Now The Washington Post Misleadingly Complains About Google & Apple Protecting Your Privacy Too Much
from the oh-come-on-guys dept
Both the NY Times and the Washington Post have been among the most vocal in attacking internet companies like Google and Facebook, claiming that they’re bad regarding your privacy. Yet, like with France (who fined Google for its privacy practices, but then got mad at the company over the privacy-protecting features of its COVID contact tracing API), the Washington Post has a very, very weird article complaining about Google and Apple’s project because it’s too protective of people’s privacy. We’ve talked in the past about how the API (jointly developed between Apple and Google) was designed from the ground up to be privacy protective. And you know damn well that if the API wasn’t developed as such there would be huge articles in the Washington Post and elsewhere decrying this API as a threat to everyone’s privacy. Yet here, the complaint is that it’s too protective, because these companies simply can’t win.
John Gruber, over at Daring Fireball, has an excellent post explaining just how spectacularly bad the Washington Post article is, but we’ll do our own treatment as well.
The crux of the article is that some “health officials” are annoyed that the API won’t share data with them directly, but is more designed to alert individuals themselves if they may have come into contact with someone who turns out to be COVID-19 positive.
But as the tech giants have revealed more details, officials now say the software will be of little use. Due to strict rules imposed by the companies, the system will notify smartphone users if they?ve potentially come into contact with an infected person, but it won?t share any data with health officials or reveal where those meetings took place.
Local health authorities in states like North Dakota, as well as in countries such as Canada and the United Kingdom, say they?ve pleaded with the companies to give them more control over the kinds of information their apps can collect. Without the companies? help, some worry their contact tracing systems will remain dangerously strained.
But Apple and Google have refused, arguing that letting the apps collect location data or loosening other smartphone rules would undermine people?s privacy.
Now, a good news report would explain why it’s important for Google and Apple’s API to protect people’s privacy — and maybe even highlight how lots of people, including some at the Washington Post, have frequently hammered Google and Apple over privacy concerns. Hell, just a few weeks ago, one of the very same reporters on this article, Drew Harwell, was bylined on an article saying that most Americans wouldn’t want to use apps based on the API because they don’t trust Google and Apple’s privacy protections. Though, of course, even that headline was misleading. That headline said “Most Americans are not willing or able to use an app tracking coronavirus infections. That’s a problem for Big Tech’s plan to slow the pandemic.” Yet, they have to do some funny math to make that “most” work, because the actual data said that 50% said they would use it, and among those who had phones, 59% said they’d be comfortable with the app informing others they had COVID-19.
So just a few weeks earlier, the same Washington Post, and one of the same reporters, was crowing about how people wouldn’t trust Apple and Google with their contact tracing apps due to privacy concerns. Then they publish this other piece saying that health officials are steamed that the companies are doing too much to protect people’s privacy. They can’t win.
The article then quotes a very confused professor (tragically, from my own alma mater):
But Helen Nissenbaum, a professor of information science and director of the Digital Life Initiative at Cornell University, called Apple and Google?s use of privacy to defend their refusal to allow public health officials access to smartphone technology a ?flamboyant smokescreen.? She said it was ironic that the two companies had for years tolerated the mass collection of people?s data but were now preventing its use for a purpose that is ?critical to public health.?
?If it?s between Google and Apple having the data, I would far prefer my physician and the public health authorities to have the data about my health status,? she said. ?At least they?re constrained by laws.?
Basically all of this is wrong or bullshit, and a good reporter would have either (a) immediately pointed out that this is bullshit or (b) not published the bullshit. First off, it’s not a “flamboyant smokescreen.” Google and Apple very clearly put a lot of thought into the privacy features of this API. Second, they’re not “preventing its use” for something “critical to public health”. The entire point of the API is to make use of this data in a way that helps deal with the crisis. And this is new data, not the data they’ve “mass collected.” On top of that, despite Nissenbaum’s insinuations to the contrary, none of this is new. It’s how Google and Apple work. Both have long histories of fighting back to make sure that government agencies can’t access your private data without a very clear legal basis to do so.
