Google for several years has collected app-usage data collected from Android phones to develop and advance its own competing apps, a new report alleges.
The project, called Android Lockbox, “collects sensitive Android user data” for use within Google and has been in effect since at least 2013, The Information reports.
Abuse such as this by platform vendors will continue to take place, and it will continue to get worse and more brazen, because governments and judicial systems simply aren’t designed to deal with the massive international nebulous webs of dozens of individual legal entities that make up a single company. They wield immense power, can spend infinite amounts of money to change any law they don’t like, and aren’t subservient to the people – i.e., the government – like they should be.
Either governments start drastically cutting these massive corporations up – divide and conquer – or the entire western world is at risk of becoming corporate dystopias.
Wouldn’t you know it, Al Gore invented the lockbox.
( I’m sure nobody remembers it, but anytime I hear “lockbox” it reminds me of this skit on SNL about al gore’s presidential debate a couple lifetimes ago
http://www.youtube.com/watch?v=zDgRRVpemLo )
I have a couple of problems with the article.
Ultimately, there is no evidence that they are logging anything that isn’t legitimately related to understanding and optimising the use of Google services. Whether you agree with all the ways that they are using the data or not, they have a legitimate basis for collecting the data. That data can be used to provide a better experience whilst using third party apps.
Likening it to Facebook’s acquisition of Onavo is a false comparison. People expect to use a VPN to keep their activities secure – not to have the company providing the service spying on them.
The other issue I have is where they say “The data was used earlier this month in India, where Google planned to roll out a competitor app to TikTok.”.
What they failed to note is that TikTok had been banned in India at the end of last month. So putting / pushing a similar app in India is not in fact competing with TikTok – it is fulfilling a lost market. Of course, any app that gets a foothold in India has potential to take market share elsewhere – especially if there are more governments taking action against TikTok – and whether Google should be doing that or leaving it up to Indian competitors is another question.
grahamtriggs,
I would say that’s only your opinion. Another opinion, which is just as valid, is that google has no legitimate basis for logging personal data without consent.
Either way it’s rather unethical when you track user behaviors and 3rd party apps without their knowledge. For years I was specifically opting out of google’s location tracking and it came out that google was tracking the locations even of those people who were opting out. Now someone could argue that google was doing it to provide a better experience, but regardless the fact that google was doing it without permission was not only unethical but probably also illegal. I believe google has since correct this abuse of privacy because they were caught, but I still wouldn’t trust google not to mine all the data they can on our devices with or without our knowledge and consent. Google really does deserve to be criticized and maybe even sued over it, but Thom is correct in that it’s a become a widespread problem. Microsoft and others are also helping themselves to our data. These technologies are invasive. It used to be that our computers, phones, game consoles, etc didn’t spy on what we installed or did, but now they do. Hell even our own banks are selling our transaction data (to google no less).
“Google and Mastercard in credit card data deal”
https://www.bbc.com/news/technology-45368040
Explicit “opt-in” would be far less objectionable because then they would have legitimate consent. I think regulators should mandate clear & explicit opt-in policies.
“I would say that’s only your opinion. Another opinion, which is just as valid, is that google has no legitimate basis for logging personal data without consent.”
There is no evidence that they are logging personal data without consent. This is data logged through an API, which the user can choose not to consent to.
“Google really does deserve to be criticized and maybe even sued over it”
They certainly deserve to be criticized for doing something bad – when there is evidence that they have. What you are criticizing them for, you have no basis for. There is no evidence, and the report does not claim, that they are capturing any data without consent. There is no evidence, and the report does not claim, that the data can be tied to/used to identify any individual – it is described as anonymised data. It is not globally available in Google – the report provides an instance where access to the data was denied.
“It used to be that our computers, phones, game consoles, etc didn’t spy on what we installed or did, but now they do.”
It used to be that our phones didn’t do anything but make calls, and our computers and consoles were plugged into an electric socket and not be connected to a network.
Nowadays, it’s not so black and white if we want our devices to work well. We have laptops, tablets and phones that we want to have good battery life. We need companies to be able to spot when an application poses a security risk and limit the exposure / disable or withdraw an app. You can’t know what is and isn’t causing a problem in the real world without data collection.
