Now The Washington Post Misleadingly Complains About Google & Apple Protecting Your Privacy Too Much

from the oh-come-on-guys dept

Both the NY Times and the Washington Post have been among the most vocal in attacking internet companies like Google and Facebook, claiming that they're bad regarding your privacy. Yet, like with France (who fined Google for its privacy practices, but then got mad at the company over the privacy-protecting features of its COVID contact tracing API), the Washington Post has a very, very weird article complaining about Google and Apple's project because it's too protective of people's privacy. We've talked in the past about how the API (jointly developed between Apple and Google) was designed from the ground up to be privacy protective. And you know damn well that if the API wasn't developed as such there would be huge articles in the Washington Post and elsewhere decrying this API as a threat to everyone's privacy. Yet here, the complaint is that it's too protective, because these companies simply can't win.

John Gruber, over at Daring Fireball, has an excellent post explaining just how spectacularly bad the Washington Post article is, but we'll do our own treatment as well.

The crux of the article is that some "health officials" are annoyed that the API won't share data with them directly, but is more designed to alert individuals themselves if they may have come into contact with someone who turns out to be COVID-19 positive.

But as the tech giants have revealed more details, officials now say the software will be of little use. Due to strict rules imposed by the companies, the system will notify smartphone users if they’ve potentially come into contact with an infected person, but it won’t share any data with health officials or reveal where those meetings took place.

Local health authorities in states like North Dakota, as well as in countries such as Canada and the United Kingdom, say they’ve pleaded with the companies to give them more control over the kinds of information their apps can collect. Without the companies’ help, some worry their contact tracing systems will remain dangerously strained.

But Apple and Google have refused, arguing that letting the apps collect location data or loosening other smartphone rules would undermine people’s privacy.

Now, a good news report would explain why it's important for Google and Apple's API to protect people's privacy -- and maybe even highlight how lots of people, including some at the Washington Post, have frequently hammered Google and Apple over privacy concerns. Hell, just a few weeks ago, one of the very same reporters on this article, Drew Harwell, was bylined on an article saying that most Americans wouldn't want to use apps based on the API because they don't trust Google and Apple's privacy protections. Though, of course, even that headline was misleading. That headline said "Most Americans are not willing or able to use an app tracking coronavirus infections. That's a problem for Big Tech's plan to slow the pandemic." Yet, they have to do some funny math to make that "most" work, because the actual data said that 50% said they would use it, and among those who had phones, 59% said they'd be comfortable with the app informing others they had COVID-19.

So just a few weeks earlier, the same Washington Post, and one of the same reporters, was crowing about how people wouldn't trust Apple and Google with their contact tracing apps due to privacy concerns. Then they publish this other piece saying that health officials are steamed that the companies are doing too much to protect people's privacy. They can't win.

The article then quotes a very confused professor (tragically, from my own alma mater):

But Helen Nissenbaum, a professor of information science and director of the Digital Life Initiative at Cornell University, called Apple and Google’s use of privacy to defend their refusal to allow public health officials access to smartphone technology a “flamboyant smokescreen.” She said it was ironic that the two companies had for years tolerated the mass collection of people’s data but were now preventing its use for a purpose that is “critical to public health.”

“If it’s between Google and Apple having the data, I would far prefer my physician and the public health authorities to have the data about my health status,” she said. “At least they’re constrained by laws.”

Basically all of this is wrong or bullshit, and a good reporter would have either (a) immediately pointed out that this is bullshit or (b) not published the bullshit. First off, it's not a "flamboyant smokescreen." Google and Apple very clearly put a lot of thought into the privacy features of this API. Second, they're not "preventing its use" for something "critical to public health". The entire point of the API is to make use of this data in a way that helps deal with the crisis. And this is new data, not the data they've "mass collected." On top of that, despite Nissenbaum's insinuations to the contrary, none of this is new. It's how Google and Apple work. Both have long histories of fighting back to make sure that government agencies can't access your private data without a very clear legal basis to do so.