Most importantly, though, Google and Apple don’t have the data. That’s part of the “privacy protection” here — and anyone would know that if they looked at anything that Google and Apple have put out about this API. The data stays on your phone. It’s based on your phone, and then the individuals get to make the choice of whether or not to share the data. The FAQ from Apple and Google make this all very clear:
In keeping with our privacy guidelines, Apple and Google will not receive identifying information about the user, location data, or information about any other devices the user has been in proximity of.
And, if the users decide, then the necessary information can be shared with public health officials:
If a user chooses to report a positive diagnosis of COVID-19 to their contact tracing app, the user?s most recent keys to their Bluetooth beacons will be added to the positive diagnosis list shared by the public health authority so that other users who came in contact with those beacons can be alerted.
It seems like both Nissenbaum and the Washington Post owe people a rather large apology.
Next up, there’s a quote from Matt Stoller, who has built up a cottage industry making ignorant statements about big internet companies (and cheering on Senator Josh Hawley’s anti-internet nonsense). While I’ve come to expect nonsense from Stoller, the quote he gives the Post is beyond the pale:
?They are exercising sovereign power. It?s just crazy,? said Matt Stoller, the director of research at the American Economic Liberties Project, a Washington think tank devoted to reducing the power of monopolies. Apple and Google have ?decided for the whole world,? he added, ?that it?s not a decision for the public to make. ? You have a private government that is making choices over your society instead of democratic governments being able to make those choices.?
Again, nearly everything Stoller says here is wrong. Gruber’s summary of it covers this better than anything I would say:
This quote is what?s crazy. Again, this guy Stoller clearly has no idea what he?s talking about. Apple and Google deciding how their operating systems work, in compliance with all existing laws, all around the world, is not ?exercising sovereign power?. No one here is alleging that Apple or Google are doing anything even vaguely illegal. They?re not toeing some sort of line, they?re not taking advantage of any sort of loopholes.
And if Apple and Google did what Stoller and Nissenbaum seem to want them to do???track location data of every person you?re in contact with and report that data automatically to government health officials, they almost certainly would be breaking all sorts of laws around the world. The whole point of Europe?s well-intentioned but overzealous GDPR law???88 dense pages in PDF???is, quoting from its preamble, ?Natural persons should have control of their own personal data.? That?s exactly the point of Apple and Google?s system???and seemingly exactly the opposite of what every source in this Post story thinks Apple and Google should do.
Honestly, it’s not at all difficult to imagine that if Google and Apple’s API was automatically handing data over to the government, you’d see Stoller and Nissenbaum still complaining and suddenly they’d be all concerned about the companies “exercising sovereign power” to “mass collect people’s data” and just “handing it over to the government.” Again, this is a no win situation, in which the companies are being shat upon as if they’re doing the wrong thing when it’s clear they’ve bent over backwards to make sure they were doing the right thing and giving as much power and control as possible to the end user.
Basically every quote in this piece is utter nonsense — the kind of nonsense that a reporter should be explaining why it’s wrong or not publishing. But here it is all published as if these people are making good points. Here’s the next one:
?Every minute that ticks by, maybe someone else is getting infected, so we want to be able to use everything we can,? said Vern Dosch, the contact-tracing liaison for North Dakota. ?I get it. They have a brand to protect. I just wish they would have led with their jaw.?
Huh? What “brand” are they protecting here? The brand that says… they’re going to help out by building a big system that others can build on and use for free, and that actually protects people’s privacy? I honestly don’t get what what Dosch is even saying here. Of course government officials want every piece of data, and this system is designed to help them get more data, but also to protect privacy. And I honestly have no clue what “led with their jaw” even means here.
It’s only twenty six paragraphs in that the article mentions how “some privacy advocates have applauded the companies? stance around anonymity and security concerns,” but then it shits on that almost immediately:
But some parts of the U.S., including Apple and Google?s home state, say the restrictions have rendered the apps effectively useless. In California, epidemiologists in charge of contact tracing are ignoring the Apple-Google approach and have decided the best course for contact tracing is to train thousands of people to do the work.
