Privacy has become more than a key component of corporate cybersecurity policies and procedures — it also is a lightning rod for lawsuits by consumers who believe their rights have been violated. While privacy laws have become commonplace, periodically what might seem to be relatively common language from contracts turn out to be problematic for the vendors.
Google, for example, has a long history of searching the Play Store, its apps repository, for programs that contain malware. Less than a year ago, Google removed multiple apps from the Play Store that had the banking Trojan SharkBot hidden inside.
However, while removing troublesome apps from the Play Store would seem prudent, Google takes this one step further into a legal gray area.
In Google’s Play Store Terms of Service (ToS), Google notes that it scans for malware and reserves the right to remove it from a user’s computer if it deems it necessary. Google’s ToS reads:
Malware protection. To protect you against malicious third party software, URLs, and other security issues, Google may receive information about your Device’s network connections, potentially harmful URLs, the operating system, and apps installed on your Device through Google Play or from other sources. Google may warn you if it considers an app or URL to be unsafe, or Google may remove or block its installation on your Device if it is known to be harmful to devices, data or users. You can choose to disable some of these protections in the settings on your Device, however, Google may continue to receive information about apps installed through Google Play, and apps installed on your Device from other sources may continue to be analyzed for security issues without sending information to Google.
This 130-word paragraph in the 3,537-word document is raising eyebrows among some privacy experts. Debbie Reynolds, CEO of data privacy consultancy Debbie Reynolds Consulting, says Google’s ToS differs widely from those of other companies, in part because Google offers a variety of interconnected services that operate within the Google ecosystem.
Google’s ToS is ambiguous, she says, because it is not clear about exactly what it might block or remove that is “known to be harmful to the device, data or users.” The ToS also does not commit Google to tell users when it makes such a deletion.
A user might have a reason to want a program on their system that Google considers harmful, determining the risk is within their risk tolerance range. If Google deletes that without informing the user, it could have unexpected consequences.
“It is likely that Google’s ambiguous stance on informing users about actions taken on their devices will face legal challenges in the future, particularly if a significant number of individuals voice complaints about Google’s lack of transparency and perceived harm caused by their actions,” Reynolds says.
Deleting Apps, Not Data
However, Rebecca Herold, CEO of consulting firm Rebecca Herold & Associates and popularly known as The Privacy Professor, says, “I do not see that they are claiming a right to delete or modify data. They are reserving the right to delete an app, which is software, if it is harmful to data, users or devices.”
She clarifies that there’s a difference between applications and user data. “An app is not data in the context of how this is written,” Herold says. “I do not see anything within the paragraph you provided that they are going to delete data. It is possible that deleting the app will remove access from that device to the associated data, but the data would still likely exist somewhere else.”
“I think the open-ended way they have worded this, giving users the ability to disable ‘some’ of these protections, without saying specific which protections, does not make it clear whether or not they are overstepping their legal rights,” Herold notes.
“[Google] does not indicate they are deleting or changing data,” she says. “It indicates they may uninstall an app they determine to be harmful, and/or block a website they determine to be harmful, which could remove access to the data. So, they have established their own legal requirements and limits for the boundaries of their actions.”
How Much Access Should Google Have?
Irina Tsukerman, an attorney whose firm specializes in national security, cyber law, and emerging threats, says, “Adhesion contracts, which are one-sided and non-negotiable, are considered legal; however, if any specific clauses represent a significant burden on the consumer/client’s rights, it may be deemed disputable/unenforceable, and the company may be forced by courts to change the language. In this case, the clause is far beyond the mere ‘warning’ or even ‘blocking’ language fairly typical to tech companies, because it involves the additional step of actively intervening and entering a user’s system.”
This intervention step is “extremely questionable in itself, because Google arguably does not have the right to access the user’s entire system,” she adds. Removing a program could impact other parts of the system.
Anytime such language is overbroad, it is very likely to be found illegal and violating the other party’s — in this case, the user’s — rights. Tsukerman says that in this case, the language is “extremely problematic due to excessive vagueness.”