Yes, data collection needs to be (and is) something that the user chooses to participate in or not. But without users participating, we almost certainly will have worse devices and software.
grahamtriggs,
Well, I can’t really hand you their evidence since I didn’t conduct the study myself. Like the article says “If The Information’s allegations are accurate, antitrust regulators are likely to have a whole lot of questions for Google.” (my emphasis). Certainly we need more evidence. You are perfectly entitled to trust google if you want to, but I personally don’t because they’ve violated user consent in the past.
This is what google said “The API doesn’t obtain any information about in-app activity and our collection of this data is disclosed to and controllable by users”. Yet I for one have no idea what they’re talking about, I’ve been using google products for over a decade and never once have they explicitly asked for my consent regarding API data. I know for a fact I never gave my explicit consent, however I believe odds are pretty high they collected my data through these APIs anyways. You’re right, stronger evidence is warranted, but I don’t have enough faith in google to dismiss the allegations out right as you do.
Ok, well then lets call the allegations “plausible, but not confirmed”.
“or the entire western world is at risk of becoming corporate dystopias.”
What makes you think we aren’t there already? How many more years of reporting about corporate abuse will it take? We are living in a world, right now, where corporate power & greed control the levers and strings of congress, the Supreme Court, and the presidency. We get report after report after report after report of how corporations violate the peoples rights, their privacy, the law and anything else they want with little to no recourse because of their immense power & influence. What about any of this is *not* dystopian?!
The (western) world is not the same as the USA.
The USA is extremely influencial, especially in the world of software but the rules that these companies have to follow (and the penalties for nog following them) are stricter in e.g. Europe than inside the USA.
You can call me an optimist but I feel like the corporate dystopia hasn’t advanced as far yet where I live compared to your place
The EU was little more than a neoliberal (corporate) take over of Europe. Notice all the austerity for workers, but never for the corps – a familiar story to us Americans.
In America it all crept up slowly over decades. That’s the plan in the EU as well. Watch for it – it’s already happening.
“Notice all the austerity for workers, but never for the corps – a familiar story to us Americans.”
You mean like GDPR?
Or the right to healthcare? https://fra.europa.eu/en/eu-charter/article/35-health-care#:~:text=Article%2031%20Everyone%20has%20the,conditions%20provided%20for%20by%20law.
Or…well, as you can see from the provided link above where you can scroll left and right everything from article 27 to 46 at least. (Title 4, Solidarity)
Of course the world is not black-and-white but in general I would say that the EU burdens companies a lot more than happens in the USA and the EU protects citizens a lot more than the USA.
“In America it all crept up slowly over decades. That’s the plan in the EU as well. Watch for it – it’s already happening.”
They are lobbying very hard in the EU and sometimes get what they want, this is true.
But I do think politicians are still far more independent than in the US.
It is known for years, on how most of the biggest and popular general purpose web services do their business. They provide the services, people can use them free of charge. In return it is expected for people to let such services collect their personal data. Until this model changes fundamentally i am afraid that not much can be expected to happen in this regard. In addition i am afraid that in the future this will become a norm and enforced by law, not for people to be protected by law, against such business model.
Yes, but this Google behaving like Microsoft when they’re the platform provider, checking out what is working (or not) for application vendors to help them prioritize and design competing applications.
I remember reading that Silicon Valley VCs would laugh at funding proposals based on a Windows desktop app. That’s still probably true.
Aren’t you confusing Microsoft with Apple here? https://en.wikipedia.org/wiki/Sherlock_(software)#Sherlocked_as_a_term
Microsoft mostly prefers to partner with companies like Citrix instead of putting them out of business by making a competitor
I would actually argue that the biggest culprit of this would be Amazon. They offer a platform for everyone to sell their stuff, monitor pppular buys, analyse it for easy replication and then offer Amazon branded “generic” versions that are prioritized in the recommendation engine effectively putting the original sellers out of business and taking over their markets.
This isn’t very different from “home brands” in your local supermarket, but because of Amazons power they are far more succesful in taking over existing markets. Home brands are often looked at as ” cheap/generic/knockoff” while with Amazon it is often the original seller that becomes branded as ” cheap/low-quality”
No, it is understood that we will get ads, not that our personal data is collected.
People were used to this model from tv. Watch for free, including commercial breaks.
Collecting personal data was not possible and people were pretty much fine with this model.
