Google Maps will let you share your location with friends and family for a specific period of time – TechCrunch (Mar 22, 2017)
Location sharing is one of those really thorny privacy issues, and Google has gone back and forth on it over time precisely for this reason. In this case, it’s now opening the feature back up, though now in the Google Maps mobile app, and with some sensible limits, such as time- and person-based sharing. I can see a lot of utility in sharing my location with someone temporarily if we’re planning to meet up or if I’m on my way home and want to share an ETA. On the other hand, sharing that information with friends or family members means sharing it with Google too, and presumably also means your Google Maps app has to be running and tracking your location in the background, which has battery implications. For some people, those will be non-issues, but for others they make it less palatable to use these features. And of course the more openly you share your location (and the more companies track it) the more ways there are for hackers (and law enforcement) to access it too.
CTIA, which is the industry association that represents the largest US wireless carriers, is arguing before the FCC that it shouldn’t be subjected to new rules on sharing data it collects on its users. The carriers have argued that Google and other online service providers aren’t subject to the same rules (those companies are regulated primarily by the FTC rather than the FCC) and so for consistency’s sake the carriers should be treated the same way. This is really about a technical definition of the word “sensitive” – clearly the kind of data being talked about here is indeed enormously sensitive, but the real question is how disclosure of that data is regulated. This matters because, for example, AT&T as a fiber broadband carrier in certain parts of the country has offered a service discount for customers who consent to tracking of their web browsing history and so on, something which it argues Google does all the time without explicitly asking for users’ permission to do. What the carriers are arguing here is that they should be allowed to continue to do this kind of thing without having to ask users to opt in first. The carriers look likely to win given the current hands-off policy stance of the FCC, which means more erosion of privacy for users, but the proper approach would be for the FTC and FCC to work together to craft a set of consistent rules that would apply to all players that get access to similar data, rather than each regulating in a vacuum.
via Ars Technica
If you’re a parent of kids under 13, you’ve likely encountered the COPPA law, even if you might not know it by that name, because your kids will have found it impossible to sign up for an online service or account without either lying about their age or going through a very involved process. As a result, I suspect many kids either do lie about their age (perhaps with their parents’ support) or piggyback off a parent’s account, neither of which is ideal. Google now has a service that lets kids legitimately sign up for their own account even if they’re under 13, as part of a family account tightly controlled and supervised by parents. That feels like a great solution, and it looks like these accounts can effectively graduate when the kids reach an appropriate age. I wish more companies would think about how to help parents help their kids use technology, and this feels like a good step. Of course, this does mean that Google is now capturing information about your kids for a future profile, even if that data collection is limited in unspecified ways.
Apple Joins Group of Companies Supporting Google in Foreign Email Privacy Case – Mac Rumors (Mar 14, 2017)
Given the way other big tech companies had weighed in on the related Microsoft case over the past few years, it was a little odd that more hadn’t sprung to Google’s defense in this one, but it’s good to see that they are now doing so. These cases have far-reaching consequences not just for user privacy but for the ability of US companies to do business in overseas markets, and those companies need to defend themselves vigorously. The final outcome of both cases is therefore worth watching closely.
via Mac Rumors
Now that I’ve finally got around to writing this up, it appears Google has patched the specific issue highlighted in this piece, but it’s still worth talking about for a couple of different reasons. For one, anytime you bring a virtual assistant into an existing conversation between two or more human beings, there’s a tension between the bot knowing as much as possible about each participant and using that to be helpful on the one hand, and avoiding exposing personal information about the participants on the other. Google appears to have screwed that up here in a way that could have been damaging or embarrassing for users, though it has now been patched. Secondly, this kind of thing can only happen when you collect and keep enormous amounts of data on your users in the first place – a company that neither collects nor retains such data in a profile could never expose it. It’s clear that Google didn’t intentionally do so here, but it was able to do so anyway because of its business model. Competitors such as Apple might argue that not collecting such data, or keeping it secured on a device rather than in the cloud, would make it impossible for a cloud service to share it with others. We’re going to have to work through lots more of these scenarios in the years to come, and the competition between companies that strictly preserve privacy and those that use personal data to improve services will be a critical facet of that evolution.
Apple hires Jonathan Zdziarski, an active forensics consultant & security researcher in the iOS community – 9to5Mac (Mar 14, 2017)
Zdziarski was in the news a lot a year ago, when Apple was fighting the FBI over the iPhone used by the San Bernardino shooter, because he was frequently quoted and cited as an expert who backed Apple’s stance. As such, it’s not altogether surprising that he should end up at Apple – he’s been both one of its staunchest supporters around some security and privacy issues and someone who has discovered vulnerabilities in its code. On the one hand, that makes him a useful person to have inside the company – this hire feels a lot like Apple’s hire of Anand Shimpi, another prominent outside expert who was brought inside – but Apple will lose the benefit of having a vocal independent advocate on these issues. It’s also interesting to note Zdziarski’s comments about his hiring and why he’s joining Apple – he cites its privacy stance, which is of course closely tied to security concerns, as a strong motivating factor.
