Google is publishing the home addresses of developers without their consent

I am currently being denied the right to delete my Google Play developer account and remove personal data attached to it.

This includes my residential address, which is now publicly visible.

I’ve requested removal multiple times. Google has refused.

I didn’t agree to have it published. I asked them to remove it. They said no.

I asked them to delete my app. They said no.

I asked them to close my account. They said no.

This is a massive violation of privacy and it puts real people in danger.

Please share your thoughts on what to do next.

125 points | by ebenezerdon 3 days ago

18 comments

  • rkagerer 3 days ago
    Some ideas:

    1. Have a lawyer send them a letter. A legal firm's letterhead will get taken more seriously than an email or Contact Us, and may force them to respond in some way.

    2. Spin up a corporation and have it "acquire" your product.

    Use a law firm or other provider as the registered address. If that's not possible in Sweden, incorporate in a jurisdiction outside your country. (This may have an impact on how you get paid, taxes, etc. but that might not matter if you're planning to unpublish).

    3. Quantify your damages (eg. cost of above, security firm to do a home assessment, mitigations like installing security cameras, etc.) and litigate.

    Unfortunately it can be hard to quantify damage to privacy (check for any precedents in the applicable jurisdiction's case law), and you may have already agreed to terms that prejudice this. Be sure to keep track of any disgruntled user feedback that makes you feel even mildly threatened in any way, any increase in unsolicited mailings, etc.

    4. Get a short term rental somewhere, change the address to that, never update. Or use a friend who's about to move or doesn't care (eg. change the address on one of your credit cards to theirs for a billing cycle).

    This isn't nice to whoever winds up at that address next.

    5. Move, and don't update them with your new address.

    6. Instead of selling your old home at the poisoned address, contact your local fire department and offer it as a controlled burn site for training. Scorch the earth and never look back.

    Or, somewhat less satisfyingly, donate the land to your municipality as a park. Subject to a clause it be named something like "Alphabet's Reach" in perpetuity, and commission some kind of permanent concrete art installation to forever memorialize their betrayal.

    • kassner 3 days ago
      All of this is a ridiculous amount of work/red tape for an app that never will make a single cent (my case).

      I guess we have to read that as virtue signaling: if you aren’t here to make money, go away. Interestingly, they choose a quite stupid way to do so, when they could just straightforwardly charge a recurring fee like Apple does.

  • Sytten 3 days ago
    There's an interesting debate if home address being public record is a privacy problem. In Canada the government forces business directors/owners to have their address public for transparency. I find that kinda stupid but I do understand the idea behind it and this did shift my threat model when I had to enter it.
    • kevincox 3 days ago
      IIUC part of the reason is so that you can sue people. You need to know their address to serve them papers. IIUC this is part of the reason why anyone is allowed to snail-mail you and we don't have spam laws for physical mail like we do for email, phone, ...

      It seems pretty antiquated though and can be putting people at risk. Maybe there should be some form of indirection here where the government can be responsible for notifying you in cases like this and you can indicate who you are suing based on either the business or some sort of more opaque identifier.

      Not to mention that an address is a bad identifier as it is not unique, becomes invalid/more confusing over time among other reasons.

      • jjmarr 3 days ago
        That's what a PO box is for.
        • ArgException 3 days ago
          Yeah, except Google doesn't allow using a PO box.
    • pjc50 3 days ago
      Almost all countries do this, because accountability is a necessary tradeoff for the huge benefits of limited liability.

      (The UK has basically one exception, for Huntingdon Life Sciences, after their directors were subject to an extremely intense harassment campaign by animal rights activists)

      • andrewaylett 3 days ago
        You need to put a correspondence address, but it doesn't need to be a home address — most reasonably-sized companies will allow directors to use the company address, or the address of their law firm, instead. That doesn't work so well for companies that run out of the directors' homes, of course.

        You can see the correspondence addresses for the former directors of Huntingdon Life Sciences in their record at Companies House: https://find-and-update.company-information.service.gov.uk/c...