Most importantly, though, Google and Apple don't have the data. That's part of the "privacy protection" here -- and anyone would know that if they looked at anything that Google and Apple have put out about this API. The data stays on your phone. It's based on your phone, and then the individuals get to make the choice of whether or not to share the data. The FAQ from Apple and Google make this all very clear:

In keeping with our privacy guidelines, Apple and Google will not receive identifying information about the user, location data, or information about any other devices the user has been in proximity of.

And, if the users decide, then the necessary information can be shared with public health officials:

If a user chooses to report a positive diagnosis of COVID-19 to their contact tracing app, the user’s most recent keys to their Bluetooth beacons will be added to the positive diagnosis list shared by the public health authority so that other users who came in contact with those beacons can be alerted.

It seems like both Nissenbaum and the Washington Post owe people a rather large apology.

Next up, there's a quote from Matt Stoller, who has built up a cottage industry making ignorant statements about big internet companies (and cheering on Senator Josh Hawley's anti-internet nonsense). While I've come to expect nonsense from Stoller, the quote he gives the Post is beyond the pale:

“They are exercising sovereign power. It’s just crazy,” said Matt Stoller, the director of research at the American Economic Liberties Project, a Washington think tank devoted to reducing the power of monopolies. Apple and Google have “decided for the whole world,” he added, “that it’s not a decision for the public to make. … You have a private government that is making choices over your society instead of democratic governments being able to make those choices.”

Again, nearly everything Stoller says here is wrong. Gruber's summary of it covers this better than anything I would say:

This quote is what’s crazy. Again, this guy Stoller clearly has no idea what he’s talking about. Apple and Google deciding how their operating systems work, in compliance with all existing laws, all around the world, is not “exercising sovereign power”. No one here is alleging that Apple or Google are doing anything even vaguely illegal. They’re not toeing some sort of line, they’re not taking advantage of any sort of loopholes.

And if Apple and Google did what Stoller and Nissenbaum seem to want them to do — track location data of every person you’re in contact with and report that data automatically to government health officials, they almost certainly would be breaking all sorts of laws around the world. The whole point of Europe’s well-intentioned but overzealous GDPR law — 88 dense pages in PDF — is, quoting from its preamble, “Natural persons should have control of their own personal data.” That’s exactly the point of Apple and Google’s system — and seemingly exactly the opposite of what every source in this Post story thinks Apple and Google should do.

Honestly, it's not at all difficult to imagine that if Google and Apple's API was automatically handing data over to the government, you'd see Stoller and Nissenbaum still complaining and suddenly they'd be all concerned about the companies "exercising sovereign power" to "mass collect people's data" and just "handing it over to the government." Again, this is a no win situation, in which the companies are being shat upon as if they're doing the wrong thing when it's clear they've bent over backwards to make sure they were doing the right thing and giving as much power and control as possible to the end user.

Basically every quote in this piece is utter nonsense -- the kind of nonsense that a reporter should be explaining why it's wrong or not publishing. But here it is all published as if these people are making good points. Here's the next one:

“Every minute that ticks by, maybe someone else is getting infected, so we want to be able to use everything we can,” said Vern Dosch, the contact-tracing liaison for North Dakota. “I get it. They have a brand to protect. I just wish they would have led with their jaw.”

Huh? What "brand" are they protecting here? The brand that says... they're going to help out by building a big system that others can build on and use for free, and that actually protects people's privacy? I honestly don't get what what Dosch is even saying here. Of course government officials want every piece of data, and this system is designed to help them get more data, but also to protect privacy. And I honestly have no clue what "led with their jaw" even means here.

It's only twenty six paragraphs in that the article mentions how "some privacy advocates have applauded the companies’ stance around anonymity and security concerns," but then it shits on that almost immediately:

But some parts of the U.S., including Apple and Google’s home state, say the restrictions have rendered the apps effectively useless. In California, epidemiologists in charge of contact tracing are ignoring the Apple-Google approach and have decided the best course for contact tracing is to train thousands of people to do the work.

Which "apps" are they even talking about? This is an API, not an app, and it's not even out yet, so these "apps" can't be useless yet. They don't exist. And the fact that California epidemiologists are focusing on training human contact tracers is... meaningless? No one has said that this API should replace human contact tracers. The idea has always been that it's another tool -- not a replacement. And then we get another ridiculous quote:

“The limitations of those kind of apps are extensive,” said Mike Reid, an assistant professor of medicine at the University of California at San Francisco, who is leading the effort to train contact tracers in the state. “I don’t think they have an important role to play for most of the population.”

