from the oh-come-on-guys dept
Both the NY Times and the Washington Post have been among the most vocal in attacking internet companies like Google and Facebook, claiming that they're bad regarding your privacy. Yet, like with France (who fined Google for its privacy practices, but then got mad at the company over the privacy-protecting features of its COVID contact tracing API), the Washington Post has a very, very weird article complaining about Google and Apple's project because it's too protective of people's privacy. We've talked in the past about how the API (jointly developed between Apple and Google) was designed from the ground up to be privacy protective. And you know damn well that if the API wasn't developed as such there would be huge articles in the Washington Post and elsewhere decrying this API as a threat to everyone's privacy. Yet here, the complaint is that it's too protective, because these companies simply can't win.
John Gruber, over at Daring Fireball, has an excellent post explaining just how spectacularly bad the Washington Post article is, but we'll do our own treatment as well.
The crux of the article is that some "health officials" are annoyed that the API won't share data with them directly, but is more designed to alert individuals themselves if they may have come into contact with someone who turns out to be COVID-19 positive.
But as the tech giants have revealed more details, officials now say the software will be of little use. Due to strict rules imposed by the companies, the system will notify smartphone users if they’ve potentially come into contact with an infected person, but it won’t share any data with health officials or reveal where those meetings took place.
Local health authorities in states like North Dakota, as well as in countries such as Canada and the United Kingdom, say they’ve pleaded with the companies to give them more control over the kinds of information their apps can collect. Without the companies’ help, some worry their contact tracing systems will remain dangerously strained.
But Apple and Google have refused, arguing that letting the apps collect location data or loosening other smartphone rules would undermine people’s privacy.
Now, a good news report would explain why it's important for Google and Apple's API to protect people's privacy -- and maybe even highlight how lots of people, including some at the Washington Post, have frequently hammered Google and Apple over privacy concerns. Hell, just a few weeks ago, one of the very same reporters on this article, Drew Harwell, was bylined on an article saying that most Americans wouldn't want to use apps based on the API because they don't trust Google and Apple's privacy protections. Though, of course, even that headline was misleading. That headline said "Most Americans are not willing or able to use an app tracking coronavirus infections. That's a problem for Big Tech's plan to slow the pandemic." Yet, they have to do some funny math to make that "most" work, because the actual data said that 50% said they would use it, and among those who had phones, 59% said they'd be comfortable with the app informing others they had COVID-19.
So just a few weeks earlier, the same Washington Post, and one of the same reporters, was crowing about how people wouldn't trust Apple and Google with their contact tracing apps due to privacy concerns. Then they publish this other piece saying that health officials are steamed that the companies are doing too much to protect people's privacy. They can't win.
The article then quotes a very confused professor (tragically, from my own alma mater):
But Helen Nissenbaum, a professor of information science and director of the Digital Life Initiative at Cornell University, called Apple and Google’s use of privacy to defend their refusal to allow public health officials access to smartphone technology a “flamboyant smokescreen.” She said it was ironic that the two companies had for years tolerated the mass collection of people’s data but were now preventing its use for a purpose that is “critical to public health.”
“If it’s between Google and Apple having the data, I would far prefer my physician and the public health authorities to have the data about my health status,” she said. “At least they’re constrained by laws.”
Basically all of this is wrong or bullshit, and a good reporter would have either (a) immediately pointed out that this is bullshit or (b) not published the bullshit. First off, it's not a "flamboyant smokescreen." Google and Apple very clearly put a lot of thought into the privacy features of this API. Second, they're not "preventing its use" for something "critical to public health". The entire point of the API is to make use of this data in a way that helps deal with the crisis. And this is new data, not the data they've "mass collected." On top of that, despite Nissenbaum's insinuations to the contrary, none of this is new. It's how Google and Apple work. Both have long histories of fighting back to make sure that government agencies can't access your private data without a very clear legal basis to do so.
Most importantly, though, Google and Apple don't have the data. That's part of the "privacy protection" here -- and anyone would know that if they looked at anything that Google and Apple have put out about this API. The data stays on your phone. It's based on your phone, and then the individuals get to make the choice of whether or not to share the data. The FAQ from Apple and Google makes this all very clear:
In keeping with our privacy guidelines, Apple and Google will not receive identifying information about the user, location data, or information about any other devices the user has been in proximity of.
And, if the users decide, then the necessary information can be shared with public health officials:
If a user chooses to report a positive diagnosis of COVID-19 to their contact tracing app, the user’s most recent keys to their Bluetooth beacons will be added to the positive diagnosis list shared by the public health authority so that other users who came in contact with those beacons can be alerted.
It seems like both Nissenbaum and the Washington Post owe people a rather large apology.
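To make the flow in that FAQ concrete, here is an added example (not code from Apple, Google or the FAQ) of on-device matching against a positive diagnosis list. It assumes HMAC-SHA256 as a stand-in for the real key derivation; the `Phone` class, the `beacon_id` helper and the 144-interval day are illustrative assumptions, and the encounters are constructed.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumed: one rotating beacon ID per 10-minute window


def beacon_id(daily_key, interval):
    """Derive the rotating ID broadcast in one interval (HMAC stand-in)."""
    msg = b"beacon" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_key = os.urandom(16)  # stays on the device unless reported
        self.heard = set()               # beacon IDs seen nearby; never uploaded

    def broadcast(self, interval):
        return beacon_id(self.daily_key, interval)

    def hear(self, beacon):
        self.heard.add(beacon)

    def report_positive(self, diagnosis_list):
        # Opt-in step: publishes this phone's own key only,
        # with no contact log, identity or location attached.
        diagnosis_list.append(self.daily_key)

    def check_exposure(self, diagnosis_list):
        """Re-derive IDs from published keys and match them locally."""
        hits = 0
        for key in diagnosis_list:
            for i in range(INTERVALS_PER_DAY):
                if beacon_id(key, i) in self.heard:
                    hits += 1
        return hits


def simulate():
    alice, bob, carol = Phone(), Phone(), Phone()
    for i in (60, 61, 62):         # constructed: Bob is near Alice for 3 intervals
        bob.hear(alice.broadcast(i))
    carol.hear(bob.broadcast(10))  # constructed: Carol met Bob, never Alice
    diagnosis_list = []            # everything the health authority's list holds
    alice.report_positive(diagnosis_list)
    server_view_is_keys_only = diagnosis_list == [alice.daily_key]
    return (bob.check_exposure(diagnosis_list),
            carol.check_exposure(diagnosis_list),
            server_view_is_keys_only)
```

In this model the shared list never contains who heard whom: Bob learns of three matching intervals and Carol of none, and both results are computed on their own phones.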
Next up, there's a quote from Matt Stoller, who has built up a cottage industry making ignorant statements about big internet companies (and cheering on Senator Josh Hawley's anti-internet nonsense). While I've come to expect nonsense from Stoller, the quote he gives the Post is beyond the pale:
“They are exercising sovereign power. It’s just crazy,” said Matt Stoller, the director of research at the American Economic Liberties Project, a Washington think tank devoted to reducing the power of monopolies. Apple and Google have “decided for the whole world,” he added, “that it’s not a decision for the public to make. … You have a private government that is making choices over your society instead of democratic governments being able to make those choices.”
Again, nearly everything Stoller says here is wrong. Gruber's summary of it covers this better than anything I would say:
This quote is what’s crazy. Again, this guy Stoller clearly has no idea what he’s talking about. Apple and Google deciding how their operating systems work, in compliance with all existing laws, all around the world, is not “exercising sovereign power”. No one here is alleging that Apple or Google are doing anything even vaguely illegal. They’re not toeing some sort of line, they’re not taking advantage of any sort of loopholes.
And if Apple and Google did what Stoller and Nissenbaum seem to want them to do — track location data of every person you’re in contact with and report that data automatically to government health officials, they almost certainly would be breaking all sorts of laws around the world. The whole point of Europe’s well-intentioned but overzealous GDPR law — 88 dense pages in PDF — is, quoting from its preamble, “Natural persons should have control of their own personal data.” That’s exactly the point of Apple and Google’s system — and seemingly exactly the opposite of what every source in this Post story thinks Apple and Google should do.
Honestly, it's not at all difficult to imagine that if Google and Apple's API was automatically handing data over to the government, you'd see Stoller and Nissenbaum still complaining and suddenly they'd be all concerned about the companies "exercising sovereign power" to "mass collect people's data" and just "handing it over to the government." Again, this is a no win situation, in which the companies are being shat upon as if they're doing the wrong thing when it's clear they've bent over backwards to make sure they were doing the right thing and giving as much power and control as possible to the end user.
Basically every quote in this piece is utter nonsense -- the kind of nonsense that a reporter should be explaining why it's wrong or not publishing. But here it is all published as if these people are making good points. Here's the next one:
“Every minute that ticks by, maybe someone else is getting infected, so we want to be able to use everything we can,” said Vern Dosch, the contact-tracing liaison for North Dakota. “I get it. They have a brand to protect. I just wish they would have led with their jaw.”
Huh? What "brand" are they protecting here? The brand that says... they're going to help out by building a big system that others can build on and use for free, and that actually protects people's privacy? I honestly don't get what Dosch is even saying here. Of course government officials want every piece of data, and this system is designed to help them get more data, but also to protect privacy. And I honestly have no clue what "led with their jaw" even means here.
It's only twenty-six paragraphs in that the article mentions how "some privacy advocates have applauded the companies’ stance around anonymity and security concerns," but then it shits on that almost immediately:
But some parts of the U.S., including Apple and Google’s home state, say the restrictions have rendered the apps effectively useless. In California, epidemiologists in charge of contact tracing are ignoring the Apple-Google approach and have decided the best course for contact tracing is to train thousands of people to do the work.
Which "apps" are they even talking about? This is an API, not an app, and it's not even out yet, so these "apps" can't be useless yet. They don't exist. And the fact that California epidemiologists are focusing on training human contact tracers is... meaningless? No one has said that this API should replace human contact tracers. The idea has always been that it's another tool -- not a replacement. And then we get another ridiculous quote:
“The limitations of those kind of apps are extensive,” said Mike Reid, an assistant professor of medicine at the University of California at San Francisco, who is leading the effort to train contact tracers in the state. “I don’t think they have an important role to play for most of the population.”
The contact tracers, he said, will be using software made by Salesforce and Accenture to help reach patients by phone and are trained on how to protect sensitive patient information.
“We go to pains to minimize the amount of data we take from people and we ask consent from people we’re talking to on the phone. We go to considerable lengths to ensure there are strong technical controls to ensure the anonymization of our platforms,” he said. “Can you say the same thing about these big tech companies? I’m not sure.”
Um. Dude. Did you not even bother to read the details of the API that you're commenting on, about which you say you're "not sure" if the data is minimized or that there are strong technical controls to make sure the data remains anonymous? Because half of this very article is all about how other health professionals are annoyed that the apps are doing too much to protect the data.
And, honestly, how is it that these reporters are using quotes that are in direct conflict with other quotes in the article (the API keeps things too private, who knows if the big companies will keep things private...) as if they're making the same argument?
This is just bad, bad reporting.
With the Apple and Google approach, “We’ve overcompensated for privacy and still created other risks and not solved the problem,” said Ashkan Soltani, the former chief technologist of the Federal Trade Commission. “I’d personally be more comfortable if it were a health agency that I trusted and there were legal protections in place over the use of the data and I knew it was operated by a dedicated security team.”
I know and like Ashkan, and have quoted him in the past, but this... is just a bizarre quote in its own right. Google and Apple have two of the best "dedicated security teams" around. Meanwhile the federal health agency, Health & Human Services, has a history of getting hacked, including some sort of hack as the pandemic began (exactly what happened still has not been made clear).
But some public health experts believe the push toward unproven virus-tracing apps has wasted time and missed the point. Tom Frieden, the former director of the Centers for Disease Control and Prevention now working with the health organization Vital Strategies, said the proximity-tracing system as proposed by Apple and Google has “been largely a distraction.”
“There are very serious questions about its feasibility and its ability to be done with adequate respect for privacy, and it has muddied the water for what actually needs to happen,” Frieden said in an interview Wednesday. “This was an approach that was done with not much understanding and a lot of overpromising.”
This quote may be the most accurate of the bunch, but in its own way misleading as well. I haven't seen anyone "overpromising." The people involved in the project and supportive of it have argued that it might be an additional useful tool beyond everything that everyone else is doing. I haven't seen how it's "muddied the waters" for what others need to do.
Honestly, we don't really know how useful the apps built on this API will or won't be. There are reasons to be skeptical of their usefulness, but if you wanted to understand why, you wouldn't get help from this article, which really just seemed like an attempt by the reporters to collect as many disjointed anti-Google and Apple quotes as possible and put them all together in an article that is incredibly misleading and not even internally consistent.