Zuckerberg manifesto removes reference to Facebook monitoring ‘private channels’ – Business Insider (Feb 17, 2017)
Kudos to Mashable, which first noticed that one paragraph in a 6,000-word manifesto had been changed from the original to the final version (I covered the manifesto itself yesterday). And kudos, too, to Business Insider for following up with Facebook to find out why it was removed. The official explanation is that the paragraph talked too specifically about a capability Facebook hasn’t finalized yet, but it’s at least as likely that Facebook worried it would cause major privacy concerns. The paragraph in question talked about using AI to detect terrorists in private channels, which rather flies in the face of Facebook’s commitment to encryption and protecting privacy. As with much else in the letter, I think it was likely intended to be mostly aspirational rather than specific, but the original paragraph was rather tone deaf about how such an idea would be received even in such high-level terms.
via Business Insider
It turns out Vizio has been collecting extremely granular data on users of its smart TVs, and then matching its IP data with offline data about individuals and households (essentially everything short of actual names). And it’s done all this without making users properly aware that this was what it was doing. The data related to everything consumers watched on the TVs, whether the content came through Vizio’s own smart TV apps or merely through one of its inputs from another box or antenna. Something I’d forgotten was that Vizio filed an S-1 in preparation to go public back in 2015 – it never actually went public because Chinese player LeEco decided to acquire them (a deal due to close shortly). Aside from talking about how many TVs the company sells, the S-1 makes a big deal of the “up to 100 billion viewing data points daily” it collects from 8 million TVs, and touts its InScape data services, which package up this data for advertisers, although it says this data is “anonymized”, which feels like an alternative fact at this point. The risk factors in the filing even mention possible regulatory threats to such data gathering, so it’s probably fair to say that Vizio shared more information with its potential investors about the data it was collecting than it did with end users. To settle the case, Vizio has to pay a total of $3.7m in fines to the FTC and the state of New Jersey (whose AG brought the suit with the FTC), discontinue the practice, and disclose it to consumers. I can’t wait to see how it manages that last point – imagine turning on your Vizio TV one day and seeing a message pop up about the fact that it’s been tracking your every pixel for the last several years. Assuming that’s done right, it could be the most damaging part of this for Vizio, which made over $3 billion in revenue in its most recently reported financial years. Meanwhile, yet another headache for LeEco to manage.
Court Rules Google Has to Hand Over Data in Contradiction to Recent Microsoft Ruling – The Register (Feb 4, 2017)
The recent ruling in the ongoing case involving Microsoft and customer data stored outside the US had at least temporarily provided some reassurance that the big tech companies’ stance on this issue would be upheld in court. However, a new court in a different part of the US has now ruled the other way, though its rationale for ruling differently is that Google manages its data and data centers differently from Microsoft. This is a blow to the big tech companies who’ve fought to keep their overseas data centers (and the data held there on non-US customers) off limits for US law enforcement, but the Microsoft case was likely to go to the Supreme Court anyway. Hopefully, the court will rule in such a way that provides clarity not just in the Microsoft case but more broadly on this question.
Given that Apple argued precisely that security backdoors almost always make their way into the hands of evildoers, this news is great validation of Apple’s refusal to cooperate with the FBI early last year, even if it’s a private firm rather than the government that’s been hacked in this case. Indeed, that seems to have been the hacker’s motivation in this case. It’s also worrying from an Apple perspective that a provider like Cellebrite should have had such lax security that a hacker could breach its systems and access these tools, assuming the claims being made here are in fact legitimate.
Introducing the New Privacy Basics – Facebook (Jan 26, 2017)
Facebook’s busy week for news continues. This update to Facebook’s privacy mini site is timed to coincide with Data Privacy Day later this week, but it’s a useful reminder of how far Facebook has come on privacy. Facebook has always had two distinct privacy issues. One is the same that affects all ad-based companies: gathering lots of information about users and using it to target advertising. The other, however, has always been more Facebook-specific, which is that users have often been unaware of how broadly their content was being shared with other users and potentially the general public. It’s come a long way on both points, but especially the latter one. The new Privacy Basics site has lots of information about how to exercise more control over how posts get shared and with whom, and Facebook has done a nice job here. The fact that there are 32 separate interactive guides is perhaps unintentionally funny – protecting your privacy on the service can still be a complex proposition – but at least Facebook is now effective at walking users through some of that complexity. And in general it now does much better at being transparent and reminding users about how they’re sharing, and most importantly seems to have stopped deliberately or merely carelessly getting users to share more broadly than they intend to.