      • kevincox 3 days ago
        Yes, but if you want to hold someone accountable you should take them to court where it can be fairly decided, not show up at their home address.
        • pclmulqdq 3 days ago
          You need their address to have a reliable way to take them to court.
          • kevincox 3 days ago
            Yes, this sounds like the root cause. Maybe we should have a way to take someone to court that doesn't rely on knowing their address (and ideally is more stable over time than an address, and less ambiguous if there are multiple people with the same name at the same address).
          • bn-l 3 days ago
            You can ask the government
            • pclmulqdq 3 days ago
              I can imagine nothing wrong with having the government gatekeep access to the ability to sue corporations.
              • LadyCailin 3 days ago
                They.. already do? Who do you think “the judiciary” is?
                • pclmulqdq 3 days ago
                  The referee, not the ticket counter.
    • Silhouette 3 days ago
      The UK seems to be heading in roughly the opposite direction. If I've understood the plans correctly then more individuals with significant connections to companies will have to formally prove their identities to the regulators as part of company registration but fewer personal details will then be published online. This seems a much better approach to me - rogue traders and the like can be more easily disrupted but company officials aren't having their personal privacy compromised in ways that could potentially endanger them or their families if that one crazy customer decides to do something inappropriate.
    • zajio1am 3 days ago
      Here in Czechia, not only are addresses of corporate legal representatives or sole proprietors in a public registry, but also addresses of real property owners are in the public cadastre.

      It seems funny to me that the government considers this information privacy-sensitive while also publishing it for the majority of the population (homeowners).

      • lostmsu 3 days ago
        It is the same in many US states.
  • benterix 3 days ago
    It was a total deal breaker to me so I registered my company in a virtual office, I pay ca. $10/month for that but at least my home address is not floating around the internet.
  • AdmiralAsshat 3 days ago
    It was a couple years ago I believe that Google started requiring developers to provide a home address. This was the obvious conclusion of that.
  • multimoon 3 days ago
    This is exactly why when Google began requiring home addresses I just let them kill my account and refused to provide the info. It was not a dealbreaker to me anyway, I had long since moved to iOS as a developer.
  • rustc 3 days ago
    > I asked them to delete my app. They said no.

    Does the Play Store not allow deleting apps? What reason did they give?

    • ebenezerdon 3 days ago
      They said my app already has install stats and therefore cannot be deleted
      • pjc50 3 days ago
        I'm wondering if the evil solution is to update the app in such a way that it no longer complies with the rules and get yourself banned from the app store. Although that has other risks to your other google accounts.
        • zenNeko 3 days ago
          Doesn't have to be evil, dropping support for newer androids (9.0 and up) is an easy way to get apps delisted.
        • ArgException 3 days ago
          That will only cause the update to be rejected, leaving it on the normal version. But maybe you could make it non-compliant by changing server-side content without an app update.
      • rustc 3 days ago
        So if I release an app on the Play Store I have to support it forever? That sounds unreasonable.
        • IAmBroom 3 days ago
          No, there is no requirement to support the software, at least according to what we've heard here. Simply that you can't remove your current rev from the store - you can't prevent people from downloading it.
          • jsnell 3 days ago
            That's a bit misleading. You can unpublish the app[0], which hides it in the Play Store and prevents new installs. It just doesn't remove the app from the people who already have the app installed, and I think they'll be able to install it on new phones.

            I don't know why the OP is choosing not to unpublish the app.

            [0] https://support.google.com/googleplay/android-developer/answ...

            • multimoon 3 days ago
              Unpublishing the app doesn’t remove you from having to comply with the address requirement.
              • jsnell 3 days ago
                Yes, but it would mitigate the issue almost completely since the app (and thus the address) would not be discoverable by new users.
      • seba_dos1 2 days ago
        ...and yet it was enough not to verify my account (which I didn't do because it included consenting to my address being shown) to get it removed with all its apps.
  • zajio1am 3 days ago
    How exactly does Google Play work for monetised apps from a legal point of view? Are they the ones who provide a paid licence to an app to the consumer (reseller), or are they just a marketplace intermediary, where the transaction is between app provider and consumer?

    But in both cases, seems to me that at least for monetised apps, providing identifying information is important for consumer protection and therefore they have legitimate reason to do this.

    • madeofpalk 3 days ago
      Apple's App Store is the merchant of record. They do the selling and gathering of sales taxes around the world, etc. I would presume Google Play works the same.
  • mystified5016 3 days ago
    Contact a lawyer and have them send a cease and desist. Shouldn't cost a lot.

    Just engaging Google's legal machinery is probably the only way to get their attention

  • driverdan 3 days ago
    Change the address on your account. You can't delete a published app but you can archive and delist it.
    • kassner 3 days ago
      You are required to send proof for the address, meaning you can only change to another place that you can claim your own.

      In Sweden, we have a public registry for personal addresses, and that’s the only one Google accepts.

      • ChoGGi 3 days ago
        Get a PO box, change your Google address, cancel the PO box?

        Edit: Nevermind, seems like they don't allow them.

