Apple, Amazon and Google are at the Senate to talk about privacy. Here are the latest developments.
Apple, Amazon, AT&T, Google and Twitter sent privacy representatives to the Senate Wednesday to discuss how their companies are addressing user privacy.
According to the Washington Post, the Senate Committee on Commerce, Science and Transportation is meeting with privacy executives belonging to each of the five companies.
“Americans are struggling to understand what’s being collected and how it’s used,” Sen. John Thune, the committee chairman, said, according to the Washington Post. “We’re holding this hearing to help inform consumers and to determine where the federal government may need to assert itself.”
This isn’t the first time this year the Senate has grilled tech companies. In April, Facebook CEO Mark Zuckerberg faced questions during a congressional hearing following the whistleblowing on Cambridge Analytica. In March, the New York Times reported that Facebook allowed the company to siphon data about users of the social network who agreed to take Cambridge Analytica’s personality quiz. Those who agreed to take the quiz had private information scraped from their user profiles. Friends of quiz takers had their info taken too. According to Facebook, this was not a data breach — “everyone involved gave their consent,” the company’s post read.
On Sept. 5, Twitter CEO Jack Dorsey and Facebook COO Sheryl Sandberg visited Washington to address the spread of false information and censorship on their platforms for the Senate intelligence committee. Since the 2016 presidential election, it has become clear that both platforms were plagued by fake accounts spreading fake news in an effort to sway votes (some sources say that despite fake news being prevalent, it may not have changed people’s votes).
Editor’s note: We will update this post as each of the tech companies meets with the committee.
On Wednesday, Google pledged support for the Honest Ads Act, which requires tech companies to be transparent about the origins of an advertisement, particularly online political ads. The act was sparked by the news that Russians bought ads that ran on Facebook and other social media platforms, CBS News reported.
Keith Enright, Google’s chief privacy officer, also addressed recent news around the search engine’s plans to develop a product specifically for users in China.
“My understanding is that we are not in fact close to launching a product in China,” Enright told the committee. “Whether we would or could in the future is unclear.”
Google on privacy: Earlier in September, the Senate scolded Google for not sending co-founder Larry Page to the Sept. 5 hearing as requested. Next to Twitter’s Dorsey and Facebook’s Sandberg was an empty seat for Google during their visits to the Senate in September.
Google has avoided much of the blowback that Facebook has faced from Cambridge Analytica, even though both companies are responsible for collecting a large amount of personal user data and turning it into ad dollars. In 2017, Google made $27.2 billion in revenue from advertising while Facebook made $39.9 billion in revenue from advertising.
The company may have to answer questions about more than a few infractions when it comes to mistreating users’ privacy. Recently, Google was caught tracking users’ locations even if those users requested they not do so on Google’s site. This followed a glitch in which Google’s Amazon Echo competitor, Google Home, was discovered to be recording more audio than it should. In July, the Wall Street Journal reported how third-party companies could access your private Gmail inbox through apps and add-ons. Though this last one isn’t Google’s fault: the email standard wasn’t designed with privacy in mind.
These three instances all took place in 2018. Before 2018, Google was involved in over 30 different privacy scandals, from Google tracking Apple device users secretly to Google tracking the location of Android device owners even when they opted out of location tracking in their device settings. Most recently, the newest version of Google Chrome, Chrome 69, automatically logged users into the browser with their Google login info (previously an optional feature). Experts worried about what browser data the company would upload to their servers and tie to users’ names through this feature.
In advance of the Senate hearing, Google released a document called the Framework for Responsible Data Protection, available as a PDF here. In the three-page document, the company lays out their relationship with user info. It’s likely that Keith Enright, Google’s newly named chief privacy officer, will reference this document and more on Wednesday.
Twitter’s global data protection officer and associate legal director Damien Kieran saw some blowback similar to Google on the subject of ads and convoluted user privacy agreements. Kieran reminded the panel that Twitter had taken steps to make their terms of service more understandable.
“We worked on animations, graphics and pop-ups for users,” Kieran said. “We want people to understand what we’re doing with their data.”