This was one of those rare cases where many of the big tech companies banded together to support one of their number on an issue of concern to all of them. The case concerns data held by Microsoft in a data center in Ireland but requested by US authorities investigating a crime (there’s a good summary of the case here). Microsoft and its pals have argued that this data should not be subject to US law enforcement requests because it resides outside the US, even though Microsoft is a US-headquartered company. Were the government’s argument to be upheld, data held anywhere by a US-based company could be obtained by the authorities in the US, regardless of whether the user has any ties to the US, which could dramatically impact tech companies’ ability to operate in overseas jurisdictions. That’s precisely why Microsoft has had the support of Apple, Amazon, and others, because the effects of upholding the government’s arguments here would be significant. This is a victory not just for Microsoft but the sector as a whole, and I would hope that the Supreme Court either refuses to hear the case or upholds the current verdict.
Google Privacy-Policy Change Faces New Scrutiny in EU – WSJ (Jan 24, 2017)
Europe continues to be the locus of a lot of regulatory effort aimed at paring back perceived privacy invasions by big US online advertising companies, notably Facebook and Google. In this case, Oracle is part of a coalition that seeks controls on Google’s tracking of user data, and the focus of the current complaint is the change Google made to its terms and conditions last June, pursuant to which it now combines data on its users across its various services and DoubleClick. No action has been taken yet by European regulators, so this is only a complaint by one of Google’s biggest foes at this point, but this area has proven a thorny one for Facebook already, and could yet become one for Google too.
Your real-world purchases will soon determine what ads you see on Snapchat – Mashable (Jan 19, 2017)
Here’s further evidence that Snap is evolving Snapchat’s advertising targeting capabilities, something it badly needs to do to ramp up ad spending ahead of a potential IPO. But that also means going back on some of the commitments Evan Spiegel has made in the past to avoid “creepy” targeting. The reality is that Snapchat has captured a nice little share of ad spending purely on the basis of having a great target market for a certain generation at a general level, but if it wants to capture more targeted advertising, it needs to provide the tools that Facebook, Google, and others already provide. That means buying in data from Oracle (as in this deal, and further to a previous deal with Oracle for measuring ROI) or other data collection houses (as Facebook already does) in order both to target advertising and to capture information about subsequent purchases to prove an ROI. Though Snapchat’s target market is generally more open to ad-based business models and the attendant privacy implications, there’s a point at which even millennials will balk, and Snap has to be careful not to cross that line.
The reporting here is based on a Twitter account that claims to be looking into WhatsApp’s code to find hints about what the app’s future business features might look like. Facebook has already said it wants to take WhatsApp in a similar direction to Messenger, with more hooks for businesses to communicate with users manually and through bots, and these would appear to be early signs of that happening in practice. WhatsApp is a challenging property for Facebook in this respect, because it has always eschewed advertising, and anything that smacks of that direction will likely be poorly received by its users, so Facebook is going to have to tread even more carefully than usual as it pursues this strategy. On the other hand, Facebook didn’t spend $22 billion to buy WhatsApp just to shut off its only revenue stream – this was always inevitable.
Apple’s CareKit apps get enhanced security option – Mashable (Jan 11, 2017)
From the beginning, Apple has been extremely careful with its HealthKit developer tools, making some really granular choices about how data is shared (my favorite example is that developers can’t even query whether or not there is insulin data, because its presence would suggest diabetes). Now, CareKit is getting end-to-end encryption for better HIPAA compliance, through a partnership between Apple and a third party (here’s the official Apple announcement). We’re going to see lots more partnership work by Apple to solve some of the thornier problems relating to both HIPAA and FDA compliance as it gets deeper into healthcare.
Microsoft has been rapped over the knuckles by regulators and attacked by privacy advocates over its data collection in Windows 10. Over-collection of data combined with lack of notification for users have to be the most common twosome in privacy abuses among tech companies. Tech companies often collect far too much data by default, and then fail to inform users what’s being collected or why. This change is a positive one, but I’d hope that Microsoft (and others) will learn from the backlash here and do better from the outset in future releases of Windows and other products.
Europe proposes expanding telco data privacy rules to WhatsApp, Facebook et al | TechCrunch (Jan 10, 2017)
Europe continues to take a harder line on privacy for online services, and is also finally caving to long-term pressure from telecoms operators to force online communications providers to comply with a more consistent regulatory framework. Both individual European countries and the EU have come down on Facebook recently for its attempted integration with WhatsApp following the merger, and the region is likely to continue to be more challenging for online providers operating there. This, in turn, may provide a small advantage for those providers that collect less user data and offer more protections by default.
The Verge 2016 tech report card: Apple – The Verge (Dec 29, 2016)
I’ve seen lots of this sort of thing as we approach the end of the year – quite a number of Apple observers seem to see 2016 as an off year for the company. And yet so much depends on how you view key innovations – yes, the Watch changed relatively little, but those features will please runners, swimmers and wheelchair users, and the price drops that accompanied them created new markets. The same can be said for many of the other changes. Apple news continues to be something of a Rorschach test for observers.
This is an interesting take on the repeated Yahoo breaches and the implications, and it goes along with my gut sense that people have very short memories when it comes to security and privacy breaches. There’s lots of outrage in the short term, but it blows over very quickly, as any Google Trends search relating to a major breach will tell you. The hits keep coming with Yahoo, but ultimately I expect Verizon’s acquisition will still go through.