The contact tracers, he said, will be using software made by Salesforce and Accenture to help reach patients by phone and are trained on how to protect sensitive patient information.

“We go to pains to minimize the amount of data we take from people and we ask consent from people we’re talking to on the phone. We go to considerable lengths to ensure there are strong technical controls to ensure the anonymization of our platforms,” he said. “Can you say the same thing about these big tech companies? I’m not sure.”

Um. Dude. Did you not even bother to read the details of the API that you're commenting on, about which you say you're "not sure" if the data is minimized or that there are strong technical controls to make sure the data remains anonymous? Because half of this very article is all about how other health professionals are annoyed that the apps are doing too much to protect the data.

And, honestly, how is it that these reporters are using quotes that are in direct conflict with other quotes in the article (the API keeps things too private, who knows if the big companies will keep things private...) as if they're making the same argument.

This is just bad, bad reporting.

With the Apple and Google approach, “We’ve overcompensated for privacy and still created other risks and not solved the problem,” said Ashkan Soltani, the former chief technologist of the Federal Trade Commission. “I’d personally be more comfortable if it were a health agency that I trusted and there were legal protections in place over the use of the data and I knew it was operated by a dedicated security team.”

I know and like Ashkan, and have quoted him in the past, but this... is just a bizarre quote in its own right. Google and Apple have two of the best "dedicated security teams" around. Meanwhile the federal health agency, Health & Human Services, has a history of getting hacked, including some sort of hack as the pandemic began (exactly what happened still has not been made clear).

But some public health experts believe the push toward unproven virus-tracing apps has wasted time and missed the point. Tom Frieden, the former director of the Centers for Disease Control and Prevention now working with the health organization Vital Strategies, said the proximity-tracing system as proposed by Apple and Google has “been largely a distraction.”

“There are very serious questions about its feasibility and its ability to be done with adequate respect for privacy, and it has muddied the water for what actually needs to happen,” Frieden said in an interview Wednesday. “This was an approach that was done with not much understanding and a lot of overpromising.”

This quote may be the most accurate of the bunch, but in its own way misleading as well. I haven't seen anyone "overpromising." The people involved in the project and supportive of it have argued that it might be an additional useful tool beyond everything that everyone else is doing. I haven't seen how it's "muddied the waters" for what others need to do.

Honestly, we don't really know how useful the apps built on this API will or won't be. There are reasons to be skeptical of their usefulness, but if you wanted to understand why, you wouldn't get help from this article, which really just seemed like an attempt by the reporters to collect as many disjointed anti-Google and Apple quotes as possible and put them all together in an article that is incredibly misleading and not even internally consistent.

Filed Under: api, contact tracing, data, helen nissenbaum, journalism, matt stoller, privacy, tradeoffs
Companies: apple, google

Google And Facebook Didn't Kill Newspapers: The Internet Did

from the check-the-data dept

There is an infamous chart in media circles. It shows newspaper advertising revenue steadily rising until about the year 2000. A few years later, it drops off a cliff. Superimposed on this chart is the exponential growth of Google and Facebook:

Source: Thomas Baekdal

The obvious implication, at least to those who work in journalism, is that Google and Facebook killed their industry. That’s certainly the conclusion Matt Stoller comes to in a recent op-ed for the New York Times:

The collapse of journalism and democracy in the face of the internet is not inevitable. To save democracy and the free press, we must eliminate Google and Facebook’s control over the information commons. That means decentralizing these markets and splitting information utilities from one another so that search, mapping, YouTube and other Google subsidiaries are separate companies, and Instagram, WhatsApp and Facebook once again compete.