Which “apps” are they even talking about? This is an API, not an app, and it’s not even out yet, so these “apps” can’t be useless yet. They don’t exist. And the fact that California epidemiologists are focusing on training human contact tracers is… meaningless? No one has said that this API should replace human contact tracers. The idea has always been that it’s another tool — not a replacement. And then we get another ridiculous quote:
?The limitations of those kind of apps are extensive,? said Mike Reid, an assistant professor of medicine at the University of California at San Francisco, who is leading the effort to train contact tracers in the state. ?I don?t think they have an important role to play for most of the population.?
The contact tracers, he said, will be using software made by Salesforce and Accenture to help reach patients by phone and are trained on how to protect sensitive patient information.
?We go to pains to minimize the amount of data we take from people and we ask consent from people we?re talking to on the phone. We go to considerable lengths to ensure there are strong technical controls to ensure the anonymization of our platforms,? he said. ?Can you say the same thing about these big tech companies? I?m not sure.?
Um. Dude. Did you not even bother to read the details of the API that you’re commenting on, about which you say you’re “not sure” if the data is minimized or that there are strong technical controls to make sure the data remains anonymous? Because half of this very article is all about how other health professionals are annoyed that the apps are doing too much to protect the data.
And, honestly, how is it that these reporters are using quotes that are in direct conflict with other quotes in the article (the API keeps things too private, who knows if the big companies will keep things private…) as if they’re making the same argument.
This is just bad, bad reporting.
With the Apple and Google approach, ?We?ve overcompensated for privacy and still created other risks and not solved the problem,? said Ashkan Soltani, the former chief technologist of the Federal Trade Commission. ?I?d personally be more comfortable if it were a health agency that I trusted and there were legal protections in place over the use of the data and I knew it was operated by a dedicated security team.?
I know and like Ashkan, and have quoted him in the past, but this… is just a bizarre quote in its own right. Google and Apple have two of the best “dedicated security teams” around. Meanwhile the federal health agency, Health & Human Services, has a history of getting hacked, including some sort of hack as the pandemic began (exactly what happened still has not been made clear).
But some public health experts believe the push toward unproven virus-tracing apps has wasted time and missed the point. Tom Frieden, the former director of the Centers for Disease Control and Prevention now working with the health organization Vital Strategies, said the proximity-tracing system as proposed by Apple and Google has ?been largely a distraction.?
?There are very serious questions about its feasibility and its ability to be done with adequate respect for privacy, and it has muddied the water for what actually needs to happen,? Frieden said in an interview Wednesday. ?This was an approach that was done with not much understanding and a lot of overpromising.?
This quote may be the most accurate of the bunch, but in its own way misleading as well. I haven’t seen anyone “overpromising.” The people involved in the project and supportive of it have argued that it might be an additional useful tool beyond everything that everyone else is doing. I haven’t seen how it’s “muddied the waters” for what others need to do.
Honestly, we don’t really know how useful the apps built on this API will or won’t be. There are reasons to be skeptical of their usefulness, but if you wanted to understand why, you wouldn’t get help from this article, which really just seemed like an attempt by the reporters to collect as many disjointed anti-Google and Apple quotes as possible and put them all together in an article that is incredibly misleading and not even internally consistent.
Filed Under: api, contact tracing, data, helen nissenbaum, journalism, matt stoller, privacy, tradeoffs
Companies: apple, google
Comments on “Now The Washington Post Misleadingly Complains About Google & Apple Protecting Your Privacy Too Much”
Basically, the only consistency Nussbaum and Stoller have is…
"BIG TECH BAD!!!"
Those asshats would complain that a free banquet was "too hot".
Re: Re:
and such small portions!
Re: Re: Re:
Yes, and contributing to obesity too. In CHILDREN!
Amazingly they ignore the other tech giant, Amazon
They gloss over the 900-pound gorilla sitting in the room that is Amazon. They are not saying anything about what that giant is doing for the crisis beyond lowering the expectations that we have for journalism.