When internet came along people thought the business model was the same and for a while it was. Then (specifically) Amazon proved how efficient a personalized recommendation engine could be for bookshopping, Google and later FaceBook made targetted ads incredibly efficient, internetproviders were granted the right to “collect and sell” everything, free phone-apps (+advertising) became the norm on how people consume services. Fingerprinting became incredibly sophisticated….but all the while people kept thinking “I get free stuff in return for ads”. For a big part of the population this thought is followd by “and I can ignore those ads whenever I want or use an adblocker”
avgalen,
+1
Agreed, most people don’t realize just how much data is being collected and used. Ads as easy to understand and see, but the deals to monetize our data, are hidden and proprietary. Companies including facebook and google do a terrible job disclosing what happens with our data because the laws (with a few exceptions like HIPAA where we get strong protections for healthcare privacy) don’t compel them to do so.
Ask an average person if they believe their mobile phone is tracking them. The answer will most often be yes. Therefore i don’t agree with you in the regard that people believe they will only get ads but won’t be tracked, like with the TV. In reality most people know they will get tracked. And if we didn’t get any laws preventing from that to happen, in the past decade, there is a really slim chance of that happening in the near future. It will likely be the other way around, governments will write laws and enforce more of it.
Geck,
It’s not enough to ask whether people are being tracked in such vague terms. It’s the depth and pervasiveness of the tracking that’s alarming and not well understood. Obviously when you go to google.com or amazon.com or facebook.com, you know they can track you there, but a lot of people don’t expect regular purchases and browsing habits from unrelated websites to end up at google or data from your facebook account to end up in the hands of a political campaign, etc. One does not naturally expect the activities on A to end up at company B, it’s creepy and it occurs without explicit permission. Such things subvert the public’s reasonable privacy expectations.
This is one of the rare cases where you can’t say people are being ignorant or clueless. People in general know, they are being tracked.
Geck,
Well you’ve ignored my points. Also, I take issue with your use of “tracking” as a blanket term without respect to the nuance of what that means. For example, people expect their ISP & carriers to track usage in order to bill us & optimize service, however we do not expect them to sell our browsing habits for their profits even though they could. Not all “tracking” is equivalent. Again, it’s not enough to ask whether people are being tracked in such vague terms, details matter and it does not advance the discussion to gloss over the very kinds of tracking that people find surprising.
For some of these companies it’s probably in their best interests to trade our data in secret, but the very fact that they do makes it harder to be informed and make specific objections to what they’re doing. They’re protected by obscurity. It’s similar to the NSA wiretapping scandal, sure it’s easy to guess that the government’s abusing it’s power, but such notions are abstract and distant. The power of snowden’s leaks was in revealing specific details. It’s very hard to have an informed debate minus the details.
I asked 20 people today. Some at work, some at home, some at sports and the most common replies were (paraphrasing below for easier grouping):
6: No, that only happens in movies
5. Yeah, how else would the cell-tower know to handle your phonecalls (I work in tech and this was mostly the answer at work
4. Yes, when you are taking a picture, using navigation or a running app
3. Probably, those bastard do whatever they can to make money of of me
2. I don’t have a phone daddy, only a toyphone that plays songs. Can I have one and if I get lost (again) you can find me right?
Nobody, not even the technical people at work, had ever read an article about actual tracking like this: https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html
Ironic that when I tried to post this I got this message:
Access Denied
Allow Request
You have been blocked from entering information on this blog. In order to prevent this from happening in the future you may ask the owner to add your network address to a list that allows you full access.
Please enter your email address and a short note requesting access here.
avgalen,
Not to detract from the thread, but I’ve seen that too and at first I thought it was something I did…I’ve seen that mostly when posting and rarely when logging in with no rhythm or reason. It’s just wordpress (maybe some plugin?) heuristics gone amuck. Anyone know specifically where it comes from?
If it were up to me, I’d change the way it works, but I’ve found it’s more of a road bump than a road block.
@Alfman
You can nitpick as much as you want, but in general people do understand, past couple of years, they are being tracked and their personal data is being colected. Whenever using most of the free of charge web services and applications. Usually people joke about it, when asked, but in reality this is not all that funny.
@avgalen
Thanks for doing the survey.
Geck,
Except it wasn’t nitpicking, glossing over the details is a problem with your argument. Anyways if you feel that you need to gloss over the details to make your point, that’s up to you, I’m just pointing out that it weakens your argument.
In your opinion, i can agree with that. As for the rest, best not to argue anymore, just ask other people for opinion. That is if they feel the most popular free of charge web services are tracking them and collection their personal data, or not. In 2020 i feel that the answer is a rather clear one if you aren’t living under a rock.
