Last night during the Droid Life Show, we received a tip about a potential security risk through Google Play. Apparently, when you buy an application through Google Play, certain information is sent to the developer of the app such as your full name, billing zip code (sometimes the town as well), and your email address. What has some people worried is that either someone with a malicious intent could be either taking this information and selling it or that your more important information, such as credit card info and banking credentials could be at risk.
On the show we had Dave Kover as a guest, a developer who sells applications on Google Play, and brought it up to him. He gave us insight into what developers actually see in the developer console and what takes place inside Google Checkout when you make a purchase using your credit card on Google Play. He was also kind enough to share some screenshots with me for the intent of putting people’s minds at ease.
The below shot is a broad overview of what developers see when you buy an application. Without going into an individual sale, you have an order number, the total price charged, order details (name of buyer and what they bought), and the sale date.
Once you go into a more detailed look of a sale in Google Checkout, this is where some information could be deemed “at risk” if under the right circumstances. We have our very own Kellex’s sale record to look over and as we can see, it is pretty detailed, but only detailed enough to make for a secure buying process on both sides of the table. We see his name, billing zip and town, what he bought, how much it was and that’s it.
Such information may also be used to assist third parties in the provision of products or services that you request from them.
I think that the real issue here is that this system is simply not designed for selling/purchasing of digital content. While it works just fine for now, I asked Mr. Kover to give me a better reasoning into why Google Checkout could use some work in this area of buyer/seller information sharing.
The fact that the order system contains references to items being charged and shipped separately. You receive emails about canceled orders, which would make sense if you had physical products which you might not want to mail out. For a digital marketplace, not so much.
To sum it up, we know that bad people will do bad things. Given that logic, should that mean Google needs to rework how much information is shared in order for a buyer to feel safer when buying apps off of Google Play? I think that is something we as consumers should answer on an individual level. Allow users to opt-in or out of a more detailed transaction possibly. As for me, I’m not against a developer having my billing zip or my email address, as long as they don’t stalk me after I give them one star on their crappy app.
Update: There was a mention that developers could take any type of personal information and still sell it to another party. In fact, there is a very lengthy section in the Seller’s Terms of Service that prohibits such usage of a buyer’s information. This is Section 7 part 1 named “Confidentiality and Proprietary Rights.” You can view that here, since it would take up too much space if I copied and pasted.
What do you think? Is there a potential risk here?
Cheers Michael and Aadi!