Re: Amazingly they ignore the other tech giant, Amazon
Considering who owns the Washington Post, I’d say it was a deliberate decision of omission.
Meanwhile Germany and Switzerland are using a decentralised approach and Google/Apple API
https://www.reuters.com/article/us-health-coronavirus-europe-tech-idUSKCN22807J
The problem is that this is too good an opportunity for data-fetish governments like France and the UK to miss out on. They would rather have an app that is largely useless for contact tracing but ok at tracking people’s movements than go the other way and have something that may actually save a few people. I despair of the way the UK is heading!
We can’t have people knowing if they might have been near an infected person without the government knowing the personal details of everyone involved! Which would be perfectly safe in our many, many, well-vetted and highly-trained-in-security hands. Further, how dare they give people the option of sharing that information with us. How useless! Plus it is wasting time… somehow.
Pretty cool how the government and its fetishists (or at least temporarily, to have a go at these outfits) just straight up admit they want exactly the police state powers that anyone with mild concern has been worried about, all the way to what rabid conspiracy theorists constantly claim.
I’m surprised they haven’t complained that "the app" (sic) isn’t utterly forced upon everyone as well.
[side rant: No matter how potentially useful… Bluetooth. Just nope.]
Re: Re:
Pretty cool how the government and its fetishists (or at least temporarily, to have a go at these outfits) just straight up admit they want exactly the police state powers that anyone with mild concern has been worried about,
Including themselves, which is the best part. ‘How dare the company that just two weeks ago we attacked for not caring about user privacy care about user privacy?!’
Re: Re: Re:
Oh, but that power should just be handed over to governments. They don’t want Apple/Google to actually have that power. But certainly, they do twist themselves into pretzels in efforts to avoid having any sort of coherent position. One they can state, which doesn’t make them sound like petulant 5 year-olds, anyway.
Now all these sorts can pout and not make use of the API, because screw people maybe being informed if the govs can’t track you endlessly.
Faulty premise, assumes actual reporting desired
This is just bad, bad reporting.
Because it’s not reporting, it’s a hatchet piece.
The goal was not to investigate a subject, dig into the details, condense them into an easily understandable format and present that to the audience in a clear, concise, and honest fashion, it was to continue the attacks against the companies that either the ‘reporter’ or their higher-ups had decided would make good public punching-bags for whatever reason.
As reporting it would be pathetic and downright abysmal and accomplish nothing but showing that the Washington Post can not be trusted to cover the topic honestly, but as a hit piece designed to rile people up and keep them focused on hating certain companies it probably works just fine.
Re: Not faulty premise, they present themselves as reporters
TOG,
Whatever their actual intent is, the presentation of these types is that they are, in fact, reporters, who are reporting on a thing. They aren’t stating it’s a hatchet piece, they’re writing a hatchet piece and masquerading it as real reporting.
Which makes it bad reporting. So they get called out for being bad reporters, and whether they meant to be bad reporters or not is irrelevant.
Re: Re: Not faulty premise, they present themselves as reporters
It would be interesting to see if anyone was honest enough to admit to writing a hatchet piece but good point I suppose, if they’re going to pretend that they are engaging in reporting then they deserve to be called out as terrible reporters.
Re: Faulty premise, assumes actual reporting desired
Would it be too cynical to point out that they’re attacking two of Amazon’s competitors? I’m hoping Amazon’s ownership has nothing to do with it, but I wonder.
They should just ask Facebook
The giant Zucking sound you hear is every other app with some library uploading your contacts, location, phone calls, and texts to Facebook. Even if you don’t have a Facebook account. (DNS logs can be very revealing). Or just visit a website with a F share on facebook button.
Big Zucker is watching you!
I remember the story where different patients visiting a psychiatrist were suggested in “people you may know”.
This comment has been flagged by the community. Click here to show it.
They should just ask Facebook
The giant Zucking sound you hear is every other app with some library uploading your contacts, location, phone calls, and texts to Facebook. Even if you don’t have a Facebook account. (DNS logs can be very revealing). Or just visit a website with a F share on facebook button.