First, it’s important to note that newspaper advertising revenue peaked a few years before the rise of Google (and many years before Facebook). That’s one hint a broader phenomenon is at work. But more generally, Stoller frames the history of advertising and journalism in a fundamentally incorrect way. He argues as if the ad-based business model for local journalism was the natural state of the world — upended only by Facebook’s and Google’s so-called "monopolies." In reality, print newspapers had a monopoly on local information distribution due to the prevailing technologies of their time. These regional monopolies were slowly eroded by the introduction, first, of radio and then television (see Lorain Journal Co. v. United States). But, ultimately, newspapers were disrupted by the internet.

Source: Matthew Ball

So, why did newspapers have a local monopoly in the first place? Mostly due to the high fixed costs (e.g., printing presses, warehouses, reporters, delivery trucks) and low marginal costs (i.e., paper and ink) of newspaper production and distribution. Therefore, it was very easy for newspapers to dominate the local market with one bundled product, which included everything from political news and opinion to sports and classifieds. The monopoly profits were used to fund, among other things, investigative journalism (which would lose money as a standalone business but provides value and prestige as part of a bundle).

The internet blew this arrangement to pieces. No longer was owning printing presses and delivery trucks sufficient to charge advertisers and readers whatever you wanted. The newspaper was unbundled by many internet companies, large and small. The infographic below shows how different digital services peeled off a piece of the newspaper value proposition:

Source: Haseeb Qureshi

For example, Craigslist, eBay and other free or low-cost digital classified ad services out-competed print classified ads:

Source: Business Insider

Google and Facebook entered the ad market with more efficient self-service platforms for advertisers and quickly gained market share. Stoller attributes their success not to superior efficiency but to anti-competitive acquisitions:

Enabled by a loose merger policy, there was a roll-up of the internet space. From 2004 to 2014, Google spent at least $23 billion buying 145 companies, including the advertising giant DoubleClick. And since 2004, Facebook has spent a similar amount buying 66 companies, including key acquisitions allowing it to attain dominance in mobile social networking. None of these acquisitions were blocked as anti-competitive.

What this merger analysis omits, however, is that the vast majority of these were vertical mergers, meaning the acquired company wasn’t a direct competitor with the acquirer. In other words, Google is not dominant in search today because it engaged in killer acquisitions of rival search engines. Of the 66 Facebook acquisitions, only Instagram is a plausible case of horizontal integration between social media companies (and, even then, Facebook invested heavily post-acquisition).

But Stoller also exaggerates the extent of their market power, calling them “global monopolies sitting astride public discourse.” In 2018, the global ad market was about $540 billion. Google’s revenue from advertising was $116 billion; Facebook’s was $55 billion. That’s a combined 32 percent market share. Not quite a monopoly (or duopoly, technically).

Source: Benedict Evans

And if you expand the market definition to include both advertising and marketing, as Benedict Evans shows in the chart below, then Google and Facebook’s share gets cut in half.

Source: Benedict Evans

Stoller concludes by saying, “Advertising revenue should once again flow to journalism and art.” But even if we break up all the big tech companies, your local newspaper will not magically have a profitable ad business again. The money currently flowing to consolidated Facebook would go to the newly independent Facebook, Instagram, and WhatsApp (or other digital services if you curtail advertising on social media). Internet platforms are simply more efficient at matching advertisers with customers than are traditional newspapers.

If we want to “fix” journalism, it will require a new path forward (i.e., innovative business models). We've tried radical protectionism before: In 1970, Nixon signed the Newspaper Preservation Act, which gave newspapers a special carve-out from the antitrust laws. According to the NYT (in 1999!), it had no effect on the end result:

But in the world of 1999, does the loss of a newspaper matter as much as it did in 1970, when the scores of cable channels and hundreds of Web sites did not exist?

The new media landscape and the growing competition for advertising dollars, make it harder for a weak newspaper to survive, and make its survival less urgent, Mr. Lacy believes. ''I'm not sure I'd call the Newspaper Preservation Act a failure,'' he said. ''Just a nonsuccess. People back then did not realize that this would not make a difference in the long run.''

It’s possible policymakers could construct another special protection for journalism. But it would entail massive state control of media that no one would be satisfied with. Resurrecting the regional monopolies once enjoyed by local newspapers is both undesirable and unrealistic.

Filed Under: ads, business models, competition, democracy, internet platforms, journalism, matt stoller, trust
Companies: facebook, google