Sydney Li and Jason Kelley write:
Imagine this: an enormous tech company is tracking what you do on your phone, even when you’re not using any of its services, down to the specific images that you see. It’s also tracking all of your network traffic, because you’re installing one of its specially-designed routers. And even though some of that traffic is encrypted, it can still know what websites you visit, due to how DNS resolution works. Oh, it’s also recording audio from a custom-microphone that’s placed near your TV, and analyzing what it hears.
It’s an always-on panopticon. In exchange for your privacy (and the privacy of any guests who may be using your Internet connection, or talking near your television), you receive a gift card for a whopping $20.
No, we’re not talking about Facebook—we’ve already detailed the frightening consequences of Facebook’s sneaky, privacy-invading and security-breaking “user research” program. This is Google’s “ScreenWise Meter,” another “research program” that, much like Facebook’s, caused an upheaval this week when it was exposed.
In order to spy on iOS users, Facebook took advantage of Apple’s enterprise application program to get around Apple’s strict app distribution rules. When news of this Facebook program hit earlier this week, Google scrambled to pull the plug on its own “user research” application, which was taking advantage of the same Apple program. Apple quickly revoked both organizations’ Enterprise Certificates, shutting down all of Facebook’s and Google’s internal iOS applications and tooling, leaving the two giants in disarray.
We’re not a fan of Apple’s walled-garden approach to application distribution and its strict control over who gets to play on its platform and who doesn’t. However, this drama shined a valuable spotlight on deceptive messages to users and data harvesting practices surrounding two so-called “opt-in” “research” panopticons.
Although Google pulled its iOS application, all the other parts of its Screenwise Meter surveillance program are still in operation—and in some cases, they collect even more data about their “research users” than the Facebook counterpart did.
“Metering” is a funny word for surveillance
In some ways, Google’s “research” is not as bad as Facebook’s, and in other ways, it’s much worse. The “less worse” parts: it’s not directly targeting teens, it didn’t surreptitiously hide Google’s involvement, it didn’t ask users to install a custom root certificate, and its dystopian marketing makes it more clear what the company is up to.
The “more worse” part: it’s asking you to opt into a panopticon. Although Google is heavily involved in much of the general public’s online and offline lives, Screenwise takes it a big leap ahead.
The Screenwise Meter mobile app and web extension basically allow Google to see what you see on your phone screen and web browser window. The application could monitor all your app usage and network traffic via side-loading a “custom” app on your smartphone. Since Google doesn’t ask you to install a root certificate like Facebook did, they can’t decrypt HTTPS traffic, but the app can see anything on your screen, as detailed by the “Content on Screen” section of its privacy policy.
Let’s say you open the Snapchat app. Google could see that. Let’s say you need to type in your password. Google could see that, too. Let’s say you send a Snapchat to a friend. Yes, Google could see that as well.
The web extension even goes beyond the level of tracking that Facebook was willing to do. Like Facebook, apparently being able to track 80% of all Internet traffic wasn’t enough: the web extension reports all of your web browsing back to Google, even if it’s over HTTPS. It can also collect every single action you make on any website (from composing private messages to browsing a shopping site), and any information stored or saved in your browser. Google even admits to collecting Social Security Numbers and credit card numbers through this program, though it claims that these are “not the focus” of the surveillance.
In addition, Screenwise invades your private living spaces through a custom router. It can’t intercept HTTPS traffic. But because DNS lookups are currently unencrypted, Google can record every single site that anyone visits while connected to your WiFi. And, of course, it can see any unencrypted app and web traffic on your home WiFi, too.
To top it all off, there’s the “TV Meter,” which is an always-on microphone in your house that collects and sends Google audio from your TV as well as any nearby chatter it picks up—a wiretap for your living room.
“But They Consented!”
Although Google’s explanation of its program is somewhat more clear than Facebook’s, it will not be obvious to many people how thoroughly Google is spying on them if they don’t read all of the lengthy privacy policy.
Google has even less consent from the family members of people who installed Google’s snooping tools. These devices aren’t just spying on a person—they’re spying on a household, which can involve guests, who aren’t likely to know about the surveillance at all, and children under 13. Yes, Google “prohibits” children under 13 from taking part in this invasive digital tracking, gives options for pausing the tracking when kids are involved or guests are over, and asks users to inform any house guests about the surveillance. In reality, this provides the company cover rather than protecting your children or guests. By offering temporary “opt-out” options to “protect your privacy,” Screenwise simply shifts the responsibility onto the surveilled user—exactly the sort of behavior that’s been allowed under lax privacy laws, and needs to change under new ones.
Finally, none of Google’s messaging is clear about who it’s sharing all this data with. At the end of its privacy policy, Google mentions it can share all of this collected information with “trusted businesses,” without giving a hint as to who those could be or what they might do with our data.
Screenwise is not the only problem. Just this morning, a new study detailed how Google tricks regular users into “opting in” to constant tracking with deceptive UX flows and default settings.
With each passing day, it’s increasingly clear that we can’t rely on the “ethics” and “value systems” of corporations to judge their own messaging around consent. Jargon-filled dialog boxes, pages of fine print, and hidden privacy policies aren’t enough. When profits are driven by collecting and selling our data, companies are incentivized to manipulate as many people to “opt in” as possible.
Facebook’s and Google’s extensive “research” into user behavior, in exchange for a few gift cards, is more evidence of the dire need for new carefully-tailored rules to protect user privacy, and an end to the era of companies dictating users’ legal rights.
Source: EFF