maxieds / ChameleonMiniLiveDebugger

Live logger and GUI tool for the Chameleon Mini developed for Android OS in Java.
GNU General Public License v3.0

Privacy concerns for users (new policy, full disclosure here, and bits of opinionation about Google) #17

Closed maxieds closed 3 years ago

maxieds commented 5 years ago

Google's selective policy and stance on disclosure is beyond me. The latest version of the application has remained untouched in its original binary upload on play store, but yet I have recently been issued the following non-negotiable ultimatum in my direction. It would take them longer to respond to and then subsequently deny an appeal based on my objections, so I have decided to comply with the advent of automated software that assists them in finding violations to their enormous list of policy. What's worse is that they are effectively unaccountable with respect to said policy, as I digress by saying I have experienced before. The new privacy policy will be maintained on the WIKI site with this repository, will be linked on google's store, and will eventually work its way onto your phone as an addendum to the About section in the app.

=====

I want to share with you all the email I was sent about this app (which to those unfamiliar with the Android API, requires negligible permissions as an app that actually provides more than hello world on it). Google likes to engage itself in a little subset of electronic policy pushing we can safely call selective disclosure, which is not unlike an amnesia of the same type. They are effectively not bound to protecting the privacy of their users in any way unless you yourself can shift the ground and convince a US district judge to issue you an order which requires them to even look at their logs on your behalf. This doesn't tend to happen in practice for those of us who have merely had our email accounts cracked by some malicious a....le who would. Microsoft buys GitHub, puts C# compilers for .NET on Ubuntu, and the analytics devil fills the void to make up for it.

As I'm sure most of the folks out in play store userland have not been advised of this breach of your security, it makes me feel better to provide you with what I can claim as full disclosure on my end. It also makes me happy to give Google the middle finger by doing this. There are after all enough users of the app at this point that you all, at your choosing, could generate a class action lawsuit for their neglect of your privacy rights. This of course causes the analytics devil stress, so I'm happy to oblige before I have to go and fix a broken months old copy of Gradle so Google doesn't cripple my app over the advertising IDs that we now know are unique on an Android phone.

=====

The email in question (boldface and links suppressed in translation)

Hello Google Play Developer,

Our records show that your app, Chameleon Mini Live Debugger, with package name com.maxieds.chameleonminilivedebugger, is currently in violation of Google Play policy. You must resolve this issue within 7 days of the issuance of this notification, or your app will be removed from Google Play.

Reason for warning: Violation of Usage of Android Advertising ID policy and section 4.8 of the Developer Distribution Agreement

Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. We’ve identified that your app collects and transmits the Android advertising ID, which is subject to a privacy policy requirement.

If your app collects the advertising ID, you must provide a valid privacy policy in both the designated field in the Play Console, and from within the app. Make sure your privacy policy is available on an active URL, applies to your app, and specifically covers user privacy.

Please note that the following examples do not qualify as a valid privacy policy URL:

- URL does not load reliably or times out
- URL opens a home page or license agreement instead of a Privacy Policy, and does not provide the required privacy disclosure
- URL opens a page which does not clearly reference your app or company
- URL requires a special handler to read the file (.pdf, docx) - Privacy disclosure must be in text form (unless clearly accommodating for user accessibility purposes)

Action required: Add a privacy policy to your store listing and app

Read through the Usage of Android Advertising ID and User Data policies, as well as the Developer Distribution Agreement, and make appropriate changes to your app. Be sure to include a link to a valid privacy policy on your app's store listing page and within your app. Make sure that your app is compliant with all other Developer Program Policies. Additional enforcement could occur if there are further policy violations. Sign in to your Play Console and submit the update to your app. Alternatively, you can opt-out of this requirement by removing any requests for sensitive permissions or user data.

Thanks for helping us provide a clear and transparent experience for Google Play users,

Regards,

Jared

The Google Play Team

My viewpoint and why I'm in such a pi$$y mood about having to comply

A privacy policy for the users of the software I take pride in developing in my free time is issued [here](). It is a respectful account which justifies the permissions the app assumes. Absolutely no data is transmitted to me or through my devices once I register the signed binary APK files with Google. That is not to say that statistics and massive amounts of user data are not being transferred, registered and cataloged about you through the play store (there is). It's just that I have not facilitated it.

It's curious that given all of the device data that is made available in the developer console, what really lights the analytics devil's tail on fire is an advertising ID. More than to a stubborn adherence that software should be made free, I would not ever choose to profit by adding advertising to this application because I have worked hard to get the buttons aligned just so, provide a consistent ("hacker punk" say some) theme which looks good. Google's firebase API and animated advertising would make my efforts look ugly on my phone.

I have finally just concluded that the unaccountable analytics devil some people buy stock in as Google, is an order of magnitude worse than Microsoft has ever been. This is no light statement. And I'm not happy with this eventual realization.