Geck,
No need, I’ve already spoken to other people over the years about how data is used and they’re just as unclear as I am with factual details. Companies are not transparent about what they do with our data and none of us, not even you, know who all is getting the data. At least not until facts are revealed through a leak or investigation. Like I said, it’s easy for us to make assumptions, but concrete facts are much harder to get. Meanwhile the companies always claim we can trust they won’t abuse customer privacy, it’s no wonder people are confused. Except for true insiders at the companies holding the data, nobody knows exactly where our data goes once it’s in corporate data silos.
@Alfman
OK therefore you are arguing most popular free of charge services (companies) are not transparent, with what they are doing with the collected information. I can agree with that, but note that that is not what i said in my initial post, post you responded to. I said they do track you and they do collect your personal data. Now if you agree with that part, then i guess we are OK, if you disagree, then you are fooling yourself. What i assume made this conversation feel like we don’t agree is we basically talked about two different things. As for your claims, that there is little transparency involved, i agree with that.
As long as platform vendors are allowed to build products on their own platforms, this will always been a problem. It always has been a problem.
And we are already a corporate dystopia, it’s just that it came about slowly over 40 years, and we didn’t notice, until it was too late.
CaptainN-,
Absolutely. And a big part of the problem (at least here in the US) is that legislators utterly failed to pass legislation addressing these problems comprehensively. Instead we’re using tools we’ve inherited from a century ago, namely antitrust, which is too blunt, non-prescriptive, and largely ineffectual. Consumers are ever dependent on walled off platforms, devices we own but don’t have an explicit right to modify and repair, isolated networks that severely hurt the viability of alternatives, and we don’t have any explicit opt-in privacy protection, meaning companies can often do as they please with our data without asking us first. Our legislative branch has long been corrupt in favor of corporations and the executive branch increasingly so. Our DOJ is becoming increasingly brazen, even overruling it’s own offers to serve political interests. The future is bright for those who play into the corruption.
Google should just release Google Lockbox as a standalone app complete with the usual “we value your privacy” consent wall. Slogan: “Make your apps work for a better Google experience”.
It’s why I don’t let Google get my health data with Google Fit despite being an owner of a 2nd gen Moto 360. I don’t want to click through a consent wall and hand them over my health data so they can use them as they want, or having to micromanage privacy options. And frankly I don’t even trust them to not lose them to hackers. They can have my taste in porn for all I care, but not my health data.
I also don’t use Google Pay. I mean, is letting Google establish a permanent verified link between you worth the convenience of not having to type a pin?
I’ve said it before & I’m sure I’ll say it again, but: being a developer who is dependent on an ecosystem that’s controlled by a single company is the 21st century digital equivalent to working in an early 20th century “company town”. I’d also say that being a content creator dependent on youtube, Facebook, or any other single platform is close to being in the same boat, except that the skills needed for that are a bit more easily transferable than, say, knowing how to code to a specific proprietary API.
In that situation, not only do you work for the company, but you spend the money you earn at the company store, then drive the company car home to the company-owned house. It seems like a great convenience at first… until you quit or get fired, and realize that it was just the “carrot” portion of carefully & deliberately designed carrot-and-stick strategy. Then not only do you have to find other work, but you also have to do so without a vehicle or a place to live – and they were (and still are in some places) notorious for using the threat of that as leverage.
To me, the worst part about ecosystems/platforms that behave that way, is they know full well that if all else were equal, no one with any sense would choose their offerings over more open/less tightly controlled alternatives – so they make their solution just better/more convenient enough that most people won’t consider the long-term issues… at least until they bit by them, at which point they’ve probably invested too much time and/or money to easily go elsewhere (see also: “bait-and-switch”). As a result, we seem to have reached the point where the only parties who really seem to have any incentive to introduce genuine advances in computer & internet tech, are those who are also actively working to decrease openness of the internet & increase the amount of centralized control. In fact, To the point where, while I don’t consider myself to be a knee-jerk “fundamentally opposed to all progress or change” type, I’ve started viewing most new computer tech as being merely Trojan Horses, intended to drag the progress of computing further in the wrong direction – in exchange for minor ease-of-use & convenience improvements.
StephenBeDoper,
+1, great points.
