|Permissionless data slurping: Why Google's latest bombshell matters|
Comment According to an old Chinese proverb: "When a wise man points at the Moon, an idiot looks at his finger." Google may have been hoping that you were examining a finger, not reading a Quartz story yesterday, which reveals how Android phones send location data to Google without you even knowing it.
Google received the data even if you didn't have a SIM card in your phone, and everything else was turned off.
It's such an old story, you'll fall asleep reading it, so please don't, urged one blue-ticked tweeter. Nobody suspected Google did this practice – and Google has now vowed to stop.
But you may want to consider two questions about a story that goes to the heart of the human relationship with technology: "Who is in control, here?" Firstly, can you turn it off? If you can't turn it off then obviously you are not in control. Secondly, do you know it's happening? If you don't know it's happening, you're not even in a position to turn it off. This entirely changes the terms of that human-machine relationship.
What Google did is also illegal here because consent is the key to data protection in the EU. This is what motivated a student, Max Schrems, to look into Facebook's cookies in 2011. An Austrian studying law in California, Schrems was curious how Facebook could track you across the web, even though you hadn't given it permission to do so. Europe's data protection laws had been introduced in the mid-1990s, with memories of East Germany's Stasi fresh in the memory. Schrems investigated, and discovered that Facebook didn't delete the data even after you asked it to. Four years later the "safe harbour" provisions governing data flows from Europe to the USA lay in tatters.
The paparazzi in your pocketSome of Silicon Valley's vanguardistas are fond of a phrase "permissionless innovation", a propaganda expression which implies that somehow progress won't take place if it respects human boundaries. For obvious reasons, the phrase is coming back to haunt them.
This is "permissionless", too, it just wasn't very innovative. As Charles Arthur notes, Google's response is similar to another piece of permissionless data collection. "Very reminiscent of the collection of Wi-Fi network data by Google Street View in 2010. That was blamed on a rogue engineer, even though the system had to be approved by a manager," he writes.
Indeed, Google advanced the theory that it was the work of a lone gunman: one rogue slurper, acting alone. The FCC demolished the theory. Google had intercepted the data "for business purposes", privacy group EPIC concluded.
If Google was a person, it would have had a restraining order for stalking slapped on it by now.
There's an obsessive quality to Google's collection of location data, and its insistence that it alone should have it. When in 2010 Motorola decided to go with Skyhook for its location data based on triangulating against a database of Wi-Fi access points – something Skyhook had invented – Larry Page went ballistic, threatening to close down Motorola's production lines. Skyhook was "contaminating" Google's own data collection, Page fumed.
Google went further in the dog days of the Obama administration, with the FCC being run by one of Obama's biggest fundraisers, Tom Wheeler. Although the FTC has traditionally handled data protection, the FCC drove over its lawn and introduced a regulation attempting to stop ISPs doing what was central to Google's business model – data collection. The regulation meant you could opt out of your network's data collection, but never opt out of Google or Facebook. It was a brazen attempt to wrestle the issue of privacy away from a watchdog that was obliged to treat everyone equally, to Google-friendly regulators. The regulation was never implemented.
If Google was a person, it would have had a restraining order for stalking slapped on it by now. Google argues that it needs this data to bring you lovely services for free, and that users happily consent to the data collection. But the Street View and the Quartz story blow away the argument: consent didn't come into it.
It's worth examining exactly why Oracle brought the issue of data collection to the attention of the European Commission – and it's not out of direct self-interest. Having promised both users and regulators that it would never combine data from its advertising silos into one giant "super profile", Google went ahead and did it anyway. Everything is now co-mingled with everything else.
The European Commission is examining the complaint because data is key to effective behavioural advertising, and the super profile (like Facebook's Graph) presents an insurmountable barrier to entry for competition. The super profile is like Napoleon crowning himself Emperor. It's intended to ensure Google retains its part of a dominant advertising duopoly forever.
You can accuse Oracle of many things, but it isn't an ad-slinger, and has no interest in becoming one either. Quartz is to be commended for... hey, look over there! A finger! ®