My recommendation to those users (of my lovely hacker app, which is another reason I can take pride in maintaining this code base) who have a good reason to want this crap off of your phone is to remove your install with play store. Go clone my repo, audit the Java code as you see fit, then -disable most of the libraries that come stock with Android studio-, roll your own and install that way.

maxieds commented 5 years ago

There's also this, which was really just the first bit of user data I could click my way through on the developer console: wtf-batman

I think I'm finally ready to pay for a private email account. Have a nice night.

maxieds commented 5 years ago

Here is the link: User Privacy Policy.

maxieds commented 5 years ago

And for the record, I don't think that this is an overreaction. Is anyone else vaguely concerned that a "security" app supporting a dev board that only a cracker/hacker would buy had a leak of user privacy details (or advertising IDs, which are about as detailed)? Surely, I am not the only one who can get my chain pulled by Google? Their policies towards privacy and aggregations of user data are not to protect the users, they're formulated by skyscraper deep teams of landsharks to obscure any attempts by users to make them accountable for the ***t they do and profit from.

I will pose one more observation, that it may provide someone else with some insight to what this (could) means. There is now a privacy policy in place which I have had to endorse by no minor feat of coercion, which now puts them in a position of absolutely no liability for any leakages of user data associated with this application. Now, let's say as I insist was the case, that there has been some massive security flaw introduced by them pushing Android 9.whatever out the door too soon. The sensitive user data has been leaked, they know it, and by threats to be blacklisted I had to comply with posting a legally binding document per their policy (which I and you agreed to to use play store). They are now legally absolved of any responsibility should this happen again. And, I cannot get an even close to accurate account from their "policy team" about the discovery of this leakage with the app.

What are the chances in hell that this point could ever be made after next week, say? This is not an acceptable use of their power to bully developers into contractual agreements which cannot (ever) be unbound. I think that my data is more sensitive and important than most. As a user of the application I am upset that my identifying information was allowed to escape their framework. Why is this not completely offensive and unacceptable business practice to anyone else? I'm not afraid to stick my shoe in my mouth to insult this company and I hope that at least it gets registered that I am trying to force a decent technical explanation to this problem. However, they are larger, and not afraid to ignore my emails, on a platform they ultimately control anyway. Hell, if I get hacked tonight for opening my mouth and being a bitch, their servers may just drop my request entirely. Then, I can go get a court order by a federal judge since their server farm is out of state. Since I am so good at predicting the future, I will already tell you how this ends, my request is denied on the grounds that I mishandled user data, hacked myself, and for good measure something else happens.

Honestly, for a group of hackers who hang out on a software site, I would like to expect that I'm not the only one with misplaced, but still large enough body parts to at least bitch and moan about it. Consider the grave state of politics in the US. If I am never heard from again it's because I, hero of the flame, succeeded in lighting the analytics devil's tail on fire and ended up disappeared for it. Good night again.

maxieds commented 5 years ago

Latest response from Google:

Thanks for contacting the Google Play Team.

Status: Chameleon Mini Live Debugger (com.maxieds.chameleonminilivedebugger) App not available on Google Play

I’ve reviewed your appeal request and found that your app still violates Google Play Policy. I’ve included details below about the specific issue with your app and what you can do to get your app back on Google Play.

Step 1: Fix the policy violation with your app

During review, we found that your app violates the Usage of Android Advertising ID and User Data policy:

Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. We’ve identified that your app collects and transmits the Android advertising identifier, which is subject to a privacy policy requirement. If your app collects the Android advertising ID, you must provide a valid privacy policy in both the designated field in the Play Console, and from within the app.

If your app handles personal or sensitive user data (including personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data, and sensitive device data) then your app must:

- Post a valid privacy policy in both the designated field in the Play Console and from within the Play distributed app itself.
- Handle the user data securely, including transmitting it using modern cryptography (for example, over HTTPS).

The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app collects, uses and shares user data, including the types of parties with whom it’s shared.

Please update your app to fix the issue. You may also want to double check that your app complies with all other Developer Program Policies, as additional enforcement could occur if there are further policy violations.

This rejection doesn't impact the standing of your Google Play Developer Account, but repeated violations can result in the suspension of this app or your Google Play Developer account.

Step 2: Submit your updated app or APK

Read through the Usage of Android Advertising ID and User Data policies, as well as the Developer Distribution Agreement, and make appropriate changes to your app. If you decide to collect sensitive user information, be sure to abide by the above policies, and include a link to a valid privacy policy on your app's store listing page and within your app. Make sure that your app is compliant with all other Developer Program Policies. Additional enforcement could occur if there are further policy violations. Sign in to your Play Console and submit the update to your app. Unfortunately I'm not able to comment on your planned implementation. If you think your app is in compliance, please submit your app for another review. Please let me know if you have any other questions. Thanks for working with us to fix the policy issue and for your continued support of Google Play.

Regards,

Elaine

The Google Play Team

maxieds commented 5 years ago

This is insanity! I received this email over a day after corrections and uploading. Sorry to users for any prospective downtime in dealing with the illiterate desk clerks who field these requests at Google.

maxieds commented 4 years ago

See #26 for the status here.