About a month ago I put my money where my mouth was and built a version of the Paul Keating insult generator for Android (after the iOS version hit number 1 in the Australian App Store [tell your friends]). We sold a few hundred copies on Android in the last month, so that’s all good. Today I decided to log into my google play account to update my payment details. I jumped over to the ‘merchant account’ section to see the orders and realised one absolutely insane thing.

If you bought the app on Google Play (even if you cancelled the order) I have your email address, your suburb, and in many instances your full name. Each Google Play order is treated as a Google wallet transaction and as such software developers get all of the information (sans exact address) for an order of an app that they would get from the order of something physical. Even underneath the order information there is a flag that says 'Email Marketing’ with a value next to it, because of course scrupulous developers would always obey that flag.

Let me make this crystal clear, every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred. With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase. The problems on android of app permissions (and subsequent potential for malware aside) is one of active negative behaviour on the part of an app developer. This isn’t. This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it’s made crystal clear to them that I’m getting this information. This is a massive, massive privacy issue Google. Fix it. Immediately.