  • ankitml 3 days ago
    Amazon did that to a physical product my wife is selling. I was very annoyed. But it ended up being a configuration, but the default being the `show address` state is definitely annoying.
  • _rm 3 days ago
    Where are you resident?
    • ebenezerdon 3 days ago
      I'm in the UK. But I've seen developers from all around having the same issue. (See Reddit)

      My app is a free app, and their policy (which I don't agree with) states that private home addresses will only be shown for monetised apps.

      To my surprise, Google published my home address for a free app. My account is new too, and address verification is a requirement for getting your developer account approved.

      • ajb 3 days ago
        The best guide for dealing with obstructive bureaucracies is patio11's: https://www.kalzumeus.com/2017/09/09/identity-theft-credit-r...

        That's specific to credit theft, but a great many of the principles apply to many situations:

        - Approach via the legal dept, since their objective is to remove risk, rather than close tickets.

        - Know your rights under the law

        - Act like a relentless professional not an angry amateur.

        But read the article, it's worth it

        • _rm 5 hours ago
          This, just calmly explain to them your awareness of the asymmetrical costs you can inflict on them (which GDPR etc were specifically designed to create) and what you'll be doing next on what date. And then make sure you do it.

          I've found quoting exact provisions of statutes to be very effective (just be careful to be right).

      • pjc50 3 days ago
        The official channel to complain about this is the Information Commissioner's Office (ICO). https://ico.org.uk/

        I'm not expecting it to be speedy or effective. Another channel is writing a formal letter requesting your GDPR rights to deletion on paper, to the UK business address https://find-and-update.company-information.service.gov.uk/c...

        We all know that online support is a waste of time. In some ways, HN is one of the actually effective support channels.

        • gbuk2013 3 days ago
          From my anecdotal experience of 1 attempt of writing to the ICO it was 100% effective: several months later I received a polite response with a history of communication between ICO and the organisation I complained about, where the latter had to justify what they were doing. This was a sports organisation that originally announced that they would be putting DOB of the athletes on their public profiles, but ultimately was just the age (because there are age bands in competitions) maybe as a result of my complaint - who knows?
        • ebenezerdon 3 days ago
          Thank you for this. I'm going to do so now
        • hyperpape 3 days ago
          You may wish to contact compliance and inform them that they are violating legal requirements in the UK (assuming that this is, y'know...true). Without blustering or yelling (getting angry makes you look less credible), simply state the government agency that accepts complaints, and state that you will file a complaint if the matter is not resolved. If there are laws that mandate how fast Google is required to resolve the issue, it is worth mentioning them.

          In general, support has the incentive of making tickets go away. Compliance has the incentive of making sure the company doesn't run afoul of regulators. Compliance is also much much more powerful at an organizational level.

          • ebenezerdon 3 days ago
            I've contacted them and they've left my last email without response, and have chosen to ignore all my requests to take down my private information
        • stefs 3 days ago
          > Another channel is writing a formal letter requesting your GDPR rights to deletion on paper

          GDPR is EU, UK is not. How does this work? Surely the UK didn't adopt the GDPR voluntarily?

      • bell-cot 3 days ago
        Sounds like it's a matter of UK law then. At a time when neither the US, nor its tech giants, are particularly popular at 10 Downing St. Nor in the UK generally.

        And like you've a fair bit of company, to make common cause - whether paying solicitors, or raising a ruckus.

        • kassner 3 days ago
          I’m going through the process of listing in the Play Store just now and I’m having the same issues in the EU.
  • yread 3 days ago
    Where can you see the address for a Play developer account?
    • ArgException 3 days ago
      On the app details screen, scroll down past reviews to the "App support" section, and the address is under "About the developer".

      This only shows in the Google Play app, not on the website.

  • streptomycin 2 days ago
    Shit is so dumb. I'm a solo video game dev and I don't exactly want my home address prominently displayed next to my video games. Not that I think it's likely I get swatted or something, but why even take the risk?

    But Google (and D&B, who you need to also sign up for if you are a business) ban most PO boxes and other virtual mailbox/office services. I had to try a few times, but eventually I found one that they accepted.

    Also the Microsoft Store does the same thing with addresses. idk about Apple, I don't publish there. Probably there is some law forcing everyone to do this.

  • boyka 3 days ago
    I'd say lawyer up, but then this is goliath..
    • ebenezerdon 3 days ago
      Yeah, it feels like Goliath. But at the very least, I can try to get my voice heard.

      I'll explore all options available to me.

      • sam_lowry_ 3 days ago
        I do not know where you live and why you think that Google is wrong publishing your personal address but I can share my own story from Western Europe.

        I managed an online community for tens of thousands of people for 18 years. The domain was registered to a fake address, but once I started accepting ads, I had to register a business and list my home address in the public records.