Big Zucker is watching you!
I remember the story where different patients visiting a psychiatrist were suggested in “people you may know”.
Agenda
It seems to me that some of these articles are not written to explain facts or how things work, and then let readers decide if that’s good or bad thing (or perhaps a little of both!). Instead, it’s about pushing an agenda. Sadly, this isn’t about reporting. It’s about influencing, disguised as a news article.
Re: Agenda
Anything specific you have problem with, or are you just too dumb to understand that an opinion blog will offer an opinion?
Re: Re: Agenda
Hey Paul, you’ve been really agressive and quick to assume recently. Is the lockdown getting to ya?
Anyway, I think you have taken his comment the wrong way – it sure looks like he’s talking about the newspaper article and not Techdirts one. Correct me if I’m wrong.
Re: Re: Re: Agenda
"Is the lockdown getting to ya?"
The opposite actually. A lot of restrictions were relaxed where I live yesterday, and what you’re reading is the result of me sitting outside a local bar in the sun, drinking with friends then waking up way too early with a moderate hangover. I’ll be back at work tomorrow so hopefully I’ll be back to normal health!
"Correct me if I’m wrong."
You may be right, and my apologies to Koby if that’s the case. I think I was just scrolling through way too many threads where people were making bad faith, stupid comments and misread one that wasn’t.
We have talked about covid tracing apps before.
See here for instance.
Epidemic protection theater.
the companies are being shat upon as if they’re doing the wrong thing when it’s clear they’ve bent over backwards to make sure they were doing the right thing
Reminds me of Aero
Washington Post being hypocritical about privacy
I don’t read the Washington Post any more, precisely because they refuse to respect my privacy.
I use a privacy protection tool (EFF’s Privacy Badger) to block trackers, while still allowing adverts.
I’m fine with ads — when I’m not already subscribing or supporting the outlet in question (sometimes even then). But WaPo insists that I’m "blocking ads" and blocking my access in return.
I’ve double-checked that I’ve white-listed WaPo in my browser’s ad-blocker. It appears that Washington Post not only feels entitled to track me and gather my personal data — they’re willing to lie about it, too.
Too bad. And it’s really a shame, because Washington Post does some pretty decent journalism — but there’s plenty of other good coverage, readily accessible, elsewhere on the Internet.
From other sources that don’t insist on tracking me (though somehow they do manage to show me adverts, just the same).
The irony is of course, that some of the other outlets that haven’t treated me that way, but instead have provided me the benefit of free-er policies, better privacy, and regular exposure to their product, have actually managed to win me over and earn my active, direct financial support.
That presently includes, oddly enough, the New York Times. And since I’m not even American, I’m not going to subscribe to more than a couple of major US newspapers anyhow — so WaPo has effectively pushed me to their main competitor, when otherwise I might have (probably would have) preferred to give them my support.
Yes, the sovereign "citizens" who have absolutely no lawful authority to do the things they claim to be a party to.
Such as the sovereign "stateless people who were the impetus for the Rome Statute of the ICC". Sovereign "terrorist organizations". Sovereign "pirates on the high seas". Or their sovereign "satanic or similar cult for human sacrifices". The sovereign "human and drug trafficking organizations" are another famous one.
The sovereign, "I can no longer get a pardon for my crimes because my persons/organizations were impeached and are therefore ineligible for a pardon" is another pertinent one in modern society.
Re: Re:
Sovereign hostage holders is another one that has been pertinent to my life.
No win
Also if these companies decided not to do anything about Covid-19 tracing they would still get shat upon. There really is no way to win.
Shill
C’mon. This whole post is clearly Masnick shilling for Google. The only thing different is that Apple gets collateral shilling. </sarcasm>
how about they complain about their government instead?
The government that has managed to destroy the last bit of trust of its agencies even trying to limit themselves to fair use. To actually use data they have access to protect the interests of citizens, instead of their own.
The government and its agencies can use "national security" to bulldoze over every bit of protection the constitution has given us for more than 200 years. What "national security" will not do is restore trust