In response to Sen. Catherine Cortez Masto’s question of whether all the companies could agree to making better privacy the default, Kieran offered an instance exemplifying the tough balance of user privacy and user convenience.
“When a person comes to Twitter for the first time, we look at their IP address to put the site in their language.” More privacy by default could eliminate this feature, he said.
Twitter on privacy: Dorsey already explained himself in front of public officials on Sept. 5. The CEO answered questions regarding misinformation on Twitter and free speech, but few questions related to user privacy. While Twitter hasn’t received much of the heat companies have faced for invasive privacy practices, the microblogging platform did sell some data to Cambridge Analytica as well.
Apple’s vice president for software technology Guy Tribble noted Wednesday that a one-size-fits-all solution for privacy is unreasonable.
“There’s no silver bullet,” Tribble said. “Even data that was disassociated from a person can later be associated with that person.” However, he said there are ways companies can learn about their user base without handing over sensitive or personally-identifiable information. He used an example of a company that wants to know how much money is in each user’s pocket.
“You could add 100 to everyone’s value,” Tribble said. “You can still determine an average but doesn’t give you specific information about any person.”
Apple on privacy: Apple’s messaging service, iMessage, is encrypted by default, and Apple, unlike Google or Facebook, doesn’t profit from using your personal info to tell advertisers how they should target you. Its update to Mac OS, Mojave, includes protections so social media “Like” buttons don’t track everywhere users go around the web. When MSNBC asked Apple CEO Tim Cook in March what he would do if he was in Zuckerberg’s shoes during Cambridge Analytica, Cook said, “I wouldn’t be in this situation.”
The company publicly refused to cooperate with law enforcement following the 2016 mass shooting in San Bernardino, when they refused to unlock the iPhone of one of the gunmen (after offering the FBI a cloud option loophole). In 2018, Apple’s iOS 12 introduced updates to their USB Restricted Mode feature to thwart passcode-breaking tools like GrayKey. The new mode prevents data from being transferred over USB if it’s been three days since the phone last connected to a computer. Additionally, the phone will turn on USB Restricted Mode whenever it’s locked and requires a user’s passcode (not just a fingerprint or face for facial recognition). It’s possible that Grayshift, the company behind GrayKey, will eventually provide a workaround.
In a question directed at Andrew DeVore, vice president and associate general counsel at Amazon, Sen. Cory Gardner inquired about the amount of access Chinese companies have to the data on Amazon servers. Amazon Web Services powers not just Amazon sites but other services like Netflix and NASA. Gardner’s yes-or-no question aroused a roundabout response from DeVore, resulting in the refrain “the customer owns the data.” When Gardner asked if China has access to the data, DeVore replied no.
Amazon on privacy: The Amazon Echo, the company’s virtual assistant for the home, is worth investigating for privacy reasons. The device always listens to you and keeps a record of every interaction between the device and its users. That in itself isn’t bad; any consumer who buys the device knows this. However, it could be worth it to the Senate to grill the company on how it uses all the data it collects.
Amazon has a lot of information at their disposal with their virtual assistant business, but they also handle servers for many companies. Customers of Amazon Web Services include services like Netflix and federal government organizations like NASA and the FDA. The company explains what kind of privacy their web services customers can expect here.
The hearing will primarily center on privacy, but we might be able to expect one of the senators to highlight Amazon’s bad practices when it comes to employee wages. Amazon’s CEO Jeff Bezos is the richest man in modern history, but workers’ median salary remains under $29,000.
Tech companies get a lot of the bad press for intrusive privacy practices, but cell phone carriers can track just as much. In 2014, AT&T was reportedly tracking customers via “supercookies,” which let companies track people even when they were traveling abroad or using private browsing mode on their phone. In May, Sen. Ron Wyden clued many people into Securus, a prison technology company that was purchasing data from cell carriers, including AT&T, that allowed them to track anyone “within seconds.”
Sept. 26, 2018, 1:21 p.m.: This post has been updated.