        I dealt with hundreds of advertisers, and the most obvious risk was that an adversary contacts me to publish an ad, gets my company details, checks online for company address and comes ripping my heart off.

        Over these years, I received multiple online threats from various people... but none have ever showed at my doorstep.

        I still wonder why.

        Did the users I blocked and banned never really feel offended because I tried to be professional and predictable in all circumstances?

        Or was it just because finding my personal address required a bit of ingenuity which the most egregious perpetrators simply lacked?

        P.S. And no, this was not a gaming community nor anime lovers forum, but a place where immigrants turned in for help.

        P.P.S. Before downvoting... think again about the responsibility you take on when people pay you money in return for your service.

        • charles_f 3 days ago
          > think again about the responsibility you take on when people pay you money in return for your service.

          OP mentioned their app is free

          • sam_lowry_ 3 days ago
            I just Googled and it looks like even if the app is free, but the account has been set to monetized at least once in the past, the address is displayed.

            Back to my story... my online community was also free to join. This does not change much.

            Once you start interacting with the world, expect the world to interact with you.

  • sunsetonsaturn 3 days ago
    If you're in the EU:

    Leverage the GDPR and contact Google's DPO (Data Protection Officer) to inform them about the problem. If the problem is not solved or there is no reaction, lodge a complaint with the DPA (Data Protection Authority).

    • scarface_74 3 days ago
      There is a slight problem with that. It’s actually the law in the EU that your address has to be displayed

      https://www.macrumors.com/2024/10/17/developers-eu-app-store...

    • ivan_gammel 3 days ago
      Probably won’t work, since there’s a legitimate interest of app users in having this information accessible. However, at least in Germany a private person can have a legal address different from their home address: you can buy this service from a number of providers and all legal correspondence will be delivered to you without interference with your privacy.
  • cmurf 3 days ago
    Get a PO box. Either USPS or UPS address. Change address. Get the cheapest in your area, especially if you won't actually use it for deliveries. This is a deductible office expense for the business.

    You don't need a DBA (doing business as) registered with the state for this, but it helps build a business narrative for the IRS and business purposes. And then you can use it in lieu of your name.

    • ebenezerdon 3 days ago
      Thanks for this. To my knowledge, the current policy doesn't allow a PO box. But I'll explore what you've mentioned.

      Although I've now lost interest in publishing on the play store.

      • cmurf 3 days ago
        Non-USPS mail services use physical addresses. The post office delivers all the mail there, and it's the responsibility of the private party to sort.

        Therefore you can list the "box" as a "unit" number, or "ste" (suite) or "apt" (apartment). Ask the 3rd party service prior to contracting.

        I had such a service in NYC (they're common, lotsa businesses love having a Suite address on 5th Ave, or whatever).

        I'd test it before committing to a long term contract though.

      • jadamson 3 days ago
        In the UK you might be able to use a "virtual office" address instead, although this will cost money.

        https://www.reddit.com/r/ContractorUK/comments/1gka8lq/virtu...

      • 5555624 3 days ago
        Check with your Post Office. My USPS Post Office Box actually has a street address I can use, as well. They started this about four or five years ago. It's the street address of the Post Office, with the box number added like an apartment number. (Interestingly, the Zip+four is different.)
  • buyucu 3 days ago
    Google does this kind of nonsense all the time. That is why everyone is screaming their lungs out that we need to help and support alternative app-stores like F-Droid.

    Your best bet is the privacy watchdog in your country.

    • scarface_74 3 days ago
      This is not “Google nonsense”. It’s the law in the EU. Apple has to do the same thing

      https://www.macrumors.com/2024/10/17/developers-eu-app-store...

      • f4c39012 3 days ago
        ^This. If you are a trader under the Digital Services Act then your address, email and phone number is published. From https://eur-lex.europa.eu/eli/dir/2005/29/oj: ‘trader’ means any natural or legal person who, in commercial practices covered by this Directive, is acting for purposes relating to his trade, business, craft or profession and anyone acting in the name of or on behalf of a trader;

        IANAL

      • kassner 3 days ago
        This is only applicable if you are making money with your App (either paid or IAP). Free apps don’t have that requirement on Apple’s store.
      • buyucu 3 days ago
        OP is not from the EU. He said elsewhere in the thread that he's from UK.
        • Aloisius 2 days ago
          Doesn't matter where they live. If the app is made available for EU users, it has to comply if they're a "trader" (they've monetized an app in any way at any time or set their account to do so ever).
    • ebenezerdon 3 days ago
      It's disheartening. I've tried reaching out on several platforms, but they've completely ignored me.

      I'll be exploring the privacy watchdog, as you've advised.
