Invalid account/data deletion link listed in Google Play Store data safety form

[mikehardy]

Checked for duplicates?

• [X] This issue is not a duplicate

Does it also happen in the desktop version?

• [X] This bug does not occur in the latest version of Anki

What are the steps to reproduce this bug?

Click the AnkiWeb account deletion link as specified in our Play Store listing / Privacy Information form: https://ankiweb.net/account/remove-account

Additionally, the user should have an easily discoverable path to account deletion from within the ape

Expected behaviour

• See a page that conforms with the Google Account Deletion policy if user clicks the account deletion link

• See an account deletion option related to synchronization in the app (probably in the Settings -> Synchronization preferences are)

Actual behaviour

There is no link in the app in the synchronization area

And apparently the AnkiWeb page does not comply, they provide this information:

---

It is declared within the app that the user can create an account, but the deletion link provided to the user is invalid.

• Such web links must be functional (e.g., load without errors)
• televant in scope e.g.,
  • have a pathway for requesting account deletion prominently displayed on the page
  • and easily accessible
• The name of the app or developer must be known (that is, it must match the name shown in the Google Play store listing)

Apps whose issues are not fixed by May 06, 2024 may be subject to additional measures.

Debug info

AnkiDroid Version = 2.18alpha9-debug (41346ee1622c9b415e305beb31bdd16c4efbfb32)

Backend Version = 0.1.37-anki24.04 (24.04 429bc9e14cefb597646a0e1beac6ef140f226b6f)

Android Version = 14 (SDK 34)

ProductFlavor = play

Manufacturer = Google

Model = sdk_gphone64_arm64

Hardware = ranchu

Webview User Agent = Mozilla/5.0 (Linux; Android 14; sdk_gphone64_arm64 Build/UE1A.230829.036.A2; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/113.0.5672.136 Mobile Safari/537.36

ACRA UUID = a7cee435-bcba-4201-89b2-53da5b70e098

FSRS Enabled = false

Crash Reports Enabled = false

(Optional) Anything else you want to share?

Deadline for this is May 6th, 2024, though we may remove the URL and ask for an extension, it would only delay the work not remove the need for the work

More information here https://support.google.com/googleplay/android-developer/answer/13316080?sjid=10448148736023107502-NA#account_deletion (and note we should probably link to the Privacy Policy at the same time, in the same area as the account deletion policy

I think the page may be deficient for these reasons vs their explanation and the policy:

• [ ] the path for requesting deletion is not prominently displayed (for example a little process diagram of "1) access this page 2) log in to the account 3) click delete account link" 4) confirm ?
  • [ ] note that the destination URL of "remove-account" is not remembered for redirect after login if not authenticated which would be nice to have. So currently steps are "click remove-account link", "log in", "click account", "click remove account", "confirm", account is deleted...
• [ ] the name doesn't match - we are "AnkiDroid Flashcards" on Play Store listing but that is not listed on the page at all. This is difficult. We need to have that name on the Play Store, but the account is an "AnkiWeb" account based on the webpage. Is there a way to include some information on the deletion page that this account is used by all compatible Anki ecosystem apps including Anki Mobile, Anki Desktop, and AnkiDroid Flashcards?

Research

• [X] I am reporting a bug specific to AnkiDroid (Android app)
• [X] I have checked the manual and the FAQ and could not find a solution to my issue
• [X] (Optional) I have confirmed the issue is not resolved in the latest alpha release (instructions)

[mikehardy]

@dae curious if you can help us out on the account deletion page with the specific items I've made checkboxes of above - that is, detailing the account deletion path for users that land on the page, and 🙏 including, somehow, anyhow "AnkiDroid Flashcards" on the page as one of the applications that use the service and that will have associated data deleted

We need to add a link to the remove account page and privacy policy page in app as well

Note that if we use the account services that's enough to trigger the responsibility, we cannot avoid this by just removing in-app account creation as near as I can tell, and frankly that's user-hostile anyway as AnkiWeb is such a vital part of what makes Anki amazing. We've got almost all the pieces anyway this is just some tiny changes around the edges IMHO

[dae]

From that page:

The entity (for example, developer, company) named in the app’s Google Play store listing must appear in the privacy policy or the app must be named in the privacy policy. Apps that do not access any personal and sensitive user data must still submit a privacy policy.

I think rather than directly pointing to AnkiWeb's privacy policy, AnkiDroid will need its own privacy policy, which also covers usage of things like ACRA. In that, you could have a section on AnkiWeb, pointing out that it is a third-party service, and linking to its privacy policy. The person who listed the problems above does not seem to be aware that it's a third-party service.

[mikehardy]

From that page:

The entity (for example, developer, company) named in the app’s Google Play store listing must appear in the privacy policy or the app must be named in the privacy policy. Apps that do not access any personal and sensitive user data must still submit a privacy policy.

I think rather than directly pointing to AnkiWeb's privacy policy, AnkiDroid will need its own privacy policy, which also covers usage of things like ACRA. In that, you could have a section on AnkiWeb, pointing out that it is a third-party service, and linking to its privacy policy. The person who listed the problems above does not seem to be aware that it's a third-party service.

I believe this is a misunderstanding of the requirement.

AnkiDroid already has it's own Privacy Policy which covers the use of things like ACRA.

I believe the thing is that if you can sign up for an account in-app (which we can) it is not considered 3rd party, so there needs to be a page somewhere where you can delete the account outside-of-app that needs to have the Play Store name included so users have some confidence.

Looked at from a concerned-user perspective, it makes sense, and rather than seem onerous, it seems fairly user-friendly both to have in-app account creation (as we do) and also a quick short-list (for confidence) on AnkiWeb of the apps that are known to use it ("Anki Desktop, AnkiMobile, AnkiDroid, among others..."

I think at this point the only thing missing is actually that named call-out of AnkiDroid on the account deletion page on AnkiWeb

Is that possible or is this a sticking point for you so that we need to cast around for some other solution?

[mikehardy]

@dae meant to tag you for the above 👆

[dae]

Sorry for the delay, I'm swamped at the moment.

I'm not really convinced that this is something AnkiWeb should have to do, but I realise these restrictions are imposed on you, and you're looking for the easy path. I will try to get the page updated soon, but one complicating factor is that something in the AnkiWeb build pipeline has succumbed to bit rot, and I haven't yet had a chance to get to the bottom of it.

[mikehardy]

@dae had a thought on this and it occurred to me I/we can host a page on ankidroid.org that serves the purpose, with that page then handing off to ankiweb remove-account, which would remove the need for you to do anything on ankiweb

it appeared to me that you hadn't done the change yet - so hopefully this will save you some work? We're about to promote 2.18.0 on play store and I'll do the ankidroid.org interstitial-type page + re-point our Play Store removal URL to it before promote so Google can (hopefully) bless it and we can move on

[mikehardy]

https://github.com/ankidroid/ankidroiddocs/pull/140 + altering play store data handling URL to go to that new page should have this completely handled now