in many instances your full name," said Nolan.

Google had not responded to a request for comment at the time of publishing this article.

The Terms of Service document for Google Play do not mention the practice of sharing details with developers of purchased apps. However, it does note that email and address details can be shared with magazine publishers.

The "how we use information we collect" section of its broader Privacy Statement notes that Google shares user information between Google services, excluding Double-Click, and that it "will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy."

ZDNet is awaiting responses from other Android developers.

Editorial standards