
IDAC Researchers Alert Google to Policy-Violating Third-Party Data Practices


In response to outreach from researchers at the International Digital Accountability Council (IDAC), Google has taken corrective action in connection with three apps (Princess Salon, Number Coloring, and Cats and Cosplay) and with the data collection practices of three software development kits (SDKs) used within those apps.

IDAC alerted Google that the three apps were in violation of Google’s developer policies. It also alerted Google to potential issues with three SDKs used in those apps – Unity, Umeng, and Appodeal. Google took corrective action in response, after its own investigation.

IDAC’s president Quentin Palfrey praised Google for the steps it took to resolve the issues IDAC presented to Google. “The practices we observed in our research raised serious concerns about data practices within these apps,” Palfrey said. “We applaud Google for taking steps to enforce on these apps and the third-party data practices within these apps.”

IDAC’s Findings with Respect To Third-Party Data Practices

IDAC flagged to Google that SDK versions of Unity, Appodeal, and Umeng used within the three apps were collecting data in ways that could potentially lead to violations of Google Play policies. Google took action after its own investigation.

IDAC’s tests revealed that certain versions of the Unity, Appodeal, and Umeng SDKs were not in compliance with broader Google Play policies around data collection. Among other things, IDAC’s tests highlighted that certain versions of Unity’s SDK were collecting both the user’s AAID and Android ID simultaneously, which may have allowed Unity to bypass privacy controls and track users over time and across devices.

The AAID is Android’s unique ID used for advertising and, unlike the Android ID (another Android unique identifier), users have the ability to reset their AAID. The AAID is essentially the passport for aggregating all of the data about a user in one place. For example, if a company wants to advertise its brand of potato chips to people who like ice cream, it can contact a platform and pay for its potato chip ad to be shown to users whose AAIDs indicate that they like ice cream. However, when the AAID is linked, or “bridged”, with the non-resettable Android ID, companies can keep tracking users across resets; ID bridging ultimately makes the AAID’s ability to be reset by users moot.
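The following is an added example, not IDAC's or Google's tooling, of how an auditor could check traffic captured from a test device for the bridging described above: it reports each host that receives the Android ID in the same request as an AAID, including after an AAID reset. Hosts, field names and identifier values are constructed, and matching on hashed forms is an assumption about how an SDK might encode the IDs.

```python
import hashlib
from collections import defaultdict

def variants(value):
    """Raw value plus common hashed encodings an SDK might send instead."""
    v = value.lower().encode()
    return {value.lower(), hashlib.md5(v).hexdigest(),
            hashlib.sha1(v).hexdigest(), hashlib.sha256(v).hexdigest()}

def find_id_bridging(captured, aaids, android_id):
    """Return {host: sorted AAIDs seen in the same request as the Android ID}.

    captured   -- list of (host, decoded request body) from a test device
    aaids      -- every AAID the device had during the capture (before/after reset)
    android_id -- the test device's Android ID
    """
    android_forms = variants(android_id)
    bridged = defaultdict(set)
    for host, body in captured:
        text = body.lower()
        if not any(form in text for form in android_forms):
            continue  # no persistent identifier in this request
        for aaid in aaids:
            if any(form in text for form in variants(aaid)):
                bridged[host].add(aaid)
    return {host: sorted(ids) for host, ids in bridged.items()}

# Constructed sample data: identifiers, hosts and field names are made up.
AAID_OLD = "11111111-2222-4333-8444-555555555555"
AAID_NEW = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"  # after the user resets the AAID
ANDROID_ID = "9f8e7d6c5b4a3210"
CAPTURED = [
    ("ads.sdk-one.example", f'{{"adid":"{AAID_OLD}","android_id":"{ANDROID_ID}"}}'),
    ("ads.sdk-one.example", f'{{"adid":"{AAID_NEW}","android_id":"{ANDROID_ID}"}}'),
    ("ads.sdk-two.example", f'{{"adid":"{AAID_OLD}"}}'),  # AAID only: not bridged
    ("ads.sdk-three.example",
     f"ifa={AAID_NEW}&did={hashlib.sha256(ANDROID_ID.encode()).hexdigest()}"),
]

if __name__ == "__main__":
    hits = find_id_bridging(CAPTURED, [AAID_OLD, AAID_NEW], ANDROID_ID)
    for host, ids in hits.items():
        note = "reset defeated" if len(ids) > 1 else "bridged"
        print(f"{host}: Android ID sent with {len(ids)} AAID(s) ({note})")
```

A host listed with more than one AAID has seen the same Android ID before and after the reset, which is the case where the reset no longer separates the user's old and new advertising profiles.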

After being alerted by IDAC, the Google Play team began its own investigation and subsequently took action against these apps and third-party practices to better protect users.