People care about their privacy. Some have doubted this in the past, pointing to the amount of personal information people willingly shared, often in exchange for free software or services. Yet I’ve long thought that many people simply were not aware of the privacy implications of sharing their data and how it could be misused and abused. Those who did understand the implications often didn’t feel empowered to do anything about it given the vast resources of Big Tech companies.
These privacy abuses couldn’t stay hidden forever. With the help of documentaries, the Cambridge Analytica scandal, US congressional hearings and regulatory threats from the European Union, most people today have some awareness of the ways Big Tech abuse their privacy. Big Tech noticed. Apple saw this trend earlier than most, and realized that a big differentiator between them and their main competitors (Facebook and Google in particular) was that their competitors were primarily funded by selling customer data. Privacy became a big keyword in Apple marketing, and Google and Facebook quickly followed suit.
Yet all of this marketing amounts to privacy washing. Just like with security, when these companies say something is for privacy, it’s really about control. Privacy and security were the reasons Apple gave for removing parental control apps from their app store, coincidentally around the same time they launched their own parental control software, Screen Time, in iOS 12, resulting in anti-trust scrutiny.
In the past, Apple used security as the excuse for why all software must go through the App Store instead of via what it calls “sideloading” (known as “installing software” on other platforms, sideloading on iOS refers to jailbreaking an iOS device and installing software outside of the App Store). Apple is opposed to sideloading, because it removes their control over all their competitors’ software on their platform. But now in a recent keynote Apple CEO Tim Cook gave at a privacy conference, “security” was replaced with “privacy” as the reason sideloading is bad.
Apple, Google and Facebook have all used warning labels within their respective app stores to demonstrate how much they care about privacy. Facebook was actually first to market with this approach, as its Cambridge Analytica privacy scandal caused it to add further restrictions and extra notifications to how third parties access customer data on its platform. Apple added “privacy nutrition labels” to the App Store which had a helpful side effect of harming competitors on their platform while also capitalizing on consumer interest in privacy. Yet even with these controls and warnings in place, iOS apps might still be tracking you. Google has also followed suit, announcing its own version of “privacy nutrition labels” in its Play Store.
These companies are strong proponents for protecting your privacy from everyone else. Notably absent from all of these privacy nutrition labels, are Facebook, Google’s and Apple’s own data collection. For instance, outside of the app store, on idle devices, researchers have found both Android and iOS share plenty of private data with Google and Apple respectively, on average every 4.5 minutes:
We investigate what data iOS on an iPhone shares with Apple and what data Google Android on a Pixel phone shares with Google. We find that even when minimally configured and the handset is idle both iOS and Google Android share data with Apple/Google on average every 4.5 mins. The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc. are shared with Apple and Google. Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this. When a SIM is inserted both iOS and Google Android send details to Apple/Google. iOS sends the MAC addresses of nearby devices, e.g. other handsets and the home gateway, to Apple together with their GPS location. Users have no opt out from this and currently there are few, if any, realistic options for preventing this data sharing.
As I mention in a previous post on this subject, neither Apple nor Google dispute they do this, they simply argue it’s required for the OS to function and dispute how much they do it. Google goes on to say:
The company [Google] also contended that data collection is a core function of any Internet-connected device.
Even if you are offered an opt out for some of this tracking, that doesn’t mean they will honor it. For instance, when you disable location services in Android, it turns out Google might be tracking your location anyway. A number of states filed complaints against Google earlier this year because of this practice.
Apple also makes exceptions when it comes to privacy. In the case of MacOS, recent changes have exempted some Apple software from firewall rules, preventing you from inspecting and blocking traffic to some Apple services, such as when Apple phones home for permission each time you launch a signed application. Apple also exempted itself when it came to scanning files on customer devices in the name of child safety. There was enough public backlash against this proposal that Apple has paused the initiative for now. While Apple has sometimes fought government attempts to get customer data stored on locked devices, iCloud backups offer less privacy, with some data being stored unencrypted, or alongside their keys. Some data on iCloud is encrypted with keys that only Apple controls, at least depending on which government is asking.
These companies understand that privacy is really about control. Because they control the OS, their app stores, and their respective clouds, they control their customers’ privacy. They use this control to their advantage against competitors on their platforms, while often exempting themselves from their rules and getting the marketing benefit from privacy-aware customers.
Real privacy (instead of privacy washing) means giving that control back to customers. Customers should hold the encryption keys to their data even if it is shared on a cloud. Customers should be able to inspect and block access to their data, even if it’s from the OS vendor.
People not only care about their privacy, they now understand the privacy implications of sharing their data, how it has been used and abused, and are starting to feel empowered to do something about it. People are voting with their dollars for real privacy and while Big Tech marketing wants to capitalize on it, their business interests and need to control prevent them from ever delivering it. Fortunately, there are alternatives.