Uncomfortable Questions About Android Developer Verification
ICEBlock “is an innovative, completely anonymous crowdsourced platform that allows users to report Immigration and Customs Enforcement (ICE) activity with just two taps on their phone.”
The developer of ICEBlock disclosed his identity. In addition to receiving threats of federal prosecution over the app, the developer has faced other backlash, including his wife being fired from a federal government job.
This is one recent example demonstrating that app developer anonymity has impacts and that the lack of such anonymity can cause harm.
With that example in mind, and in the spirit of a previous issue, I have some questions with regard to Google’s proposed developer verification program. To Google, these questions might be uncomfortable.
Question 1. What considerations were taken into account with regard to developers with legitimate reasons for anonymity?
For example, suppose that a developer creates an ICEBlock-like app, but one that supports Android, which ICEBlock does not. Let’s call this workalike app “ICE Scream”. Given the experiences of ICEBlock’s developer, the developer of ICE Scream may have concerns over their identity being disclosed. How would Google like to address such scenarios?
Question 2. Which civil society organizations (e.g., EFF and AccessNow in the US) did Google engage with to review its plans, and what were the results of those engagements?
Organizations such as these have a long track record of dealing with the balance of equities related to privacy and security. A theoretical developer of “ICE Scream” would be well-advised to try reaching out (anonymously) to such organizations for advice. Similarly, their expertise and outside opinions should be of value to Google while drafting programs such as developer verification, and so one hopes that Google availed themselves of such assistance. How did that go?
Question 3. Why does Google’s privacy policy allow Google to share “personal information” with any “businesses or persons”?
Google’s privacy policy states that it provides “personal information to [Google’s] affiliates and other trusted businesses or persons to process it for us”, with no obvious restrictions on who or what constitutes “trusted businesses or persons” and no obvious restrictions on what those parties can do with the personal information. How does Google wish developers, such as the ICE Scream developer, to interpret that policy?
Question 4. How will apps be developed starting in 2027, given that app development uses debug keystores and those keystores do not seem to be part of the Android Developer Verification process? Will it no longer be possible to test apps under development on Google-certified production hardware?
Debug keystores are designed to be transient, as there are few repercussions from replacing those keystores as needed. As such, debug keystores can come and go, especially in environments like classrooms and continuous integration (CI) servers. It seems unrealistic to have these all be registered on a Google-supplied Web site, and it seems hostile to require anyone who wants to learn Android app development to file “papers, please”. How does Google wish for this to work?
Question 5. Similarly, how will apps be developed starting in 2027, given that app development often uses duplicate package names (e.g., in educational settings) and duplicate package names are banned? For example, how will developers be able to build and run Google’s own sample projects?
I have a particular interest here, as I am the author of many books on Android app development. I expected readers to be able to download and run the samples, but under this program, it seems like at most one person on the entire planet can do that. Everybody else will get error messages until they go in and change the package name… which will be beyond the skills of many people just learning Android app development. How does Google wish for this to work?
If you have your own questions and concerns, in addition to writing blog posts, you can fill out and submit this form.
If any civil society organizations or others are interested in discussing these and related questions, please reach out!
And, heck, if Google itself would like to talk about this, they too can reach out.
— Aug 26, 2025