Well, I think even more important than making their solution better is simply letting the network effect do its job. Even an open source platform that is better in nearly every way but doesn’t have users is a hard sell. You and I could build a facebook easily enough, but you’d have a damn hard time convincing any friends or family to use it when everyone they want to collaborate with is on facebook, etc. So with regards to merit, it isn’t enough to be about on par with the big players, you’ve got to be many times better. Without scales of economy, virtually no bargaining power, and competing against “free”, it’s a long uphill battle. Heck even google couldn’t compete against youtube, popularity is everything in this business.
Yeah. For a time in the 90s and 2000s, I actually thought P2P and standardized open protocols would win, they had already won the popularity contest. But I’d be proven wrong. For better or worse these networks were extremely popular for movies and music, consequently the RIAA/hollywood sued the crap out of both users and developers of P2P technology. These events ultimately gave the advantage to centralized services that were easier to censor when MPAA and the RIAA came knocking. Whether we like it or not these powerful associations shaped the internet into what it is today, rendering it more closed and proprietary.
I don’t like that so many services end up being proprietary, but what can you do about it? It’s far more profitable to build closed networks and monetize users than open networks to empower users. The internet has gotten worse as a result, with advertising that no users want, but money rather than the greater good ultimately decides its fate.
Yeah, that’s definitely true – see also the failure of Google Plus, and on the flipside, the success Microsoft has had with products that are basically just “a clone of [insert name of competitor’s product], but integrated with Office.” I guess we’re both just talking about different sides of the same coin: ways to make the platform/product/whatever appealing enough to draw in new users & reach the point of critical mass where that becomes self-sustaining.
Oh yes, I made the exact same mistake: because the “open internet” won out against closed single-vendor systems like AOL, Prodigy, etc, I assumed that that was a debate that had been definitely settled. Instead, we now have the flip-side: instead of closed systems like AOL that run separately from the Internet, we have AOL-style closed systems that run on top OF the Internet. And speaking of the *AAs, it probably didn’t help much when they started pressuring ISPs to stop providing access to what was probably the largest precursor to modern social media: Usenet. Though, admittedly, that probably wasn’t a very hard sell, since its use was already on the decline thanks to the difficulty of using it compared to web-based forums, and how bad the sound:noise (or real posts:spam) ratio had become.
I really wish I had an answer. These are things that devs & admins understand, though it’s not because we possess some higher class of intellect, but simply because we’re the ones who have to deal with the resulting problems on a day to day basis – probably not realistic to expect all users of online services to be competent devs or admins. And when non-techies are bitten by those issues, they tend to mis-identify the root of them: focus on individual issues in isolation, while not recognizing that they’re all due to the fundamental nature of those types of platforms.
E.g. there’s a cycle I’ve gone through more times that I can count, where someone comes to me asking for my thoughts on a SaAS/”cloud” service they are considering. I usually explain the pros and cons: a self-hosted solution will cost more up front, but it can be tailored to your needs & modified further down the road if need be – basically the same proposition as owning vs renting (except that people generally don’t do long-term rentals of things they could afford to purchase outright, but that’s surprisingly common for users of SaAS/cloud systems). Then they decide to go with the SaAS option anyway, and 4-6 months down the road, they come back to me looking for help with something that WOULD be simple with nearly every self-hosted CMS out there, like adding a new custom field to group/section of content. But with a cloud system, best-case is that they need to submit a feature request, and hope that enough other users of the same platform request the same feature, and then maybe 6-12 months down the road, they might get around to rolling out that feature.
All of which is, I guess, a long-winded way of saying that there doesn’t seem to be any real answer, and that trying to push back against it is about as effective as trying to command the tides. The best solution I’ve found is to basically pick my battles & be happy with small victories where I can find them – E.g. if I’m building a site for someone, I’ll typically strongly encourage them to embed their Twitter/FB feed on their website, rather than just having a link that sends people off to their Twitter/FB page. But I have no illusions that that’s anything more than a small drop in the ocean.
StephenBeDoper,
I’ve accepted the futility in trying to convince anyone, I used to, but I was just paddling upstream. Professionally I give them my suggestions but I just give them what they want without any push-back and that’s that. Vendor locking and lack of control are lessons they have to learn for themselves. Technically their needs haven’t changed, they still ask for modifications and new features and get annoyed by the limitations of what they have, but that’s on them. They made their own bed. Alas, I’ve seen better years for contract programmers like myself, but what are you going to do.
Anyways, I don’t have much more to add, I agree with your points across the board.